<div dir="ltr">Thanks Mark. Where do I get the dig with +ednsopt ?<div><br></div><div><div>root@5df5dd95aeae:/# dig -v</div><div>DiG 9.10.1</div><div>root@5df5dd95aeae:/# dig -h|grep edns</div><div> +subnet=addr (Set edns-client-subnet option)</div><div> +[no]edns[=###] (Set EDNS version) [0]</div><div>root@5df5dd95aeae:/# </div></div><div><div>root@5df5dd95aeae:/# dig +ednsopt=100 </div><div>Invalid option: +ednsopt=100</div></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 10, 2014 at 6:10 PM, Mark Andrews <span dir="ltr"><<a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
20732 is a little small for a experimental option code but the server<br>
should be ignoring it anyway if it doesn't understand it.<br>
<br>
Firewalls are just too picky over DNS queries. It is well formed<br>
it should be passed. Let the nameserver behind deal with it. About<br>
5-6% of nameserver / firewall combinations get this wrong. There<br>
are well defined behaviours specified in RFC 6891 for how to handle<br>
unknown EDNS options, versions and flags. The firewall doesn't<br>
need to scrub queries setting any of these.<br>
<br>
If your nameserver / firewall is not doing the right thing then<br>
you need to FIX IT!<br>
<br>
I'm going to be talking about EDNS compliance at IETF but if you<br>
want to see some pretty graphs <a href="http://users.isc.org/~marka/ts.html" target="_blank">http://users.isc.org/~marka/ts.html</a>.<br>
<br>
Look for the Firewalls by Type graphs.<br>
<br>
The kinks in the AU graphs at the end are due to the graphs being<br>
done on partial datasets. The run takes a little over 24 hour to<br>
complete and the properties are not uniform over the dataset so<br>
disregard the last data point.<br>
<br>
Mark<br>
<br>
<br>
In message <<a href="mailto:CAEU_gmeZ8JCgw8adKiR8CDp0ackiVvFwuyvY1rpv4JKD9DtHhw@mail.gmail.com">CAEU_gmeZ8JCgw8adKiR8CDp0ackiVvFwuyvY1rpv4JKD9DtHhw@mail.gmail.com</a>><br>
, Mohamed Lrhazi writes:<br>
> --===============6806851822810879355==<br>
> Content-Type: multipart/alternative; boundary=001a1134e054e208f305051714c1<br>
><br>
> --001a1134e054e208f305051714c1<br>
> Content-Type: text/plain; charset=UTF-8<br>
> Content-Transfer-Encoding: quoted-printable<br>
<span class="">><br>
> F5 are asking me for time to debug.. while Google is saying "All our<br>
> appliances do this, nobody else is complaining...".. Just saying, I prefer<br>
> the former response so far.<br>
><br>
> Thanks,<br>
> Mohamed.<br>
><br>
> On Fri, Oct 10, 2014 at 3:20 PM, Jared Mauch <<a href="mailto:jared@puck.nether.net">jared@puck.nether.net</a>> wrote:<br>
><br>
> ><br>
> > > On Oct 10, 2014, at 2:54 PM, Hugo Salgado <<a href="mailto:hsalgado@nic.cl">hsalgado@nic.cl</a>> wrote:<br>
> > ><br>
> > ><br>
> > > On 10/10/2014 03:24 PM, Roland Dobbins wrote:<br>
> > >><br>
> > >> On Oct 11, 2014, at 1:07 AM, Mohamed Lrhazi <<br>
> > <a href="mailto:Mohamed.Lrhazi@georgetown.edu">Mohamed.Lrhazi@georgetown.edu</a>> wrote:<br>
> > >><br>
> > >>> The appliance vendor, Google, tells me that edns0 opt code 20732 must<br>
> > be "the service name", whatever that means....<br>
> > >><br>
> > >> I don't know what that means in the context of a non-SRV query . . .<br>
> > can you turn off the F5's 'malformed DNS query' scrubbing and see what<br>
> > happens?<br>
> > >><br>
> > ><br>
> > > Well... F5 is known of misbehavior with its aggressive filtering,<br>
> > > even with AAAA records some time ago:<br>
> > > <a href="http://hugo.salga.do/post/50030273426/quad-a-blocking-in-dns" target="_blank">http://hugo.salga.do/post/50030273426/quad-a-blocking-in-dns</a><br>
> ><br>
</span>> > I=E2=80=99ve never had success with F5 and DNS packet handling properly g=<br>
<span class="">> oing all<br>
> > the way back to Nov 1998 timeframe. One of their engineers was<br>
> > troubleshooting it in our offices of my employer at the time and ended up<br>
</span>> > upset and saying =E2=80=9Cwhy doesn=E2=80=99t this work=E2=80=9D when it =<br>
<span class="">> was broken vs being able<br>
> > to properly triage it.<br>
> ><br>
</span>> > I=E2=80=99m expecting someone from F5 to email me because at the time whe=<br>
> n I<br>
> > posted about the issue on NANOG they were aggressive in trying to defend =<br>
<span class="">> a<br>
> > public view of their product and legitimate technical problems.<br>
> ><br>
> > - Jared<br>
> > _______________________________________________<br>
> > dns-operations mailing list<br>
> > <a href="mailto:dns-operations@lists.dns-oarc.net">dns-operations@lists.dns-oarc.net</a><br>
> > <a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
> > dns-jobs mailing list<br>
> > <a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a><br>
> ><br>
><br>
</span>> --001a1134e054e208f305051714c1<br>
> Content-Type: text/html; charset=UTF-8<br>
