[dns-operations] Is this valid edns0 query?

Mark Andrews marka at isc.org
Fri Oct 10 22:10:11 UTC 2014


20732 is a little small for an experimental option code but the server
should be ignoring it anyway if it doesn't understand it.

Firewalls are just too picky over DNS queries.  It is well formed;
it should be passed.  Let the nameserver behind deal with it.  About
5-6% of nameserver / firewall combinations get this wrong.  There
are well defined behaviours specified in RFC 6891 for how to handle
unknown EDNS options, versions and flags.  The firewall doesn't
need to scrub queries setting any of these.

If your nameserver / firewall is not doing the right thing then
you need to FIX IT!

I'm going to be talking about EDNS compliance at IETF but if you
want to see some pretty graphs http://users.isc.org/~marka/ts.html.

Look for the Firewalls by Type graphs.

The kinks in the AU graphs at the end are due to the graphs being
done on partial datasets.  The run takes a little over 24 hours to
complete and the properties are not uniform over the dataset, so
disregard the last data point.

Mark


In message <CAEU_gmeZ8JCgw8adKiR8CDp0ackiVvFwuyvY1rpv4JKD9DtHhw at mail.gmail.com>
, Mohamed Lrhazi writes:
> 
> F5 are asking me for time to debug.. while Google is saying "All our
> appliances do this, nobody else is complaining...".. Just saying, I prefer
> the former response so far.
> 
> Thanks,
> Mohamed.
> 
> On Fri, Oct 10, 2014 at 3:20 PM, Jared Mauch <jared at puck.nether.net> wrote:
> 
> >
> > > On Oct 10, 2014, at 2:54 PM, Hugo Salgado <hsalgado at nic.cl> wrote:
> > >
> > >
> > > On 10/10/2014 03:24 PM, Roland Dobbins wrote:
> > >>
> > >> On Oct 11, 2014, at 1:07 AM, Mohamed Lrhazi <
> > Mohamed.Lrhazi at georgetown.edu> wrote:
> > >>
> > >>> The appliance vendor, Google, tells me that edns0 opt code 20732 must
> > be "the service name", whatever that means....
> > >>
> > >> I don't know what that means in the context of a non-SRV query . . .
> > can you turn off the F5's 'malformed DNS query' scrubbing and see what
> > happens?
> > >>
> > >
> > > Well... F5 is known for misbehavior with its aggressive filtering,
> > > even with AAAA records some time ago:
> > >  http://hugo.salga.do/post/50030273426/quad-a-blocking-in-dns
> >
> > I've never had success with F5 and DNS packet handling properly going all
> > the way back to Nov 1998 timeframe.  One of their engineers was
> > troubleshooting it in our offices of my employer at the time and ended up
> > upset and saying "why doesn't this work" when it was broken vs being able
> > to properly triage it.
> >
> > I'm expecting someone from F5 to email me because at the time when I
> > posted about the issue on NANOG they were aggressive in trying to defend a
> > public view of their product and legitimate technical problems.
> >
> > - Jared
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> > dns-jobs mailing list
> > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> >
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
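The RFC 6891 behaviour Mark refers to above, worked through as an added example (written for this archive page; it is not ISC or BIND code and was not posted in the thread). It builds a query carrying an OPT RR with option code 20732, parses it back, and shows what a compliant responder does with it: unknown OPTION-CODEs are ignored (section 6.1.2), undefined flag bits are ignored (6.1.4), and only an unsupported VERSION is refused with RCODE BADVERS (6.1.3). The two firewall functions contrast the correct "pass anything that parses" policy with the scrubbing behaviour discussed in the thread. All names are mine; KNOWN_OPTIONS is a constructed stand-in for whatever options a given responder actually implements, and build_query/parse_opt handle only the minimal wire format needed here.

```python
"""Minimal EDNS(0) (RFC 6891) wire-format builder, parser and responder
policy.  Constructed example; not ISC/BIND code."""
import struct

OPT_TYPE = 41            # OPT pseudo-RR type
EDNS_VERSION = 0         # the only version defined by RFC 6891
RCODE_BADVERS = 16       # extended RCODE for an unsupported VERSION
DO_FLAG = 0x8000         # the only EDNS flag RFC 6891 defines (DNSSEC OK)
# Assumed set of option codes this responder implements (illustrative only).
KNOWN_OPTIONS = {3: "NSID", 8: "edns-client-subnet"}


def encode_name(name):
    """Uncompressed wire-format owner name."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, edns=True, option_code=None, option_data=b"",
                version=EDNS_VERSION, flags=0, udp_size=4096):
    """Standard query, optionally with an OPT RR carrying one EDNS option."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    if not edns:
        return header + question
    rdata = b""
    if option_code is not None:
        rdata = struct.pack("!HH", option_code, len(option_data)) + option_data
    # OPT "TTL" = extended-RCODE(8) | VERSION(8) | flags(16); "class" = UDP size
    ttl = (version << 16) | flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, len(rdata)) + rdata
    return header + question + opt


def _skip_name(pkt, off):
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes
            return off + 2
        off += 1 + length


def parse_opt(pkt):
    """Return the decoded OPT RR (or None if the query has no EDNS).
    Raises ValueError / struct.error / IndexError on a truly malformed message."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4             # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        options, p = [], 0
        while p + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            options.append((code, rdata[p + 4:p + 4 + olen]))
            p += 4 + olen
        if p != len(rdata):
            raise ValueError("malformed OPT RDATA")
        return {"udp_size": rclass, "ext_rcode": ttl >> 24,
                "version": (ttl >> 16) & 0xFF, "flags": ttl & 0xFFFF,
                "options": options}
    return None


def server_disposition(pkt):
    """What an RFC 6891 compliant responder does with this query."""
    opt = parse_opt(pkt)
    if opt is None:
        return {"action": "answer", "edns": False, "ignored_options": [], "ignored_flags": 0}
    if opt["version"] != EDNS_VERSION:
        # 6.1.3: unsupported VERSION -> RCODE BADVERS with the highest version we speak
        return {"action": "badvers", "edns": True, "rcode": RCODE_BADVERS,
                "version": EDNS_VERSION, "ignored_options": [], "ignored_flags": 0}
    # 6.1.2: unknown OPTION-CODEs MUST be ignored; 6.1.4: undefined flags MUST be ignored
    unknown = [code for code, _ in opt["options"] if code not in KNOWN_OPTIONS]
    return {"action": "answer", "edns": True, "ignored_options": unknown,
            "ignored_flags": opt["flags"] & ~DO_FLAG & 0xFFFF}


def compliant_firewall(pkt):
    """Pass anything that parses as DNS; leave EDNS semantics to the nameserver."""
    try:
        parse_opt(pkt)
        return True
    except (ValueError, IndexError, struct.error):
        return False


def overzealous_firewall(pkt):
    """The failure mode in the thread: an unknown option code treated as 'malformed'."""
    if not compliant_firewall(pkt):
        return False
    opt = parse_opt(pkt)
    return opt is None or all(code in KNOWN_OPTIONS for code, _ in opt["options"])
```

Run against `build_query("example.com.", option_code=20732, option_data=b"svc")`: the compliant firewall passes it, the responder answers normally and simply drops option 20732 from consideration, while the overzealous firewall rejects it. Only a query with `version=1` produces the BADVERS path, and only a truncated or inconsistent OPT RDATA is actually malformed.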