From Newsgroup: comp.protocols.dns.bind
--_000_5018dc929e8043cb885c1ad55bfc560cinwima_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
Thank you, Andrews.
________________________________
De : Mark Andrews <
marka@isc.org>
Envoy=E9 : mercredi 29 juillet 2020 02:15:24
=C0 : Youssef Fassi Fihri
Cc :
bind-users@lists.isc.org
Objet : Re: broken trust chain
A network link that is dropping packets can trigger EDNS failures in versio=
ns of
BIND before 9.13.3. These versions have code to compensate for servers tha=
t
fail to respond to EDNS queries or fail to respond to EDNS queries with DO= =3D1
or fail to respond to queries with (particular) EDNS options set. BIND woul=
d
fallback to plain DNS queries to workaround these issues, but that broke
DNSSEC when the answers where coming from a signed zone and the packet loss
is due to network issues.
5029. [func] Workarounds for servers that misbehave when queried
with EDNS have been removed, because these broken
servers and the workarounds for their noncompliance
cause unnecessary delays, increase code complexity,
and prevent deployment of new DNS features. See
https://dnsflagday.net for further details. [GL #15=
0]
On 29 Jul 2020, at 09:10, <Youssef.FassiFihri@inwi.ma> <Youssef.FassiFihr=
i@inwi.ma> wrote:
Hi All,
I am using Bind as resolver for end users .
At various time, bind logs show "broken trust chain" continuously , for =
about 20mn ~ 30 mn causing an increase of "recursive clients" shown in "rn=
dc status" and a decrease of "DNS sucess rate KPI" supervised from end use=
rs side. then the error disappear and everything is OK.
the problem appears on different server at different time.
What could be the problem?
Regards,
=AB Ce message et toutes les pi=E8ces y jointes sont susceptibles de cont=
enir des informations confidentielles ou privil=E9gi=E9es, lesquelles ne do= ivent =EAtre reproduites, diffus=E9es ou exploit=E9es sans autorisation. L= =92int=E9grit=E9 des messages =E9lectroniques n=92=E9tant pas garantie, WAN=
A CORPORATE d=E9cline toute responsabilit=E9 dans le cas o=F9 ce message au= rait =E9t=E9 alt=E9r=E9, d=E9form=E9 ou falsifi=E9.
Ce message est =E9tabli =E0 l'attention exclusive de ses destinataires. S=
i vous avez re=E7u ce message par erreur, veuillez le signaler =E0 l=92exp= =E9diteur et le d=E9truire y compris les pi=E8ces jointes.
Merci. =BB
-------------------------------------------------------------------------=
---------------------------------------------------------------------------= ---------------------------------------------------------------------------= -------------------------
=AB This message and its attachments may contain confidential or privileg=
ed information that should not be copied, distributed or used without autho= rization. As the integrity of emails may not be guaranteed, WANA CORPORATE =
is not liable for messages that have been modified, changed or falsified.
If you have received this email in error, please notify the sender and de=
lete this message and its attachments.
Thank you. =BB
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubsc=
ribe from this list
ISC funds the development of this software with paid support subscription=
s. Contact us at
https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET:
marka@isc.org
________________________________
=AB Ce message et toutes les pi=E8ces y jointes sont susceptibles de conten=
ir des informations confidentielles ou privil=E9gi=E9es, lesquelles ne doiv= ent =EAtre reproduites, diffus=E9es ou exploit=E9es sans autorisation. L=92= int=E9grit=E9 des messages =E9lectroniques n=92=E9tant pas garantie, WANA C= ORPORATE d=E9cline toute responsabilit=E9 dans le cas o=F9 ce message aurai=
t =E9t=E9 alt=E9r=E9, d=E9form=E9 ou falsifi=E9.
Ce message est =E9tabli =E0 l'attention exclusive de ses destinataires. Si = vous avez re=E7u ce message par erreur, veuillez le signaler =E0 l=92exp=E9= diteur et le d=E9truire y compris les pi=E8ces jointes.
Merci. =BB
---------------------------------------------------------------------------= ---------------------------------------------------------------------------= ---------------------------------------------------------------------------= -----------------------
=AB This message and its attachments may contain confidential or privileged=
information that should not be copied, distributed or used without authori= zation. As the integrity of emails may not be guaranteed, WANA CORPORATE is=
not liable for messages that have been modified, changed or falsified.
If you have received this email in error, please notify the sender and dele=
te this message and its attachments.
