[nsd-users] Old NSD, new BIND: unexpected RCODE
Hauke Lampe
lampe at hauke-lampe.de
Mon May 26 03:57:59 UTC 2014
Hello.

I'm not quite sure what to do with this. I found an incompatibility
between experimental new features in BIND and old versions of NSD.

As this is probably a collision in experimental OPT codes, I expect this
problem to disappear when a new option code is assigned.

BIND 9.10 introduces Source Identity Token (SIT) aka DNS Cookies
(http://www.isc.org/bind-9-10-new-features/).

Currently, SIT uses experimental EDNS OPT 65,001
(http://www.ietf.org/proceedings/89/slides/slides-89-dnsop-7.pdf#7).

If SIT is enabled in a resolver, NSD 2.3.7 refuses queries with RCODE 17
(BADKEY):

> named: fetch: nsd.dnstest.openchaos.org/TXT
> named: 17 unexpected RCODE resolving 'nsd.dnstest.openchaos.org/TXT/IN': 46.37.189.136#53
> named: query failed (SERVFAIL) for nsd.dnstest.openchaos.org/IN/TXT at query.c:7532

That leaves domains served exclusively by NSD 2.x unresolvable. I first
noticed this with "telekom.at" but there are probably more.

NSD 3 and 4 respond correctly, so maybe this could be an opportunity to
update and be compatible with bleeding-edge BIND resolvers :)

Hauke.
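
The following is an added example, not part of the original post and not code from BIND or NSD. It builds a query carrying EDNS option 65001 and decodes the 12-bit extended RCODE of a reply (upper 8 bits from the OPT TTL field, lower 4 bits from the header), which is how a value such as 17 reaches the resolver. The function names and the eight zero bytes of option data are assumptions made for illustration; sending the query to a server is left out.

```python
import struct

SIT_OPTION_CODE = 65001  # experimental EDNS option code named in the post
TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=TYPE_TXT, option_code=SIT_OPTION_CODE,
                option_data=b"\x00" * 8, msg_id=0x1234):
    """DNS query whose OPT record carries one EDNS option.
    option_data is a constructed placeholder, not a real SIT value."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 1)  # 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    rdata = struct.pack("!HH", option_code, len(option_data)) + option_data
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(rdata)) + rdata
    return header + question + opt

def skip_name(msg, pos):
    """Return the offset just past the name at pos (handles compression pointers)."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length

def extended_rcode(msg):
    """Combine the 4-bit header RCODE with the upper 8 bits from the OPT TTL."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    rcode = flags & 0x000F
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == TYPE_OPT:
            return ((ttl >> 24) << 4) | rcode
        pos += 10 + rdlen
    return rcode  # no OPT record: only the header bits are available
```

The bytes from build_query() can be sent over UDP to an authoritative server under test, and the reply passed to extended_rcode() to see whether it answers an unknown option normally.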