> Content-Transfer-Encoding: quoted-printable<br>
><br>
> <div dir=3D"ltr">F5 are asking me for time to debug.. while Google is sayin=<br>
> g "All our appliances do this, nobody else is complaining...".. J=<br>
> ust saying, I prefer the former response so far.<div><br></div><div>Thanks,=<br>
> </div><div>Mohamed.</div></div><div class=3D"gmail_extra"><br><div class=3D=<br>
> "gmail_quote">On Fri, Oct 10, 2014 at 3:20 PM, Jared Mauch <span dir=3D"ltr=<br>
> "><<a href=3D"mailto:<a href="mailto:jared@puck.nether.net">jared@puck.nether.net</a>" target=3D"_blank">jared@puck=<br>
> .<a href="http://nether.net" target="_blank">nether.net</a></a>></span> wrote:<br><blockquote class=3D"gmail_quote" styl=<br>
> e=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span c=<br>
> lass=3D""><br><br>
> > On Oct 10, 2014, at 2:54 PM, Hugo Salgado <<a href=3D"mailto:<a href="mailto:hsalga">hsalga</a>=<br>
> <a href="mailto:do@nic.cl">do@nic.cl</a>"><a href="mailto:hsalgado@nic.cl">hsalgado@nic.cl</a></a>> wrote:<br><br>
> ><br><br>
> ><br><br>
> > On 10/10/2014 03:24 PM, Roland Dobbins wrote:<br><br>
> >><br><br>
> >> On Oct 11, 2014, at 1:07 AM, Mohamed Lrhazi <<a href=3D"mailto:=<br>
> <a href="mailto:Mohamed.Lrhazi@georgetown.edu">Mohamed.Lrhazi@georgetown.edu</a>"><a href="mailto:Mohamed.Lrhazi@georgetown.edu">Mohamed.Lrhazi@georgetown.edu</a></a>> wrote:=<br>
> <br><br>
> >><br><br>
> >>> The appliance vendor, Google, tells me that edns0 opt code 207=<br>
> 32 must be "the service name", whatever that means....<br><br>
> >><br><br>
> >> I don't know what that means in the context of a non-SRV query=<br>
> . . . can you turn off the F5's 'malformed DNS query' scrubbin=<br>
> g and see what happens?<br><br>
> >><br><br>
> ><br><br>
> > Well... F5 is known of misbehavior with its aggressive filtering,<br><br>
> > even with AAAA records some time ago:<br><br>
> >=C2=A0 <a href=3D"<a href="http://hugo.salga.do/post/50030273426/quad-a-blocking=" target="_blank">http://hugo.salga.do/post/50030273426/quad-a-blocking=</a><br>
> -in-dns" target=3D"_blank"><a href="http://hugo.salga.do/post/50030273426/quad-a-blo=" target="_blank">http://hugo.salga.do/post/50030273426/quad-a-blo=</a><br>
> cking-in-dns</a><br><br>
> <br><br>
> </span>I=E2=80=99ve never had success with F5 and DNS packet handling prope=<br>
> rly going all the way back to Nov 1998 timeframe.=C2=A0 One of their engine=<br>
> ers was troubleshooting it in our offices of my employer at the time and en=<br>
> ded up upset and saying =E2=80=9Cwhy doesn=E2=80=99t this work=E2=80=9D whe=<br>
> n it was broken vs being able to properly triage it.<br><br>
> <br><br>
> I=E2=80=99m expecting someone from F5 to email me because at the time when =<br>
> I posted about the issue on NANOG they were aggressive in trying to defend =<br>
> a public view of their product and legitimate technical problems.<br><br>
> <span class=3D"HOEnZb"><font color=3D"#888888"><br><br>
> - Jared<br><br>
> </font></span><div class=3D"HOEnZb"><div class=3D"h5">_____________________=<br>
> __________________________<br><br>
> dns-operations mailing list<br><br>
> <a href=3D"mailto:<a href="mailto:dns-operations@lists.dns-oarc.net">dns-operations@lists.dns-oarc.net</a>">dns-operations@lists.d=<br>
> <a href="http://ns-oarc.net" target="_blank">ns-oarc.net</a></a><br><br>
> <a href=3D"<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
> dns-jobs" target=3D"_blank"><a href="https://lists.dns-oarc.net/mailman/listinfo/dns=" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns=</a><br>
> -operations<br><br>
> dns-jobs</a> mailing list<br><br>
> <a href=3D"<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a>" target=3D"=<br>
> _blank"><a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a></a></div></div=<br>
> ></blockquote></div><br></div><br>
><br>
> --001a1134e054e208f305051714c1--<br>
><br>
> --===============6806851822810879355==<br>
> Content-Type: text/plain; charset="us-ascii"<br>
> MIME-Version: 1.0<br>
> Content-Transfer-Encoding: 7bit<br>
> Content-Disposition: inline<br>
<span class="">><br>
> _______________________________________________<br>
> dns-operations mailing list<br>
> <a href="mailto:dns-operations@lists.dns-oarc.net">dns-operations@lists.dns-oarc.net</a><br>
> <a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
> dns-jobs mailing list<br>
> <a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a><br>
</span>> --===============6806851822810879355==--<br>
<span class="HOEnZb"><font color="#888888">--<br>
Mark Andrews, ISC<br>
1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
PHONE: <a href="tel:%2B61%202%209871%204742" value="+61298714742">+61 2 9871 4742</a> INTERNET: <a href="mailto:marka@isc.org">marka@isc.org</a><br>
</font></span></blockquote></div><br></div>