[dns-operations] Microsoft can you please look into this.

Mark Andrews marka at isc.org
Fri Jan 27 22:22:28 UTC 2017


I believe this would still be under extended support for some
customers.

chickasaw-government-nsn.gov. @69.170.224.199 (ns6.chickasaw.net.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok optlist=formerr,subnet signed=ok ednstcp=ok

Returns FORMERR to EDNS options.
Returns FORMERR to EDNS(1) with EDNS options rather than returning BADVERS.

This combination was never permissible for EDNS.  BADVERS needs to
be returned to the EDNS(1) query so that the client can negotiate
the use of EDNS(0) if the server returns FORMERR on unknown EDNS
options based on RFC 2671.  Both are wrong for RFC 6891.  This sort
of misbehaviour is one of the reasons RFC 6891 did not bother to
bump the EDNS version number as doing so with this server was
pointless.  The other reason was the number of firewalls/servers
that dropped EDNS(1) queries.

Note: BIND 9.11.0 treats these servers as not supporting EDNS as
it sends queries with DNS COOKIES by default.  We are not going to
play "find the packet format that doesn't return FORMERR" beyond
sending a plain DNS query to the server on FORMERR to an EDNS query.

Additionally this server fails to correctly construct answers to
"version.bind txt ch" queries: no QR bit set, class not CH.

% dig version.bind txt ch +norec @69.170.224.199
;; Warning: query response not set
;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> version.bind txt ch +norec @69.170.224.199
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11923
;; flags: aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;version.bind.			CH	TXT

;; ANSWER SECTION:
version.bind.		1476526080 IN	TXT	"Microsoft DNS 6.0.6002 (1772487D)"

;; Query time: 361 msec
;; SERVER: 69.170.224.199#53(69.170.224.199)
;; WHEN: Sat Jan 28 08:16:56 EST 2017
;; MSG SIZE  rcvd: 76

% 

08:16:56.120065 IP 172.30.42.121.59541 > 69.170.224.199.53: 11923 [1au] TXT CHAOS? version.bind. (53)
	0x0000:  4500 0051 10e7 0000 4011 6cac ac1e 2a79
	0x0010:  45aa e0c7 e895 0035 003d d89f 2e93 0020
	0x0020:  0001 0000 0000 0001 0776 6572 7369 6f6e
	0x0030:  0462 696e 6400 0010 0003 0000 2910 0000
	0x0040:  0000 0000 0c00 0a00 0899 fcbb cae7 5159
	0x0050:  90
08:16:56.481135 IP 69.170.224.199.53 > 172.30.42.121.59541: 11923 [b2&3=0x400] [1a] [1au] TXT CHAOS? version.bind. (76)
	0x0000:  4500 0068 5e2e 0000 6e11 f14d 45aa e0c7
	0x0010:  ac1e 2a79 0035 e895 0054 7a70 2e93 0400
	0x0020:  0001 0001 0000 0001 0776 6572 7369 6f6e
	0x0030:  0462 696e 6400 0010 0003 c00c 0010 0001
	0x0040:  5802 0000 0022 214d 6963 726f 736f 6674
	0x0050:  2044 4e53 2036 2e30 2e36 3030 3220 2831
	0x0060:  3737 3234 3837 4429
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:	+61 2 9871 4742		         INTERNET: marka at isc.org
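
Added example (not part of the original message, and not ISC or BIND code): a short Python check that parses the DNS payload of the reply captured above and reports the two defects named in the post, the missing QR bit and the answer class that is not CH. The function names and defect labels are made up for this example; run on the captured bytes it also reports that the header counts one more record than the 76-byte message holds.

```python
import struct

# DNS payload of the reply captured in the post (the tcpdump bytes after
# the 20-byte IP header and 8-byte UDP header), copied from the page.
RESPONSE = bytes.fromhex(
    "2e93 0400"
    "0001 0001 0000 0001 0776 6572 7369 6f6e"
    "0462 696e 6400 0010 0003 c00c 0010 0001"
    "5802 0000 0022 214d 6963 726f 736f 6674"
    "2044 4e53 2036 2e30 2e36 3030 3220 2831"
    "3737 3234 3837 4429"
)

def skip_name(msg, off):
    """Return the offset just past the name that starts at off."""
    while True:
        n = msg[off]                  # IndexError if the message is cut short
        if n & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + n                  # length byte plus label
        if n == 0:                    # root label ends the name
            return off

def check_response(msg):
    """List the defects (labels are this example's own) in one DNS reply."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    defects = []
    if not flags & 0x8000:
        defects.append("no-qr")       # a reply must have the QR bit set
    off, qclass = 12, None
    try:
        for _ in range(qd):
            off = skip_name(msg, off)
            _qtype, qclass = struct.unpack_from("!HH", msg, off)
            off += 4
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            if off > len(msg):
                raise IndexError("rdata runs past end of message")
            # OPT (type 41) reuses the class field for the UDP payload size
            if rtype != 41 and rclass != qclass and "class-mismatch" not in defects:
                defects.append("class-mismatch")
    except (IndexError, struct.error):
        defects.append("count-mismatch")   # header promises more records
    return defects
```

check_response(RESPONSE) returns all three labels for the captured reply; a reply with QR set, the answer in class CH and matching section counts returns an empty list.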
