[dns-operations] EDNS vs DDOS scrubbing - was Re: Nice to see Amazon Route 53 remove the EDNS(1) filters for *.co.uk.

Mark Andrews marka at isc.org
Thu May 28 09:02:22 UTC 2015


In message <562cc134b2724b889f07ded8737c43f1 at HKNPR30MB017.064d.mgd.msft.net>, Kumar Ashutosh writes:
> I might be opening an already discussed question here (from RFC 6891):
> Any OPTION-CODE values not understood by a *responder or requestor
>    MUST be ignored*.  Specifications of such options might wish to
>    include some kind of signaled acknowledgement.  For example, an
>    option specification might say that if a responder sees and supports
>    option XYZ, it MUST include option XYZ in its response.
>
> This statement can be interpreted in multiple ways.
> Does it mean that, ignore the query altogether or
> Ignore the OPT value only and process the query as if it does not exist.

It says to ignore the option not the request.

> The responder may also choose to simply respond back with same OPT record
> as it received if it supports EDNS0/1 and respond with failure if it does
> not.

Not if you are implementing RFC 6891.

> If we are suggesting to drop the query altogether, it will impede the
> introduction of new OPT options (e.g. the client subnet one) as legacy
> machines will start dropping those packets with new OPT RRs.

You can see the expected behaviour with this query / response.  The
query has an EDNS EXPIRE option set (RFC 7314) which is not supported
by the server.  You still get back the SOA record but you don't get
back the expire option.

; <<>> DiG 9.11.0pre-alpha <<>> +qr +expire soa . @a.root-servers.net +noauth +noadd
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14277
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; EXPIRE
;; QUESTION SECTION:
;.				IN	SOA

;; QUERY SIZE: 32

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14277
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 25
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;.				IN	SOA

;; ANSWER SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2015052800 1800 900 604800 86400

;; Query time: 262 msec
;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
;; WHEN: Thu May 28 18:58:21 EST 2015
;; MSG SIZE  rcvd: 812

Mark

> Thanks
> Ashu
> Program Manager | Windows Networking| DNS & SDN

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
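The responder rules discussed in this thread (RFC 6891 section 6.1.2: an unknown OPTION-CODE is ignored and the query is still answered; section 6.1.3: an unsupported EDNS version gets BADVERS) as a small Python model. This is an added example, not code from the thread, from BIND or from dig. The option codes are the registered ones (NSID = 3 from RFC 5001, EXPIRE = 9 from RFC 7314, BADVERS = extended RCODE 16); the server identifier `ns1.example`, the transaction ID and the 1232-octet UDP size are constructed values. It goes slightly beyond the dig exchange above by also showing the BADVERS path for a version-1 query and a query with no OPT at all.

```python
"""Toy RFC 6891 responder: which EDNS options get echoed, which get ignored."""
import struct

OPT_TYPE = 41
OPT_NSID = 3        # RFC 5001: a supporting responder answers with its identifier
OPT_EXPIRE = 9      # RFC 7314: treated here as an option this server does not support
RCODE_BADVERS = 16  # 12-bit extended RCODE; its high 8 bits travel in the OPT TTL field
NSID_VALUE = b"ns1.example"  # constructed server identifier, not a real host


def build_opt_rr(udp_size, options, version=0, ext_rcode=0):
    """Serialize an OPT pseudo-RR (RFC 6891 s6.1.2): root NAME, TYPE 41,
    CLASS = UDP payload size, TTL = ext-rcode | version | flags, RDATA = options."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                     for code, data in options)
    ttl = (ext_rcode << 24) | (version << 16)   # DO bit and Z flags left clear
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, len(rdata)) + rdata


def parse_opt_rr(buf, pos):
    """Parse an OPT RR at pos -> (udp_size, ext_rcode, version, [(code, data)...], end)."""
    if buf[pos] != 0:
        raise ValueError("OPT owner name must be root")
    rtype, udp_size, ttl, rdlen = struct.unpack_from("!HHIH", buf, pos + 1)
    if rtype != OPT_TYPE:
        raise ValueError("not an OPT RR")
    pos += 11
    end = pos + rdlen
    options = []
    while pos < end:
        code, olen = struct.unpack_from("!HH", buf, pos)
        options.append((code, buf[pos + 4:pos + 4 + olen]))
        pos += 4 + olen
    return udp_size, ttl >> 24, (ttl >> 16) & 0xFF, options, end


def encode_name(name):
    """Wire-format a dotted name ('.' becomes a single zero octet)."""
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(buf, pos):
    """Offset just past a wire-format name (plain labels or a compression pointer)."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:   # two-octet compression pointer ends the name
            return pos + 2
        pos += 1 + length


def build_query(qname, qtype, options, udp_size=4096, version=0, txid=0x37C5):
    """Minimal query: header with RD set, one question, one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + build_opt_rr(udp_size, options, version)


def edns_response_plan(query, our_udp_size=1232):
    """Apply the RFC 6891 responder rules to the query's OPT RR.  Returns the 12-bit
    RCODE to send, the OPT RR to attach, the option codes honoured and the unknown
    codes silently ignored (the query itself is still processed in that case)."""
    _txid, _flags, qd, _an, _ns, ar = struct.unpack_from("!HHHHHH", query, 0)
    pos = 12
    for _ in range(qd):                       # step over the question section
        pos = skip_name(query, pos) + 4
    if ar == 0:                               # no OPT: plain DNS, reply carries no OPT either
        return {"rcode": 0, "opt": b"", "honoured": [], "ignored": []}
    _, _, version, options, _ = parse_opt_rr(query, pos)

    # s6.1.3: unsupported version -> BADVERS, OPT with our version 0 and no options
    if version != 0:
        return {"rcode": RCODE_BADVERS,
                "opt": build_opt_rr(our_udp_size, [], version=0, ext_rcode=RCODE_BADVERS >> 4),
                "honoured": [], "ignored": []}

    reply_options, honoured, ignored = [], [], []
    for code, data in options:
        if code == OPT_NSID:
            reply_options.append((OPT_NSID, NSID_VALUE))   # RFC 5001 asks us to answer it
            honoured.append(code)
        else:
            ignored.append(code)     # s6.1.2: ignore the option, not the request
    return {"rcode": 0, "opt": build_opt_rr(our_udp_size, reply_options),
            "honoured": honoured, "ignored": ignored}


if __name__ == "__main__":
    # Same shape as the dig exchange above: SOA for "." with an EXPIRE option the
    # server does not support; NSID is added so one option is answered and one dropped.
    q = build_query(".", 6, [(OPT_EXPIRE, b""), (OPT_NSID, b"")])
    print(edns_response_plan(q))
```

The model mirrors what the dig output shows: the reply's OPT comes back with the responder's own UDP size and without the EXPIRE option, and the answer section is unaffected. The BADVERS branch is the behaviour a middlebox "EDNS(1) filter" of the kind mentioned in the subject line would interfere with.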


