[dns-operations] DNS Cookies and unknown EDNS option handling

Doug Barton dougb at dougbarton.us
Tue Nov 25 22:36:32 UTC 2014


Something like OARC's reply size test would be great! I use that with 
customers all the time, it really cuts through the "Of COURSE the 
problem is not on my side!" argument. :)

Doug


On 11/25/14 1:34 PM, Simon Munton wrote:
> If you're feeling brave a WebUI to a conformance test would be nice
>
> ditto "Handling of unknown EDNS versions"
>
>
>
> On 24/11/14 23:19, Mark Andrews wrote:
>>
>> We are looking to deploy DNS Cookies or SIT soon and the handling
>> of unknown EDNS options is atrocious.
>>
>>     http://users.isc.org/~marka/ts/gov.optfail.html
>>
>> Unknown EDNS options are supposed to be ignored. See RFC6891, 6.1.2
>> Wire Format.
>>
>>     They should not generate FORMERR.
>>     They should not generate BADVERS.
>>     They should not be echoed back.
>>     They should be responded to.
>>
>> We are seeing all of the above mis-behaviours when testing.
>>
>> FORMERR often results in responses that are indistinguishable from not
>> supporting EDNS at all.  See ednsopt and edns1opt.
>>
>> leighton.com.au. @202.93.248.33 (ns2.infoplex.com.au.): dns=ok
>> edns=formerr,nosoa edns1=formerr,version edns at 512=formerr
>> ednsopt=formerr,echoed,nosoa edns1opt=formerr,version,echoed
>> do=formerr,nosoa ednsflags=formerr,mbz,nosoa
>>
>> suncorpbank.com.au. @203.0.222.71 (pbnedns2002.suncorpmetway.com.au.):
>> dns=ok edns=ok edns1=ok edns at 512=ok ednsopt=formerr,echoed,nosoa
>> edns1opt=formerr,version,echoed do=ok ednsflags=ok
>>
>> version = no opt record or wrong version in response
>> echoed = the option was echoed back
>>
>> If you are a vendor and you nominally support EDNS can you please
>> check your software to ensure that it correctly handles unknown
>> EDNS options.
>>
>> Mark
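
The four rules quoted above can be checked mechanically for the "ednsopt" case (an EDNS version 0 query carrying one unknown option). The sketch below is an added example, not part of the thread and not the code behind the ISC test page. Assumptions: option code 65001 (local/experimental range) as the unknown option, "nosoa" taken to mean no SOA in the answer section, a "badvers" token added for the BADVERS case, and constructed replies in place of a live server.

```python
import struct

OPT, SOA = 41, 6  # RR type codes
TEST_OPTION = 65001  # constructed: local/experimental option code, assumed unknown to the server

def name(n):
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".") if l) + b"\0"

def opt_rr(version=0, options=(), ext_rcode=0):
    """OPT pseudo-RR: CLASS holds the UDP size, TTL holds ext-rcode, version, flags."""
    rd = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    return b"\0" + struct.pack("!HHBBHH", OPT, 4096, ext_rcode, version, 0, len(rd)) + rd

def build_query(qname):  # SOA query carrying one unknown EDNS(0) option
    hdr = struct.pack("!6H", 0x1234, 0, 1, 0, 0, 1)
    return hdr + name(qname) + struct.pack("!HH", SOA, 1) + opt_rr(options=[(TEST_OPTION, b"\x01\x02")])

def build_response(qname, rcode=0, soa=True, opt=None):  # constructed reply, not a capture
    rd = name("ns." + qname) + name("admin." + qname) + struct.pack("!5I", 1, 3600, 600, 86400, 300)
    ans = b"\xc0\x0c" + struct.pack("!HHIH", SOA, 1, 300, len(rd)) + rd if soa else b""
    hdr = struct.pack("!6H", 0x1234, 0x8400 | rcode, 1, int(soa), 0, int(opt is not None))
    return hdr + name(qname) + struct.pack("!HH", SOA, 1) + ans + (opt or b"")

def skip_name(m, i):
    while m[i] and m[i] < 0xC0:  # plain labels; stop at root or compression pointer
        i += 1 + m[i]
    return i + (2 if m[i] else 1)

def classify(msg, sent=TEST_OPTION):
    """Return comma-separated findings for a reply to build_query(), or "ok"."""
    flags, qd, an, ns, ar = struct.unpack("!5H", msg[2:12])
    i, soa, opt, echoed = 12, False, None, False
    for _ in range(qd):
        i = skip_name(msg, i) + 4
    for k in range(an + ns + ar):
        i = skip_name(msg, i)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[i:i + 10])
        rd, i = msg[i + 10:i + 10 + rdlen], i + 10 + rdlen
        soa |= rtype == SOA and k < an
        if rtype == OPT:
            opt = ttl
            while len(rd) >= 4:  # walk {code, length, data} option tuples
                code, ln = struct.unpack("!HH", rd[:4])
                echoed |= code == sent
                rd = rd[4 + ln:]
    rcode = (flags & 0xF) | ((opt >> 24) << 4 if opt is not None else 0)
    checks = {"formerr": rcode == 1, "badvers": rcode == 16,
              "version": opt is None or (opt >> 16) & 0xFF, "echoed": echoed, "nosoa": not soa}
    return ",".join(t for t, hit in checks.items() if hit) or "ok"
```

A conforming server answers the question, returns an OPT record at version 0 and omits the unknown option, which classify() reports as "ok".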




