[dns-operations] DNS cookie bugs

Mark Andrews marka at isc.org
Thu Dec 7 22:56:34 UTC 2017


Azure’s servers echo EDNS options, so you get back only the CLIENT cookie.  There are others, see:
https://ednscomp.isc.org/compliance/gov-report.html

I really don’t understand how a DNS developer could decide that it was sensible to echo back data that the server does not understand.  Most of the servers that do this appeared on the net *after* RFC 6891 was published.  See: http://ednscomp.isc.org/compliance/ts/gov.optfail.html

Mark

floridahealthfinder.gov. @64.4.48.6 (ns2-06.azure-dns.net.): dns=ok edns=ok edns1=noerror,badversion edns at 512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
floridahealthfinder.gov. @2620:1ec:8ec::6 (ns2-06.azure-dns.net.): dns=ok edns=ok edns1=noerror,badversion edns at 512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
floridahealthfinder.gov. @13.107.24.6 (ns3-06.azure-dns.org.): dns=ok edns=ok edns1=noerror,badversion edns at 512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
floridahealthfinder.gov. @2a01:111:4000::6 (ns3-06.azure-dns.org.): dns=ok edns=ok edns1=noerror,badversion edns at 512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
floridahealthfinder.gov. @13.107.160.6 (ns4-06.azure-dns.info.): dns=ok edns=ok edns1=noerror,badversion edns at 512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
floridahealthfinder.gov. @2620:1ec:bda::6 (ns4-06.azure-dns.info.): dns=ok edns=ok edns1=noerror,badversion edns at 512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
floridahealthfinder.gov. @40.90.4.6 (ns1-06.azure-dns.com.): dns=ok edns=ok edns1=noerror,badversion edns at 512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
floridahealthfinder.gov. @2603:1061::6 (ns1-06.azure-dns.com.): dns=ok edns=ok edns1=noerror,badversion edns at 512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok

[rock:~/git/bind9] marka% dig floridahealthfinder.gov. @64.4.48.6 soa

; <<>> DiG 9.12.0rc1+hotspot+add-prefetch+marka <<>> floridahealthfinder.gov. @64.4.48.6 soa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1494
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: c6df57fe4b0e188d (echoed)
;; QUESTION SECTION:
;floridahealthfinder.gov.	IN	SOA

;; ANSWER SECTION:
floridahealthfinder.gov. 3600	IN	SOA	ns1-06.azure-dns.com. azuredns-hostmaster.microsoft.com. 1 3600 300 2419200 300

;; ADDITIONAL SECTION:
ns1-06.azure-dns.com.	3600	IN	A	40.90.4.6

;; Query time: 142 msec
;; SERVER: 64.4.48.6#53(64.4.48.6)
;; WHEN: Fri Dec 08 09:43:44 AEDT 2017
;; MSG SIZE  rcvd: 166


> On 8 Dec 2017, at 2:04 am, Tony Finch <dot at dotat.at> wrote:
> 
> Is anyone collecting details of servers that respond with bad DNS cookie
> options?
> 
> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
> Hebrides, Bailey: North or northwest gale 8 to storm 10, occasionally violent
> storm 11 at first in Hebrides. High or very high, occasionally phenomenal at
> first in Hebrides. Snow showers. Poor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
