[dns-operations] DNS Cookies and unknown EDNS option handling
Mark Andrews
marka at isc.org
Mon Nov 24 23:19:42 UTC 2014
We are looking to deploy DNS Cookies or SIT soon and the handling
of unknown EDNS options is atrocious.
http://users.isc.org/~marka/ts/gov.optfail.html
Unknown EDNS options are supposed to be ignored. See RFC6891, 6.1.2
Wire Format.
They should not generate FORMERR.
They should not generate BADVERS.
They should not be echoed back.
They should be responded to.
We are seeing all of the above misbehaviours when testing.
FORMERR often results in responses that are indistinguishable from not
supporting EDNS at all. See ednsopt and edns1opt.
leighton.com.au. @202.93.248.33 (ns2.infoplex.com.au.): dns=ok edns=formerr,nosoa edns1=formerr,version edns at 512=formerr ednsopt=formerr,echoed,nosoa edns1opt=formerr,version,echoed do=formerr,nosoa ednsflags=formerr,mbz,nosoa
suncorpbank.com.au. @203.0.222.71 (pbnedns2002.suncorpmetway.com.au.): dns=ok edns=ok edns1=ok edns at 512=ok ednsopt=formerr,echoed,nosoa edns1opt=formerr,version,echoed do=ok ednsflags=ok
version = no opt record or wrong version in response
echoed = the option was echoed back
If you are a vendor and you nominally support EDNS can you please
check your software to ensure that it correctly handles unknown
EDNS options.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
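A stand-alone checker for the behaviours listed above, added here as an example and not part of the original post or of ISC's own test: it builds a query carrying an EDNS option code the server should not recognise and classifies the reply with labels modelled on the report's columns (formerr, badvers, version, echoed, noopt; nosoa is not checked). The option code 65001 (from the local/experimental range), the option data bytes and the query name are constructed values; only the Python standard library is used, and sending the query over UDP is left to the caller.

```python
import struct

OPT_TYPE = 41
PROBE_CODE = 65001  # constructed: an option code the target should not recognise

def encode_name(name):  # uncompressed wire-format name
    return b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"

def build_opt(options=(), ext_rcode=0, version=0, udp_size=4096):
    """OPT pseudo-RR per RFC 6891 6.1.2; options is a list of (code, data) pairs."""
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    ttl = (ext_rcode << 24) | (version << 16)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, len(rdata)) + rdata

def build_message(qid, flags, qname, opt=None):
    """Query or response with one A question and an optional OPT in the additional section."""
    hdr = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if opt else 0)
    return hdr + encode_name(qname) + struct.pack("!HH", 1, 1) + (opt or b"")

def build_probe_query(qid, qname):  # RD set, EDNS version 0, one unknown option
    return build_message(qid, 0x0100, qname, build_opt([(PROBE_CODE, b"\x01\x02")]))

def skip_name(buf, off):  # advance past a possibly compressed name
    while buf[off] and (buf[off] & 0xC0) != 0xC0:
        off += buf[off] + 1
    return off + (2 if buf[off] else 1)

def classify_response(resp):
    """Misbehaviours in a response to build_probe_query; an empty list means the server behaved."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    rcode, off, opt_ttl = flags & 0xF, 12, None
    issues = ["formerr"] if rcode == 1 else []
    for _ in range(qd):
        off = skip_name(resp, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(resp, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        if rtype == OPT_TYPE:
            opt_ttl, rdata = ttl, resp[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
    if opt_ttl is None:
        return issues + ["noopt"]
    ext_rcode, version = opt_ttl >> 24, (opt_ttl >> 16) & 0xFF
    issues += ["badvers"] if (ext_rcode << 4 | rcode) == 16 else []  # extended RCODE 16
    issues += ["version"] if version else []  # reply must carry EDNS version 0
    while len(rdata) >= 4:  # walk the reply's options looking for the one we sent
        code, ln = struct.unpack("!HH", rdata[:4])
        issues += ["echoed"] if code == PROBE_CODE else []
        rdata = rdata[4 + ln:]
    return issues
```

Send the bytes from build_probe_query() to port 53 over UDP and hand the raw reply to classify_response(); a server that follows RFC 6891 yields an empty list.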