[dns-operations] 2600::a1 (ns1-auth.sprintlink.net)

Mark Andrews marka at isc.org
Thu Feb 16 21:02:53 UTC 2017


In message <CAGfsgR3bH1qEZ4g2-SLcBo5xHDpdw+1W5u-Jqxop=LBqAa-CYA at mail.gmail.com>
, Jim Popovitch writes:
> On Thu, Feb 16, 2017 at 3:00 PM, Gonzalo Muoz <gmunoz at nic.cl> wrote:
> > It looks like the sprintlink NS has a problem with DNS cookies. Using
> > dig 9.11.0-P1:
> >
> > $ dig @ns1-auth.sprintlink.net. ups.com mx
> > (...)
> > ;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 14540
> > (...)

ns1-auth.sprintlink.net is not RFC compliant.  STD 13 says FORMERR
is for "I do not understand".  BADVERS is for version negotiation
which involves checking the version field and saying whether you
support the requested version of the protocol or not.

I think the developers of the server being used here saw a EDNS
options a indication that the request should have been a EDNS version
!= 0 query so they sent back BADVERS which is a use of the rcode
outside of that specified in RFC 2671.

RFC 6891 tighted the expected behaviour with respect to unknown
EDNS options and this behaviour is clearly out of spec for RFC 6891
as unknown options are to be ignored.  Now it would have been nice
to have bumped the EDNS version for RFC 6891, yes it was considered,
but DNS vendors returning FORMERR to EDNS(1) w/ EDNS options and
firewall vendors having default setups dropping EDNS(1) queries
made that impracticable.

Mark

> > $ dig @ns1-auth.sprintlink.net. ups.com mx +nocookie
> > (...)
> > ;; ANSWER SECTION:
> > ups.com.                300     IN      MX      10 email-vip.ups.com.
> > ups.com.                300     IN      MX      10 email2-vip.ups.com.
> > (...)
> >
>
> Ahh! That's it.
>
> Interestingly enough bind does seem to always figure out the data it
> needs by continuing to query other NSes.
>
> Thanks!!
>
> -Jim P.
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



More information about the dns-operations mailing list