| From | Mark Andrews <marka@isc.org> |
|---|---|
| Newsgroups | comp.protocols.dns.bind |
| Subject | Re: Increase in retry and timeout errors post 9.9.4 -> 9.11.4 upgrade |
| Date | Mon, 4 May 2020 12:13:16 +1000 |
| Message-ID | <mailman.349.1588558392.942.bind-users@lists.isc.org> |
| To | Gareth Parks <gparks@tripadvisor.com> |
| Cc | "bind-users@lists.isc.org" <bind-users@lists.isc.org> |
Well, BIND 9.11+ supports DNS COOKIE by default and there are some servers that mishandle EDNS requests with a DNS COOKIE option present. Unknown EDNS options are supposed to be ignored, but there are servers/firewalls that just drop such queries. Others return FORMERR, others return NXDOMAIN when there is an answer w/o the option being present, others echo unknown options, and others still send back a DNS COOKIE response but fail to correctly copy the client cookie part to the response.
https://ednscomp.isc.org/compliance/ts/govfull.optfail.html shows how servers for .GOV zone behave when presented with an unknown EDNS option. Other datasets are similar.
You can use "server <prefix> { send-cookie no; };" to work around known broken servers.
Mark
> On 4 May 2020, at 11:21, Gareth Parks <gparks@tripadvisor.com> wrote:
>
> Hi,
>
> I have three CentOS 7 servers running bind acting as internal resolvers. There was an update released that upgrades them from 0:9.9.4-74.el7_6.2 to 32:9.11.4-16.P2.el7_8.2. On performing this upgrade to one of the servers there has been a notable increase in retry and timeout errors as measured by data collected from the statistics channel. Where previously the number of errors for retry and timeouts was < 10/2 minutes I now regularly see spikes > 50/2 minutes and the error levels have remained consistent on the other two servers. When I downgrade the server back to 9.9.4 the error rate drops as well.
>
> I increased the log level for the query-errors log and observed the number of entries between the upgraded and non-upgraded servers were about the same so there doesn't appear to be an increase in errors.
>
> I'm not sure whether the issue is that I'm not looking in the correct place to identify the source of retries/timeouts or the other possibility that occurred to me is that there might have been a change between the two versions for what data is represented by those retry/timeout counters and the increased rate is not a problem but just representing different information.
>
> Gareth
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
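The failure modes listed in the reply above can be told apart from a single response to a query that carries a DNS COOKIE option. The following is an added example, not part of the original post and not ISC code: the function names and result labels are assumptions, and `build_message` is used both for the probe query and to construct sample replies for offline checking.

```python
import struct

COOKIE = 10                              # EDNS option code of DNS COOKIE (RFC 7873)
RCODES = {1: "formerr", 3: "nxdomain"}   # nxdomain: broken only if a no-cookie query is answered

def build_message(name, options, flags=0x0100, qid=0x1234):
    """One-question A/IN message with an OPT RR carrying options={code: data}."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options.items())
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1) + qname + struct.pack("!HH", 1, 1)
    return msg + b"\0" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata

def skip_name(msg, off):
    while msg[off] and (msg[off] & 0xC0) != 0xC0:    # walk plain labels
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)              # compression pointer or root byte

def parse(msg):
    """Return (rcode, options); options is None when the message has no OPT RR."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, opts = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off, end = off + 10, off + 10 + rdlen
        if rtype == 41:                              # OPT pseudo-RR
            opts = {}
            while off < end:
                code, ln = struct.unpack("!HH", msg[off:off + 4])
                opts[code] = msg[off + 4:off + 4 + ln]
                off += 4 + ln
        off = end
    return flags & 0xF, opts                         # low 4 RCODE bits cover FORMERR/NXDOMAIN

def classify(response, client_cookie):
    """Name the behaviour of one reply (None = timed out) to a query carrying client_cookie."""
    if response is None:
        return "dropped"
    rcode, opts = parse(response)
    if rcode in RCODES:
        return RCODES[rcode]
    cookie = (opts or {}).get(COOKIE)
    if cookie is None:
        return "ignored"                             # what a server without cookie support should do
    if cookie[:8] != client_cookie:
        return "bad-client-cookie"
    return "echoed" if len(cookie) == 8 else "cookie-ok"
```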