[dns-operations] Is this valid edns0 query?

Mohamed Lrhazi Mohamed.Lrhazi at georgetown.edu
Sat Oct 11 05:14:15 UTC 2014


Thanks Mark. Where do I get the dig with +ednsopt?

root at 5df5dd95aeae:/# dig -v
DiG 9.10.1
root at 5df5dd95aeae:/# dig -h|grep edns
                 +subnet=addr        (Set edns-client-subnet option)
                 +[no]edns[=###]     (Set EDNS version) [0]
root at 5df5dd95aeae:/#
root at 5df5dd95aeae:/# dig +ednsopt=100
Invalid option: +ednsopt=100



On Fri, Oct 10, 2014 at 6:10 PM, Mark Andrews <marka at isc.org> wrote:

>
> 20732 is a little small for an experimental option code but the server
> should be ignoring it anyway if it doesn't understand it.
>
> Firewalls are just too picky over DNS queries.  If it is well formed
> it should be passed.  Let the nameserver behind deal with it.  About
> 5-6% of nameserver / firewall combinations get this wrong.  There
> are well defined behaviours specified in RFC 6891 for how to handle
> unknown EDNS options, versions and flags.  The firewall doesn't
> need to scrub queries setting any of these.
>
> If your nameserver / firewall is not doing the right thing then
> you need to FIX IT!
>
> I'm going to be talking about EDNS compliance at IETF but if you
> want to see some pretty graphs http://users.isc.org/~marka/ts.html.
>
> Look for the Firewalls by Type graphs.
>
> The kinks in the AU graphs at the end are due to the graphs being
> done on partial datasets.  The run takes a little over 24 hours to
> complete and the properties are not uniform over the dataset so
> disregard the last data point.
>
> Mark
>
>
> In message <CAEU_gmeZ8JCgw8adKiR8CDp0ackiVvFwuyvY1rpv4JKD9DtHhw at mail.gmail.com>, Mohamed Lrhazi writes:
> > F5 are asking me for time to debug.. while Google is saying "All our
> > appliances do this, nobody else is complaining...".. Just saying, I prefer
> > the former response so far.
> >
> > Thanks,
> > Mohamed.
> >
> > On Fri, Oct 10, 2014 at 3:20 PM, Jared Mauch <jared at puck.nether.net> wrote:
> >
> > >
> > > > On Oct 10, 2014, at 2:54 PM, Hugo Salgado <hsalgado at nic.cl> wrote:
> > > >
> > > >
> > > > On 10/10/2014 03:24 PM, Roland Dobbins wrote:
> > > >>
> > > >> On Oct 11, 2014, at 1:07 AM, Mohamed Lrhazi <Mohamed.Lrhazi at georgetown.edu> wrote:
> > > >>
> > > >>> The appliance vendor, Google, tells me that edns0 opt code 20732 must
> > > >>> be "the service name", whatever that means....
> > > >>
> > > >> I don't know what that means in the context of a non-SRV query . . .
> > > >> can you turn off the F5's 'malformed DNS query' scrubbing and see what
> > > >> happens?
> > > >>
> > > >
> > > > Well... F5 is known for misbehavior with its aggressive filtering,
> > > > even with AAAA records some time ago:
> > > >  http://hugo.salga.do/post/50030273426/quad-a-blocking-in-dns
> > >
> > > I’ve never had success with F5 and DNS packet handling properly going all
> > > the way back to Nov 1998 timeframe.  One of their engineers was
> > > troubleshooting it in our offices of my employer at the time and ended up
> > > upset and saying “why doesn’t this work” when it was broken vs being able
> > > to properly triage it.
> > >
> > > I’m expecting someone from F5 to email me because at the time when I
> > > posted about the issue on NANOG they were aggressive in trying to
> > > defend a public view of their product and legitimate technical problems.
> > >
> > > - Jared
> > > _______________________________________________
> > > dns-operations mailing list
> > > dns-operations at lists.dns-oarc.net
> > > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> > > dns-jobs mailing list
> > > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> > >
> >
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>
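The kind of query this thread is about, as an added example that is not from the thread, from BIND or from any of the posters: a Python builder for an ordinary A query whose OPT RR carries a single option with the code 20732 Mohamed mentions, and a parser that checks the OPT RR the way RFC 6891 expects, raising only on real malformation (truncated RDATA, an option length that overruns it) and merely reporting unknown option codes instead of rejecting them, which is the behaviour Mark says a firewall should have. The qname and option data are constructed values; only NSID (code 3) and client-subnet (code 8) are listed as known codes.

```python
import struct
# IANA-registered option codes this checker recognises; any other code is
# "unknown" and, per RFC 6891 s6.1.2, must be ignored rather than rejected.
KNOWN_OPTIONS = {3: "NSID", 8: "edns-client-subnet"}

def build_edns_query(qname, opt_code, opt_data=b"", txid=0x1234, udp_size=4096):
    """Wire-format A query with one EDNS0 OPT RR carrying a single option TLV."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)      # RD=1, ARCOUNT=1
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)                            # QTYPE=A, QCLASS=IN
    rdata = struct.pack("!HH", opt_code, len(opt_data)) + opt_data  # OPTION-CODE, OPTION-LENGTH, DATA
    # OPT pseudo-RR: root NAME, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE/version 0/DO+Z (all zero)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, len(rdata)) + rdata
    return header + question + opt

def _skip_name(msg, off):
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def parse_opt(msg):
    """Decode the OPT RR of a DNS message; raise ValueError only for real malformation."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                      # QNAME, then QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != 41:
            continue
        if len(rdata) != rdlen:
            raise ValueError("OPT RDATA truncated")
        options, p = [], 0
        while p + 4 <= len(rdata):                          # walk the option TLVs
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            if p + 4 + olen > len(rdata):
                raise ValueError("option length overruns OPT RDATA")
            options.append((code, KNOWN_OPTIONS.get(code, "unknown"), rdata[p + 4:p + 4 + olen]))
            p += 4 + olen
        if p != len(rdata):
            raise ValueError("trailing bytes after last option")
        return {"udp_size": rclass, "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000), "options": options}
    raise ValueError("no OPT RR present")
```

The query with code 20732 parses cleanly with the option reported as unknown, so a middlebox that drops it is scrubbing a well-formed packet; only the truncated and overrun variants are actually malformed.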