[dns-operations] DNS Cookies and unknown EDNS option handling

Mark Andrews marka at isc.org
Mon Nov 24 23:19:42 UTC 2014


We are looking to deploy DNS Cookies or SIT soon and the handling
of unknown EDNS options is atrocious.

	http://users.isc.org/~marka/ts/gov.optfail.html

Unknown EDNS options are supposed to be ignored. See RFC6891, 6.1.2
Wire Format.

	They should not generate FORMERR.
	They should not generate BADVERS.
	They should not be echoed back.
	They should be responded to.

We are seeing all of the above mis-behaviours when testing.

FORMERR often results in responses that are indistigishable from not
supporting EDNS at all.  See ednsopt and edns1opt.

leighton.com.au. @202.93.248.33 (ns2.infoplex.com.au.): dns=ok edns=formerr,nosoa edns1=formerr,version edns at 512=formerr ednsopt=formerr,echoed,nosoa edns1opt=formerr,version,echoed do=formerr,nosoa ednsflags=formerr,mbz,nosoa

suncorpbank.com.au. @203.0.222.71 (pbnedns2002.suncorpmetway.com.au.): dns=ok edns=ok edns1=ok edns at 512=ok ednsopt=formerr,echoed,nosoa edns1opt=formerr,version,echoed do=ok ednsflags=ok

version = no opt record or wrong version in response
echoed = the option was echoed back

If you are a vendor and you nominally support EDNS can you please
check your software to ensure that it correctly handles unknown
EDNS options.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:	+61 2 9871 4742		         INTERNET: marka at isc.org



More information about the dns-operations mailing list