Re: Strange DNS problem
Thanks > On 13 Jun 2019, at 1:17 am, Rune Hassel wrote: > > Hi! > > This problem should now be completely resolved. > > Regards > Rune Hassel > > > -Original Message- > From: Mark Andrews > Sent: Tuesday, June 11, 2019 6:08 AM > To: Jukka Pakkanen > Cc: Stephane Bortzmeyer ; c...@cam.ac.uk; > bind-us...@isc.org; hostmas...@datatower.fi > Subject: Re: Strange DNS problem > > You solve that by complaining to the operators of the servers that their DNS > servers mis-implement DNS COOKIE (RFC 7873) and could they request a fix from > their DNS vendor. > > Not that they make things easy to contact them. No email in whois. Just a > PO box and a phone number and I don’t intend to call it from here. > > name...: DATATOWER AB > register number: 0708753-2 > address: PB 144 > address: 67101 > address: KOKKOLA > country: Finland > phone..: +358 20 7789 564 > holder email...: > > https://datatower.fi is just a login form with a bad CERT (for > mail.datatower.fi). > > Mark > >> On 11 Jun 2019, at 4:36 am, Jukka Pakkanen wrote: >> >> Yeah, another advertising company turned to an ISP... >> >> Solved *our* problem now by including the suggested server clause for both >> of their broken servers, to our servers. Of course does not solve the real >> problem, the broken servers of theirs. >> >> Thanks for help. >> >> Jukka >> >> -Original Message- >> From: Stephane Bortzmeyer >> Sent: 10. kesäkuuta 2019 20:01 >> To: Jukka Pakkanen >> Cc: c...@cam.ac.uk; bind-us...@isc.org >> Subject: Re: Strange DNS problem >> >> On Mon, Jun 10, 2019 at 05:43:02PM +, Jukka Pakkanen >> wrote a message of 58 lines which said: >> >>> Then, unfortunately our nameservers won't resolve ns.kpk.fi either. >> >> Same authoritative name server, same problem. See my email. >> >> % dig @ns.datatower.fi. NS kpk.fi. >> >> ;; Warning: Client COOKIE mismatch >> >> ___ >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to >> unsubscribe from this list >> >> bind-users mailing list >> bind-users@lists.isc.org >> https://lists.isc.org/mailman/listinfo/bind-users > > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org > > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Strange DNS problem
You solve that by complaining to the operators of the servers that their DNS servers mis-implement DNS COOKIE (RFC 7873) and could they request a fix from their DNS vendor. Not that they make things easy to contact them. No email in whois. Just a PO box and a phone number and I don’t intend to call it from here. name...: DATATOWER AB register number: 0708753-2 address: PB 144 address: 67101 address: KOKKOLA country: Finland phone..: +358 20 7789 564 holder email...: https://datatower.fi is just a login form with a bad CERT (for mail.datatower.fi). Mark > On 11 Jun 2019, at 4:36 am, Jukka Pakkanen wrote: > > Yeah, another advertising company turned to an ISP... > > Solved *our* problem now by including the suggested server clause for both of > their broken servers, to our servers. Of course does not solve the real > problem, the broken servers of theirs. > > Thanks for help. > > Jukka > > -Original Message- > From: Stephane Bortzmeyer > Sent: 10. kesäkuuta 2019 20:01 > To: Jukka Pakkanen > Cc: c...@cam.ac.uk; bind-us...@isc.org > Subject: Re: Strange DNS problem > > On Mon, Jun 10, 2019 at 05:43:02PM +, Jukka Pakkanen > wrote a message of 58 lines which said: > >> Then, unfortunately our nameservers won't resolve ns.kpk.fi either. > > Same authoritative name server, same problem. See my email. > > % dig @ns.datatower.fi. NS kpk.fi. > > ;; Warning: Client COOKIE mismatch > > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: Strange DNS problem
Yeah, another advertising company turned to an ISP... Solved *our* problem now by including the suggested server clause for both of their broken servers, to our servers. Of course does not solve the real problem, the broken servers of theirs. Thanks for help. Jukka -Original Message- From: Stephane Bortzmeyer Sent: 10. kesäkuuta 2019 20:01 To: Jukka Pakkanen Cc: c...@cam.ac.uk; bind-us...@isc.org Subject: Re: Strange DNS problem On Mon, Jun 10, 2019 at 05:43:02PM +, Jukka Pakkanen wrote a message of 58 lines which said: > Then, unfortunately our nameservers won't resolve ns.kpk.fi either. Same authoritative name server, same problem. See my email. % dig @ns.datatower.fi. NS kpk.fi. ;; Warning: Client COOKIE mismatch ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Strange DNS problem
