Dear Wil, Your email was fascinating. Thank you
Sent with ProtonMail Secure Email. ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Wednesday, November 6, 2019 3:15 AM, <[email protected]> wrote: > Send bind-users mailing list submissions to > [email protected] > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.isc.org/mailman/listinfo/bind-users > or, via email, send a message with subject or body 'help' to > [email protected] > > You can reach the person managing the list at > [email protected] > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of bind-users digest..." > > Today's Topics: > > 1. Query failed (timed out) (Wilfred Sarmiento) > 2. Re: Query failed (timed out) (Daniel Stirnimann) > 3. Re: Query failed (timed out) (Mark Andrews) > 4. Re: Query failed (timed out) (Wilfred Sarmiento) > > > Message: 1 > Date: Wed, 6 Nov 2019 15:32:48 +0800 > From: Wilfred Sarmiento [email protected] > To: [email protected] > Subject: Query failed (timed out) > Message-ID: > caclugzt37g_8bjynyg-ye+u8ucqyuvhcbpvyoxmwsyatiqe...@mail.gmail.com > > Content-Type: text/plain; charset="utf-8" > > Hi Bind Users, > > Anyone have a similar issue we are encountering with the subdomain of > Barclays.com specifically federate.secure.barclays.com > Our cache server could not resolve the said subdomain, but was able to > resolve their root domain barclays.com and any other known domains. > Debug just showed below little details of logs. > That subdomain was resolvable using Google DNS and other OpenDNS. > > client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852 (federate.secure.barclays.com): > query: federate.secure.barclays.com IN A + (x.x.x.x) > > client @0x7f6a4a4cd070 xxx.xxx.xxx.xxx#63852 (federate.secure.barclays.com): > query: federate.secure.barclays.com IN A + (x.x.x.x) > > client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852 (federate.secure.barclays.com): > query failed (timed out) for federate.secure.barclays.com/IN/A at > query.c:6786 > > client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852 (federate.secure.barclays.com): > query: federate.secure.barclays.com IN A + (x.x.x.x) > > client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852 (federate.secure.barclays.com): > query failed (timed out) for federate.secure.barclays.com/IN/A at > query.c:6786 > > Thank you, > > Wil > > --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > > This e-mail message (including attachments, if any) is intended for the use > of the individual or the entity to whom it is addressed and may contain > information that is privileged, proprietary, confidential and exempt from > disclosure. If you are not the intended recipient, you are notified that > any dissemination, distribution or copying of this communication is > strictly prohibited. If you have received this communication in error, > please notify the sender and delete this E-mail message immediately. > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > https://lists.isc.org/pipermail/bind-users/attachments/20191106/7228a0d3/attachment-0001.htm > > -- > > Message: 2 > Date: Wed, 6 Nov 2019 08:50:31 +0100 > From: Daniel Stirnimann [email protected] > To: Wilfred Sarmiento [email protected], > > <[email protected]> > > > Subject: Re: Query failed (timed out) > Message-ID: [email protected] > Content-Type: text/plain; charset="utf-8" > > federate.secure.barclays.com. is a CNAME pointing to > federate-secure.glbaa.barclays.com > > The authoritative name servers for federate-secure.glbaa.barclays.com > are broken: > > glbaa.barclays.com. 900 IN NS ns24.barclays.net. > glbaa.barclays.com. 900 IN NS ns22.barclays.net. > glbaa.barclays.com. 900 IN NS ns23.barclays.com. > glbaa.barclays.com. 900 IN NS ns21.barclays.com > > They only seem to respond to A, AAAA queries. Everything else times out. > Queries with EDNS Cookies (RFC7873) timeout as well. > > You should be able to work around this by adding this to named.conf > > server 157.83.126.246 { send-cookie false; }; > server 157.83.102.246 { send-cookie false; }; > server 157.83.126.245 { send-cookie false; }; > server 157.83.102.245 { send-cookie false; }; > > See also > https://ftp.isc.org/isc/bind9/9.14.0/doc/arm/Bv9ARM.ch05.html#server_statement_grammar > > Daniel > > On 06.11.19 08:32, Wilfred Sarmiento via bind-users wrote: > > > Hi Bind Users, > > Anyone have a similar issue we are encountering with the subdomain of > > Barclays.com specifically federate.secure.barclays.com > > http://federate.secure.barclays.com > > Our cache server could not resolve the said subdomain, but was able to > > resolve their root domain barclays.com http://barclays.com and any > > other known domains.? > > Debug just showed below little details of logs.? > > That subdomain was resolvable using Google DNS and other OpenDNS. > > client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852 > > (federate.secure.barclays.com): query: federate.secure.barclays.com IN A > > > > - (x.x.x.x) > > > > client @0x7f6a4a4cd070 xxx.xxx.xxx.xxx#63852 > > (federate.secure.barclays.com): query: federate.secure.barclays.com IN A > > > > - (x.x.x.x) > > > > client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852 > > (federate.secure.barclays.com): query failed (timed out) for > > federate.secure.barclays.com/IN/A at query.c:6786 > > client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852 > > (federate.secure.barclays.com): query: federate.secure.barclays.com IN A > > > > - (x.x.x.x) > > > > client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852 > > (federate.secure.barclays.com): query failed (timed out) for > > federate.secure.barclays.com/IN/A at query.c:6786 > > Thank you, > > *Wil > > * > > This e-mail message (including attachments, if any) is intended for the > > use of the individual or the entity to whom it is addressed and may > > contain information that is privileged, proprietary, confidential and > > exempt from disclosure. If you are not the intended recipient, you are > > notified that any dissemination, distribution or copying of this > > communication is strictly prohibited. If you have received this > > communication in error, please notify the sender and delete this E-mail > > message immediately. > > > > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > > unsubscribe from this list > > bind-users mailing list > > [email protected] > > https://lists.isc.org/mailman/listinfo/bind-users > > -- > > Message: 3 > Date: Wed, 6 Nov 2019 18:52:14 +1100 > From: Mark Andrews [email protected] > To: Wilfred Sarmiento [email protected], > > [email protected], [email protected] > > > Cc: [email protected] > Subject: Re: Query failed (timed out) > Message-ID: [email protected] > Content-Type: text/plain; charset=us-ascii > > The DNS servers for federate-secure.glbaa.barclays.com are broken which > is what federate.secure.barclays.com points to. They do not respond to > queries with EDNS options present and named sends a DNS COOKIE EDNS option > by default. > > You can work around this by specifying > > server 157.83.102.245 { send-cookie no; }; > > and similarly for all the other IP addresses of the GLB but the real fix > is for Barclays to deploy RFC compliant DNS servers. Their servers nominally > support EDNS and unknown EDNS options are supposed to be ignored, not cause > the query to be dropped. > > % dig federate-secure.glbaa.barclays.com +nocookie @157.83.102.245 > > ; <<>> DiG 9.15.4+hotspot+add-prefetch+marka <<>> > federate-secure.glbaa.barclays.com +nocookie @157.83.102.245 > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62156 > ;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 > ;; WARNING: recursion requested but not available > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 4096 > ;; QUESTION SECTION: > ;federate-secure.glbaa.barclays.com. IN A > > ;; ANSWER SECTION: > federate-secure.glbaa.barclays.com. 30 IN A 157.83.124.48 > > ;; Query time: 356 msec > ;; SERVER: 157.83.102.245#53(157.83.102.245) > ;; WHEN: Wed Nov 06 18:49:20 AEDT 2019 > ;; MSG SIZE rcvd: 79 > > % dig federate-secure.glbaa.barclays.com @157.83.102.245 > > ; <<>> DiG 9.15.4+hotspot+add-prefetch+marka <<>> > federate-secure.glbaa.barclays.com @157.83.102.245 > ;; global options: +cmd > ;; connection timed out; no servers could be reached > > [beetle:~/git/bind9] marka% dig federate-secure.glbaa.barclays.com +nocookie > @157.83.102.245 > > ; <<>> DiG 9.15.4+hotspot+add-prefetch+marka <<>> > federate-secure.glbaa.barclays.com +nocookie @157.83.102.245 > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20094 > ;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 > ;; WARNING: recursion requested but not available > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 4096 > ;; QUESTION SECTION: > ;federate-secure.glbaa.barclays.com. IN A > > ;; ANSWER SECTION: > federate-secure.glbaa.barclays.com. 30 IN A 157.83.124.48 > > ;; Query time: 383 msec > ;; SERVER: 157.83.102.245#53(157.83.102.245) > ;; WHEN: Wed Nov 06 18:50:19 AEDT 2019 > ;; MSG SIZE rcvd: 79 > > % > > > On 6 Nov 2019, at 18:32, Wilfred Sarmiento via bind-users > > [email protected] wrote: > > Hi Bind Users, > > Anyone have a similar issue we are encountering with the subdomain of > > Barclays.com specifically federate.secure.barclays.com > > Our cache server could not resolve the said subdomain, but was able to > > resolve their root domain barclays.com and any other known domains. > > Debug just showed below little details of logs. > > That subdomain was resolvable using Google DNS and other OpenDNS. > > client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852 > > (federate.secure.barclays.com): query: federate.secure.barclays.com IN A + > > (x.x.x.x) > > client @0x7f6a4a4cd070 xxx.xxx.xxx.xxx#63852 > > (federate.secure.barclays.com): query: federate.secure.barclays.com IN A + > > (x.x.x.x) > > client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852 > > (federate.secure.barclays.com): query failed (timed out) for > > federate.secure.barclays.com/IN/A at query.c:6786 > > client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852 > > (federate.secure.barclays.com): query: federate.secure.barclays.com IN A + > > (x.x.x.x) > > client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852 > > (federate.secure.barclays.com): query failed (timed out) for > > federate.secure.barclays.com/IN/A at query.c:6786 > > Thank you, > > Wil > > This e-mail message (including attachments, if any) is intended for the use > > of the individual or the entity to whom it is addressed and may contain > > information that is privileged, proprietary, confidential and exempt from > > disclosure. If you are not the intended recipient, you are notified that > > any dissemination, distribution or copying of this communication is > > strictly prohibited. If you have received this communication in error, > > please notify the sender and delete this E-mail message immediately. > > > > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > > unsubscribe from this list > > bind-users mailing list > > [email protected] > > https://lists.isc.org/mailman/listinfo/bind-users > > -- > > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: [email protected] > > > -------------------------------------------------------------------------------------------------------------------- > > Message: 4 > Date: Wed, 6 Nov 2019 16:14:32 +0800 > From: Wilfred Sarmiento [email protected] > To: Daniel Stirnimann [email protected] > Cc: [email protected] > Subject: Re: Query failed (timed out) > Message-ID: > caclugzrivgeoytbft5wpzm35xkvjpnee2ntm06lgszdpiqg...@mail.gmail.com > Content-Type: text/plain; charset="utf-8" > > Hi Daniel, > > The workaround works, does BIND 9.14 has a patch to resolve this? Since we > have a multiple Cache server, we need to do this every time we encounter > another domain that has this same issue. > > Thank you! > > Wil > > On Wed, Nov 6, 2019 at 3:50 PM Daniel Stirnimann < > [email protected]> wrote: > > > federate.secure.barclays.com. is a CNAME pointing to > > federate-secure.glbaa.barclays.com > > The authoritative name servers for federate-secure.glbaa.barclays.com > > are broken: > > glbaa.barclays.com. 900 IN NS ns24.barclays.net. > > glbaa.barclays.com. 900 IN NS ns22.barclays.net. > > glbaa.barclays.com. 900 IN NS ns23.barclays.com. > > glbaa.barclays.com. 900 IN NS ns21.barclays.com > > They only seem to respond to A, AAAA queries. Everything else times out. > > Queries with EDNS Cookies (RFC7873) timeout as well. > > You should be able to work around this by adding this to named.conf > > server 157.83.126.246 { send-cookie false; }; > > server 157.83.102.246 { send-cookie false; }; > > server 157.83.126.245 { send-cookie false; }; > > server 157.83.102.245 { send-cookie false; }; > > See also > > https://ftp.isc.org/isc/bind9/9.14.0/doc/arm/Bv9ARM.ch05.html#server_statement_grammar > > Daniel > > On 06.11.19 08:32, Wilfred Sarmiento via bind-users wrote: > > > > > Hi Bind Users, > > > Anyone have a similar issue we are encountering with the subdomain of > > > Barclays.com specifically federate.secure.barclays.com > > > http://federate.secure.barclays.com > > > Our cache server could not resolve the said subdomain, but was able to > > > resolve their root domain barclays.com http://barclays.com and any > > > other known domains. > > > Debug just showed below little details of logs. > > > That subdomain was resolvable using Google DNS and other OpenDNS. > > > client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852 > > > (federate.secure.barclays.com): query: federate.secure.barclays.com IN A > > > > > > - (x.x.x.x) > > > > > > client @0x7f6a4a4cd070 xxx.xxx.xxx.xxx#63852 > > > (federate.secure.barclays.com): query: federate.secure.barclays.com IN A > > > > > > - (x.x.x.x) > > > > > > client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852 > > > (federate.secure.barclays.com): query failed (timed out) for > > > federate.secure.barclays.com/IN/A at query.c:6786 > > > client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852 > > > (federate.secure.barclays.com): query: federate.secure.barclays.com IN A > > > > > > - (x.x.x.x) > > > > > > client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852 > > > (federate.secure.barclays.com): query failed (timed out) for > > > federate.secure.barclays.com/IN/A at query.c:6786 > > > Thank you, > > > *Wil > > > * > > > This e-mail message (including attachments, if any) is intended for the > > > use of the individual or the entity to whom it is addressed and may > > > contain information that is privileged, proprietary, confidential and > > > exempt from disclosure. If you are not the intended recipient, you are > > > notified that any dissemination, distribution or copying of this > > > communication is strictly prohibited. If you have received this > > > communication in error, please notify the sender and delete this E-mail > > > message immediately. > > > > > > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > > > unsubscribe from this list > > > bind-users mailing list > > > [email protected] > > > https://lists.isc.org/mailman/listinfo/bind-users > > -- > > This e-mail message (including attachments, if any) is intended for the use > of the individual or the entity to whom it is addressed and may contain > information that is privileged, proprietary, confidential and exempt from > disclosure. If you are not the intended recipient, you are notified that > any dissemination, distribution or copying of this communication is > strictly prohibited. If you have received this communication in error, > please notify the sender and delete this E-mail message immediately. > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > https://lists.isc.org/pipermail/bind-users/attachments/20191106/3fa80db8/attachment.htm > > -- > > Subject: Digest Footer > > bind-users mailing list > [email protected] > https://lists.isc.org/mailman/listinfo/bind-users > > > ---------------------------------------------------------------------------------------------------- > > End of bind-users Digest, Vol 3297, Issue 1 _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users

