[dns-operations] need someone else to look at these servers

Florian Weimer fw at deneb.enyo.de
Sun Oct 19 13:59:12 UTC 2014


* Mark Andrews:

> Yet somehow firewall vendors choose to do everything BUT what they
> were instructed to do thereby causing a denial of service.

A lot of what you propose is quite reasonable, but requires extensive
gymnastics to align with the RFCs, which do not actually foster
interoperability in the way they impose certain requirements on
implementation behavior.  There were proposals to add better protocol
negotiation capabilities to DNS, but there wasn't enough interest in
them back when the IETF was still working on the protocol.

> Unknown types should get NOERROR, NXDOMAIN or YXDOMAIN as a response.

Real-world implementations disagree:

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norecurse +nsid @f.root-servers.net www.isc.org TYPE128
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 31534
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; NSID: 66 72 61 31 61 2e 66 2e 72 6f 6f 74 2d 73 65 72 76 65 72 73 2e 6f 72 67  (f) (r) (a) (1) (a) (.) (f) (.) (r) (o) (o) (t) (-) (s) (e) (r) (v) (e) (r) (s) (.) (o) (r) (g)
;; QUESTION SECTION:
;www.isc.org.			IN	TYPE128

;; Query time: 13 msec
;; SERVER: 192.5.5.241#53(192.5.5.241)
;; WHEN: Sun Oct 19 15:47:08 2014
;; MSG SIZE  rcvd: 68

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norecurse +nsid @f.root-servers.net www.isc.org MAILA +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 35585
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; NSID: 66 72 61 31 61 2e 66 2e 72 6f 6f 74 2d 73 65 72 76 65 72 73 2e 6f 72 67  (f) (r) (a) (1) (a) (.) (f) (.) (r) (o) (o) (t) (-) (s) (e) (r) (v) (e) (r) (s) (.) (o) (r) (g)
;; QUESTION SECTION:
;www.isc.org.			IN	MAILA

;; Query time: 12 msec
;; SERVER: 192.5.5.241#53(192.5.5.241)
;; WHEN: Sun Oct 19 15:48:22 2014
;; MSG SIZE  rcvd: 68

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norecurse +bufsize=1200 +nsid +dnssec @g.root-servers.net www.isc.org MAILA
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norecurse +bufsize=1200 +nsid +dnssec @g.root-servers.net www.isc.org TYPE10000
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

> Algorithm determines the response code.  NOTIMP is NOT the correct
> response to an unknown qtype based on RFC 1034.

What can I say—I agree, but that's not how existing DNS
implementations behave.

> Did I say REFLECT a packet?   I said CONSTRUCT a packet.  In
> particular one that is 12 bytes long, consisting of only a DNS
> packet header.

And you really want the client to process this response, even with the
QNAME mismatch?  Not sure if this is a good idea, unless you have very
good recovery code for spoofed FORMERRs.
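The last point above, that a header-only reply is tied to the outstanding query by nothing but its 16-bit ID, as an added example that is not part of the original thread: a small Python checker (constructed helper and function names, no real resolver's code) that builds the kind of queries shown in the dig output, and classifies a reply as "accept" (ID and question section match), "header-only" (ID matches but there is no question section to verify) or "reject".

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 6: "YXDOMAIN"}
QR = 0x8000                        # "this is a response" flag bit
HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qid, qname, qtype, qclass=1):
    """Header with QDCOUNT=1 and RD clear (as with dig +norecurse), then one question."""
    return HEADER.pack(qid, 0, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, qclass)

def build_response(qid, rcode, question=b""):
    """Constructed reply: header-only when `question` is empty, else echoing that question."""
    return HEADER.pack(qid, QR | rcode, 1 if question else 0, 0, 0, 0) + question

def question_end(msg, off=12):
    """Offset just past the first question, or None if it is truncated or uses compression."""
    while off < len(msg):
        n = msg[off]
        if n == 0:
            return off + 5 if off + 5 <= len(msg) else None
        if n & 0xC0:               # compression pointer inside the question: treat as malformed
            return None
        off += 1 + n
    return None

def classify_response(query, response):
    """Return (verdict, rcode name): verdict is 'accept', 'header-only' or 'reject'."""
    if len(response) < HEADER.size:
        return ("reject", None)
    rid, flags, qdcount = struct.unpack("!HHH", response[:6])
    rcode = RCODES.get(flags & 0x0F, str(flags & 0x0F))
    if rid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return ("reject", rcode)
    if qdcount == 0 or len(response) == HEADER.size:
        # Only the 16-bit ID ties this to our question, so the error code is unverified:
        # a resolver should not abort or poison the lookup on that evidence alone.
        return ("header-only", rcode)
    qend, rend = question_end(query), question_end(response)
    if qend is None or rend is None:
        return ("reject", rcode)
    # Exact-byte match of QNAME/QTYPE/QCLASS; matching case exactly is what lets
    # 0x20 mixed-case queries add entropy beyond the ID.
    if query[12:qend] != response[12:rend]:
        return ("reject", rcode)
    return ("accept", rcode)
```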