On Mon, Jun 10, 2019 at 05:43:02PM +, Jukka Pakkanen wrote a message of 58 lines which said: > Then, unfortunately our nameservers won't resolve ns.kpk.fi either. Same authoritative name server, same problem. See my email. % dig @ns.datatower.fi. NS kpk.fi. ;; Warning: Client COOKIE mismatch ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: Strange DNS problem
-Original Message- From: Chris Thompson On Behalf Of Chris Thompson Sent: 10. kesäkuuta 2019 17:30 To: Jukka Pakkanen Cc: bind-us...@isc.org Subject: Re: Strange DNS problem On Jun 10 2019, Jukka Pakkanen wrote: >We have a strange problem related to DNS services, maybe someone here >have a clue what could be the problem. […] >An example, the client domain is raimoasikainenoy.fi. Well, there is certainly something wrong with ns.datatower.fi [193.184.54.212], as it consistently returns server cookies that bear no relationship to the client cookie sent in the query, and in fact I get *exactly* the same one as you report: >; <<>> DiG 9.14.2 <<>> @193.184.54.212 raimoasikainenoy.fi ns ; (1 >server found) ;; global options: +cmd ;; Got answer: >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14591 ;; flags: qr >aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3 ;; WARNING: >recursion requested but not available > >;; OPT PSEUDOSECTION: >; EDNS: version: 0, flags:; udp: 4096 >; COOKIE: a0ff0c014f65b471e0b8b271e7bab2718129c071 (bad) every time! (Use +qr to show the client cookie sent by dig.) I expect you could work around this by specifying server 193.184.54.212 { send-cookie no; }; in your named.conf, but it seems to me that BIND 9.14 ought to be able to fall back on using ns.kpk.fi [192.130.183.74] which doesn't have this server cookie problem. -- Chris Thompson Email: c...@cam.ac.uk Then, unfortunately our nameservers won't resolve ns.kpk.fi either. So even if the fall back works, as I suppose it does, it does not help here. ; <<>> DiG 9.14.2 <<>> @ns1.qnet.fi ns.kpk.fi ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64299 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 5fdcace005523ca0f1b0c9c95cfe96f17497773ef05635e1 (good) ;; QUESTION SECTION: ;ns.kpk.fi. IN A ;; Query time: 0 msec ;; SERVER: 62.142.220.5#53(62.142.220.5) ;; WHEN: Mon Jun 10 20:44:17 FLE Daylight Time 2019 ;; MSG SIZE rcvd: 66 And again when inquiring directly with the IP of ns.kpk.fi, we do get an answer: ; <<>> DiG 9.14.2 <<>> @192.130.183.74 ns.kpk.fi ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50365 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: ef9a3009864a202e5dfe5cfe9648adfe8be2561def4d (good) ;; QUESTION SECTION: ;ns.kpk.fi. IN A ;; ANSWER SECTION: ns.kpk.fi. 600 IN A 192.130.183.74 ;; Query time: 31 msec ;; SERVER: 192.130.183.74#53(192.130.183.74) ;; WHEN: Mon Jun 10 20:45:48 FLE Daylight Time 2019 ;; MSG SIZE rcvd: 82 Jukka Maybe because the "lue.keskipohjanmaa.com" NS server for this kpk.fi domain, also seems to be having this cookie problem: ;; Warning: Client COOKIE mismatch ; <<>> DiG 9.14.2 <<>> @192.130.183.69 ns.kpk.fi ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39629 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: a0ffec004f65b471e0b8b271e7bab2718129c071 (bad) ;; QUESTION SECTION: ;ns.kpk.fi. IN A ;; ANSWER SECTION: ns.kpk.fi. 600 IN A 192.130.183.74 ;; AUTHORITY SECTION: kpk.fi. 600 IN NS lue.keskipohjanmaa.com. kpk.fi. 600 IN NS ns.datatower.fi. ;; ADDITIONAL SECTION: ns.datatower.fi.3600IN A 193.184.54.212 lue.keskipohjanmaa.com. 3600IN A 192.130.183.69 ;; Query time: 31 msec ;; SERVER: 192.130.183.69#53(192.130.183.69) ;; WHEN: Mon Jun 10 20:59:44 FLE Daylight Time 2019 ;; MSG SIZE rcvd: 177 ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: Strange DNS problem
