[dns-operations] DNS Cookies and unknown EDNS option handling
Mark Andrews
marka at isc.org
Tue Nov 25 22:46:07 UTC 2014
In message <5474F5FD.3020702 at cdns.net>, Simon Munton writes:
> If you're feeling brave a WebUI to a conformance test would be nice
>
> ditto "Handling of unknown EDNS versions"
I suspect it would be better to build this sort of checking into
the existing delegation checking sites.
For explict EDNS checking I suspect it would be better done on a
vendor neutral site.
Have infrastructure zones run the checks on all the delegated to
nameservers and report ones which fail to comply. There really is
no reason to stand up a server which is not RFC compliant. This
is also something that tends to stay fixed once it is fixed.
Run the checks quarterly. For the sites that I've reported issues
to it take between 1-2 months to get a fix in place.
I actually do 8 queries per <zone,address> tuple then examine the
results.
# run the digs in parallel so that we don't have sequential timeouts.
$dig +noedns +noad +norec soa -q "$zone" @$server > $wd/plain &
$dig +edns +noad +norec soa -q "$zone" @$server > $wd/edns &
$dig +edns=1 +noad +norec soa -q "$zone" @$server > $wd/edns1 &
$dig +edns +dnssec +bufsize=512 +noad +norec +ignore dnskey -q "$zone" @$server > $wd/edns512 &
$dig +ednsopt=100 +noad +norec soa -q "$zone" @$server > $wd/ednsopt &
$dig +ednsopt=100 +edns=1 +noad +norec soa -q "$zone" @$server > $wd/edns1opt &
$dig +dnssec +noad +norec soa -q "$zone" @$server > $wd/dnssec &
$dig +ednsflags=0x80 +noad +norec soa -q "$zone" @$server > $wd/ednsflags &
$dig +edns +dnssec +bufsize=512 +noad +norec +vc dnskey -q "$zone" @$server > $wd/edns512tcp &
wait
and end up with something like this
% echo . a.root-servers.net | sh genreport
. @198.41.0.4 (a.root-servers.net): dns=ok edns=ok edns1=ok edns at 512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok
. @2001:503:ba3e::2:30 (a.root-servers.net): dns=ok edns=ok edns1=ok edns at 512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok
%
or this where there is a firewall blocking EDNS version 1 queries
and EDNS queries with a EDNS flag bit set. Yes the server *is*
EDNS aware. It just doesn't return a EDNS response unless DO=1 is
also set. The two "=ok" responses had the DO=1 set in the query.
One to two days ago this was a non-EDNS aware server. It's good
to see a DNS hoster turn on EDNS, now to get the implementation
fixed and the firewall fixed.
% echo styletread.com.au ns3.easyclouddns.net | sh genreport
styletread.com.au @203.55.142.22 (ns3.easyclouddns.net): dns=ok edns=version edns1=timeout edns at 512=ok ednsopt=version edns1opt=timeout do=ok ednsflags=timeout
%
>From this testing window 2014-11-23T00:00:05Z -- 2014-11-24T22:11:27Z
styletread.com.au. @203.55.142.22 (ns3.easyclouddns.net.): dns=ok edns=version edns1=timeout edns at 512=version ednsopt=version edns1opt=timeout do=version ednsflags=timeout
which shows a non-EDNS aware server behind a firewall blocking
EDNS(1) queries and queries with EDNS flag bits set.
Normally I'm feeding a whole stream of queries into the script.
While I'd like everyone to deploy EDNS what I want to see fixed are
the broken firewall and EDNS implementations.
Mark
> On 24/11/14 23:19, Mark Andrews wrote:
> >
> > We are looking to deploy DNS Cookies or SIT soon and the handling
> > of unknown EDNS options is atrocious.
> >
> > http://users.isc.org/~marka/ts/gov.optfail.html
> >
> > Unknown EDNS options are supposed to be ignored. See RFC6891, 6.1.2
> > Wire Format.
> >
> > They should not generate FORMERR.
> > They should not generate BADVERS.
> > They should not be echoed back.
> > They should be responded to.
> >
> > We are seeing all of the above mis-behaviours when testing.
> >
> > FORMERR often results in responses that are indistigishable from not
> > supporting EDNS at all. See ednsopt and edns1opt.
> >
> > leighton.com.au. @202.93.248.33 (ns2.infoplex.com.au.): dns=ok edns=formerr,nosoa edns1=formerr,version edns at 512=former
> r ednsopt=formerr,echoed,nosoa edns1opt=formerr,version,echoed do=formerr,nosoa ednsflags=formerr,mbz,nosoa
> >
> > suncorpbank.com.au. @203.0.222.71 (pbnedns2002.suncorpmetway.com.au.): dns=ok edns=ok edns1=ok edns at 512=ok ednsopt=form
> err,echoed,nosoa edns1opt=formerr,version,echoed do=ok ednsflags=ok
> >
> > version = no opt record or wrong version in response
> > echoed = the option was echoed back
> >
> > If you are a vendor and you nominally support EDNS can you please
> > check your software to ensure that it correctly handles unknown
> > EDNS options.
> >
> > Mark
> >
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations
mailing list