Thank you. =BB
--_000_5018dc929e8043cb885c1ad55bfc560cinwima_
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DWindows-1= 252">
<meta name=3D"Generator" content=3D"Microsoft Exchange Server">
<!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; pad= ding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<meta content=3D"text/html; charset=3DUTF-8">
<style type=3D"text/css" style=3D"">
<!--
p
{margin-top:0;
margin-bottom:0}
</style>
<div dir=3D"ltr">
<div id=3D"x_divtagdefaultwrapper" dir=3D"ltr" style=3D"font-size:12pt; col= or:#000000; font-family:Calibri,Helvetica,sans-serif">
<p>Thank you, Andrews.<br>
<p><br>
</div>
<hr tabindex=3D"-1" style=3D"display:inline-block; width:98%">
<div id=3D"x_divRplyFwdMsg" dir=3D"ltr"><font face=3D"Calibri, sans-serif" = color=3D"#000000" style=3D"font-size:11pt"><b>De :</b> Mark Andrews <mar=
ka@isc.org><br>
<b>Envoy=E9 :</b> mercredi 29 juillet 2020 02:15:24<br>
<b>=C0 :</b> Youssef Fassi Fihri<br>
<b>Cc :</b>
bind-users@lists.isc.org<br>
<b>Objet :</b> Re: broken trust chain</font>
<div> </div>
</div>
</div>
<font size=3D"2"><span style=3D"font-size:10pt;">
<div class=3D"PlainText">A network link that is dropping packets can trigge=
r EDNS failures in versions of<br>
BIND before 9.13.3. These versions have code to compensate for server=
s that<br>
fail to respond to EDNS queries or fail to respond to EDNS queries with DO= =3D1<br>
or fail to respond to queries with (particular) EDNS options set. BIND woul= d<br>
fallback to plain DNS queries to workaround these issues, but that broke<br=
DNSSEC when the answers where coming from a signed zone and the packet loss=
is due to network issues.<br>
5029. [func] &nb= sp; Workarounds for servers that misbehave when queried<br> &nb= sp; with EDNS h= ave been removed, because these broken<br> &nb= sp; servers and=
the workarounds for their noncompliance<br> &nb= sp; cause unnec= essary delays, increase code complexity,<br> &nb= sp; and prevent=
deployment of new DNS features. See<br> &nb= sp; <a href=3D"=
https://dnsflagday.net">https://dnsflagday.net</a> for further details. [GL=
#150]<br>
> On 29 Jul 2020, at 09:10, <
Youssef.FassiFihri@inwi.ma> <Youss=
ef.FassiFihri@inwi.ma> wrote:<br>
> <br>
> Hi All,<br>
> <br>
> I am using Bind as resolver for end users .<br>
> <br>
> At various time, bind logs show "broken trust chain" continu= ously , for about 20mn ~ 30 mn causing an increase of "rec= ursive clients" shown in "rndc status" and a decrease of&nbs=
p; "DNS sucess rate KPI" supervised from end users side. th=
en the error disappear
and everything is OK.<br>
> <br>
> the problem appears on different server at different time.<br>
> <br>
> What could be the problem?<br>
> <br>
> Regards, <br>
> <br>
> <br>
> =AB Ce message et toutes les pi=E8ces y jointes sont susceptibles de c= ontenir des informations confidentielles ou privil=E9gi=E9es, lesquelles ne=
doivent =EAtre reproduites, diffus=E9es ou exploit=E9es sans autorisation.=
L=92int=E9grit=E9 des messages =E9lectroniques n=92=E9tant pas
garantie, WANA CORPORATE d=E9cline toute responsabilit=E9 dans le cas o=F9=
ce message aurait =E9t=E9 alt=E9r=E9, d=E9form=E9 ou falsifi=E9.<br>
> <br>
> Ce message est =E9tabli =E0 l'attention exclusive de ses destinataires=
. Si vous avez re=E7u ce message par erreur, veuillez le signaler =E0 l=92e= xp=E9diteur et le d=E9truire y compris les pi=E8ces jointes.<br>
> <br>
> Merci. =BB<br>
> <br>
> ----------------------------------------------------------------------= ---------------------------------------------------------------------------= ---------------------------------------------------------------------------= ----------------------------<br>
> <br>
> =AB This message and its attachments may contain confidential or privi= leged information that should not be copied, distributed or used without au= thorization. As the integrity of emails may not be guaranteed, WANA CORPORA=
TE is not liable for messages that have
been modified, changed or falsified.<br>
> <br>
> If you have received this email in error, please notify the sender and=
delete this message and its attachments.<br>
> <br>
> Thank you. =BB<br>
> <br>
> _______________________________________________<br>
> Please visit <a href=3D"
https://lists.isc.org/mailman/listinfo/bind-us= ers">
https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe f= rom this list<br>
> <br>
> ISC funds the development of this software with paid support subscript= ions. Contact us at
<a href=3D"
https://www.isc.org/contact/">https://www.isc.org/contact/</a> f=
or more information.<br>
> <br>
> <br>
> bind-users mailing list<br>
>
bind-users@lists.isc.org<br>
> <a href=3D"
https://lists.isc.org/mailman/listinfo/bind-users">https://= lists.isc.org/mailman/listinfo/bind-users</a><br>
-- <br>
Mark Andrews, ISC<br>
1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
PHONE: +61 2 9871 4742 &= nbsp; INTERNET:
marka@isc.org<br>
</div>
</span></font><br>
<font face=3D"Arial" color=3D"Gray" size=3D"2"><br>
=AB Ce message et toutes les pi=E8ces y jointes sont susceptibles de conten=
ir des informations confidentielles ou privil=E9gi=E9es, lesquelles ne doiv= ent =EAtre reproduites, diffus=E9es ou exploit=E9es sans autorisation. L=92= int=E9grit=E9 des messages =E9lectroniques n=92=E9tant pas
garantie, WANA CORPORATE d=E9cline toute responsabilit=E9 dans le cas o=F9=
ce message aurait =E9t=E9 alt=E9r=E9, d=E9form=E9 ou falsifi=E9.<br>
Ce message est =E9tabli =E0 l'attention exclusive de ses destinataires. Si = vous avez re=E7u ce message par erreur, veuillez le signaler =E0 l=92exp=E9= diteur et le d=E9truire y compris les pi=E8ces jointes.<br>
Merci. =BB<br>
---------------------------------------------------------------------------= ---------------------------------------------------------------------------= ---------------------------------------------------------------------------= -----------------------<br>
=AB This message and its attachments may contain confidential or privileged=
information that should not be copied, distributed or used without authori= zation. As the integrity of emails may not be guaranteed, WANA CORPORATE is=
not liable for messages that have
been modified, changed or falsified.<br>
If you have received this email in error, please notify the sender and dele=
te this message and its attachments.<br>
Thank you. =BB<br>
</font>
</body>
</html>
--_000_5018dc929e8043cb885c1ad55bfc560cinwima_--
--- Synchronet 3.18a-Linux NewsLink 1.113