-Original Message- From: Chris Thompson On Behalf Of Chris Thompson Sent: 10. kesäkuuta 2019 17:30 To: Jukka Pakkanen Cc: bind-us...@isc.org Subject: Re: Strange DNS problem On Jun 10 2019, Jukka Pakkanen wrote: >We have a strange problem related to DNS services, maybe someone here >have a clue what could be the problem. […] >An example, the client domain is raimoasikainenoy.fi. Well, there is certainly something wrong with ns.datatower.fi [193.184.54.212], as it consistently returns server cookies that bear no relationship to the client cookie sent in the query, and in fact I get *exactly* the same one as you report: >; <<>> DiG 9.14.2 <<>> @193.184.54.212 raimoasikainenoy.fi ns ; (1 >server found) ;; global options: +cmd ;; Got answer: >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14591 ;; flags: qr >aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3 ;; WARNING: >recursion requested but not available > >;; OPT PSEUDOSECTION: >; EDNS: version: 0, flags:; udp: 4096 >; COOKIE: a0ff0c014f65b471e0b8b271e7bab2718129c071 (bad) every time! (Use +qr to show the client cookie sent by dig.) I expect you could work around this by specifying server 193.184.54.212 { send-cookie no; }; in your named.conf, but it seems to me that BIND 9.14 ought to be able to fall back on using ns.kpk.fi [192.130.183.74] which doesn't have this server cookie problem. -- Chris Thompson Email: c...@cam.ac.uk Then, unfortunately our nameservers won't resolve ns.kpk.fi either. So even if the fall back works, as I suppose it does, it does not help here. ; <<>> DiG 9.14.2 <<>> @ns1.qnet.fi ns.kpk.fi ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64299 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 5fdcace005523ca0f1b0c9c95cfe96f17497773ef05635e1 (good) ;; QUESTION SECTION: ;ns.kpk.fi. IN A ;; Query time: 0 msec ;; SERVER: 62.142.220.5#53(62.142.220.5) ;; WHEN: Mon Jun 10 20:44:17 FLE Daylight Time 2019 ;; MSG SIZE rcvd: 66 And again when inquiring directly with the IP of ns.kpk.fi, we do get an answer: ; <<>> DiG 9.14.2 <<>> @192.130.183.74 ns.kpk.fi ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50365 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: ef9a3009864a202e5dfe5cfe9648adfe8be2561def4d (good) ;; QUESTION SECTION: ;ns.kpk.fi. IN A ;; ANSWER SECTION: ns.kpk.fi. 600 IN A 192.130.183.74 ;; Query time: 31 msec ;; SERVER: 192.130.183.74#53(192.130.183.74) ;; WHEN: Mon Jun 10 20:45:48 FLE Daylight Time 2019 ;; MSG SIZE rcvd: 82 Jukka ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Strange DNS problem
On Jun 10 2019, Jukka Pakkanen wrote: We have a strange problem related to DNS services, maybe someone here have a clue what could be the problem. […] An example, the client domain is raimoasikainenoy.fi. Well, there is certainly something wrong with ns.datatower.fi [193.184.54.212], as it consistently returns server cookies that bear no relationship to the client cookie sent in the query, and in fact I get *exactly* the same one as you report: ; <<>> DiG 9.14.2 <<>> @193.184.54.212 raimoasikainenoy.fi ns ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14591 ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: a0ff0c014f65b471e0b8b271e7bab2718129c071 (bad) every time! (Use +qr to show the client cookie sent by dig.) I expect you could work around this by specifying server 193.184.54.212 { send-cookie no; }; in your named.conf, but it seems to me that BIND 9.14 ought to be able to fall back on using ns.kpk.fi [192.130.183.74] which doesn't have this server cookie problem. -- Chris Thompson Email: c...@cam.ac.uk ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Strange DNS problem
On Mon, Jun 10, 2019 at 02:28:46PM +, Jukka Pakkanen wrote a message of 382 lines which said: > An example, the client domain is raimoasikainenoy.fi. dig clearly says it's a cookie issue: % dig @193.184.54.212 NS raimoasikainenoy.fi ;; Warning: Client COOKIE mismatch An DNSviz confirms: http://dnsviz.net/d/raimoasikainenoy.fi/dnssec/ Your tests show that it fails only when you use cookies, which is consistent with the above: > ; <<>> DiG 9.14.2 <<>> @ns1.qnet.fi raimoasikainenoy.fi ns ... > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 4096 > ; COOKIE: 55ba199a6d905273458bc2065cfe655462f150936d882603 (good) > ; <<>> DiG 9.14.2 <<>> @8.8.8.8 raimoasikainenoy.fi ns ... > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 512 (Bad Google, no cookies) So, they have broken authoritative name servers. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users