[dns-operations] DNS Cookies and unknown EDNS option handling

Simon Munton Simon.Munton at cdns.net
Tue Nov 25 21:34:53 UTC 2014


If you're feeling brave a WebUI to a conformance test would be nice

ditto "Handling of unknown EDNS versions"



On 24/11/14 23:19, Mark Andrews wrote:
>
> We are looking to deploy DNS Cookies or SIT soon and the handling
> of unknown EDNS options is atrocious.
>
> 	http://users.isc.org/~marka/ts/gov.optfail.html
>
> Unknown EDNS options are supposed to be ignored. See RFC6891, 6.1.2
> Wire Format.
>
> 	They should not generate FORMERR.
> 	They should not generate BADVERS.
> 	They should not be echoed back.
> 	They should be responded to.
>
> We are seeing all of the above mis-behaviours when testing.
>
> FORMERR often results in responses that are indistinguishable from not
> supporting EDNS at all.  See ednsopt and edns1opt.
>
> leighton.com.au. @202.93.248.33 (ns2.infoplex.com.au.): dns=ok edns=formerr,nosoa edns1=formerr,version edns at 512=formerr ednsopt=formerr,echoed,nosoa edns1opt=formerr,version,echoed do=formerr,nosoa ednsflags=formerr,mbz,nosoa
>
> suncorpbank.com.au. @203.0.222.71 (pbnedns2002.suncorpmetway.com.au.): dns=ok edns=ok edns1=ok edns at 512=ok ednsopt=formerr,echoed,nosoa edns1opt=formerr,version,echoed do=ok ednsflags=ok
>
> version = no opt record or wrong version in response
> echoed = the option was echoed back
>
> If you are a vendor and you nominally support EDNS can you please
> check your software to ensure that it correctly handles unknown
> EDNS options.
>
> Mark
>
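
The checks listed in the quoted message, as an added example that is not part of either message or of the test suite it links to: it builds a query carrying an unknown EDNS option and tags a response using the legend given above (version, echoed) plus the FORMERR and BADVERS cases. The option code 65001 and all function names are assumptions chosen for illustration; the sample response is constructed and no network traffic is sent.

```python
import struct

UNKNOWN_OPT = 65001  # assumption: a code from RFC 6891's local/experimental range

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\x00"

def build_query(name, opt_code=UNKNOWN_OPT, opt_data=b"\x01\x02", version=0):
    """SOA query whose OPT pseudo-RR carries one EDNS option."""
    header = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 6, 1)   # SOA, IN
    rdata = struct.pack("!HH", opt_code, len(opt_data)) + opt_data
    # OPT: root name, type 41, class = UDP size, TTL = ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, version << 16, len(rdata))
    return header + question + opt + rdata

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if (n & 0xC0) == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1 + n

def classify(resp, opt_code=UNKNOWN_OPT, version=0):
    """Tags in the style of the quoted report; ['ok'] when none apply."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    off, opt_ttl, options = 12, None, []
    for _ in range(qd):
        off = skip_name(resp, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(resp, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        rdata, off = resp[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 41:             # OPT pseudo-RR
            opt_ttl = ttl
            while len(rdata) >= 4:
                code, length = struct.unpack("!HH", rdata[:4])
                options.append(code)
                rdata = rdata[4 + length:]
    rcode = (flags & 0xF) | ((opt_ttl >> 24) << 4 if opt_ttl is not None else 0)
    checks = [("formerr", rcode == 1), ("badvers", rcode == 16),
              ("version", opt_ttl is None or (opt_ttl >> 16) & 0xFF != version),
              ("echoed", opt_code in options)]
    return [tag for tag, hit in checks if hit] or ["ok"]

if __name__ == "__main__":  # constructed sample: the query reflected back unchanged
    print(classify(build_query("example.com.")))
```

A conforming server's response to this query classifies as `ok`: NOERROR, an OPT record at version 0, and the unknown option absent.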


