[nsd-users] Old NSD, new BIND: unexpected RCODE

Hauke Lampe lampe at hauke-lampe.de
Mon May 26 03:57:59 UTC 2014


Hello.

I'm not quite sure what to do with this. I found an incompatibility
between experimental new features in BIND and old versions of NSD.

As this is probably a collision in experimental OPT codes, I expect this
problem to disappear when a new option code is assigned.

BIND 9.10 introduces Source Identity Token (SIT) aka DNS Cookies
(http://www.isc.org/bind-9-10-new-features/).

Currently, SIT uses experimental EDNS OPT 65,001
(http://www.ietf.org/proceedings/89/slides/slides-89-dnsop-7.pdf#7)

If SIT is enabled in a resolver, NSD 2.3.7 refuses queries with RCODE 17
(BADKEY):

> named: fetch: nsd.dnstest.openchaos.org/TXT
> named: 17 unexpected RCODE resolving 'nsd.dnstest.openchaos.org/TXT/IN': 46.37.189.136#53
> named: query failed (SERVFAIL) for nsd.dnstest.openchaos.org/IN/TXT at query.c:7532

That leaves domains served exclusively by NSD 2.x unresolvable. I first
noticed this with "telekom.at" but there are probably more.

NSD 3 and 4 respond correctly, so maybe this could be an opportunity to
update and be compatible with bleeding-edge BIND resolvers :)


Hauke.
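An added example, not part of the original post: Python that builds a query carrying EDNS option code 65001 and decodes the full 12-bit RCODE of a reply. An RCODE such as 17 is split between the four-bit header field and the upper byte of the OPT record's TTL. The function names, the zero-filled option payload and the reply bytes are constructed for illustration and are not a capture of what NSD sent.

```python
import struct

SIT_OPTION_CODE = 65001  # experimental EDNS option code named in the post

def build_query(qname, qtype=16, option_code=SIT_OPTION_CODE, option_data=b"\x00" * 8):
    """Build a DNS query (TXT by default) with one EDNS0 option; payload is a placeholder."""
    header = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    rdata = struct.pack("!HH", option_code, len(option_data)) + option_data
    # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL = ext-rcode | version | flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata
    return header + question + opt

def build_reply(full_rcode):
    """Constructed reply: low 4 RCODE bits in the header, upper 8 in the OPT TTL."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8000 | (full_rcode & 0x0F), 0, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, (full_rcode >> 4) << 24, 0)
    return header + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer is two bytes and ends the name
            return off + 2
        off += 1 + n

def parse_edns(msg):
    """Return (full 12-bit RCODE, list of EDNS option codes) for a DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, options, off = flags & 0x0F, [], 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 41:  # OPT pseudo-RR
            rcode |= (ttl >> 24) << 4
            pos = off
            while pos + 4 <= off + rdlen:
                code, length = struct.unpack("!HH", msg[pos:pos + 4])
                options.append(code)
                pos += 4 + length
        off += rdlen
    return rcode, options
```

A tool that reads only the header of such a reply sees RCODE 1; the value 17 appears only once the OPT record is taken into account.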