[dns-operations] Improvements to EDNS compliance tester?
Reed, Jon
jreed at akamai.com
Wed Oct 24 16:58:09 UTC 2018
Hi all,
What's the preferred way to suggest improvements to the ISC EDNS compliance tester at https://ednscomp.isc.org/ednscomp/? File an issue against https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing? That seemed focused more on the command-line tool, and I'm not sure whether that's appropriate for the website or not.
We're running into issues because whatever host the tester is running on can't contact one of our IPv6 authorities (2600:1403:a::42). This is causing many sites to be flagged as non-compliant due to "timeout". While I'd love to fix the specific issue, I think the tester is a bit misleading in cases like this.
When the initial plain vanilla DNS query (dns=XXXXX) returns something other than NOERROR, is there much point in continuing with the test? I know that timeouts can be a grey area thanks to well-known firewall vendors doing deep packet inspection, but if _all_ tests return the same failure (refused, timeout), that's a pretty good indicator that the problem has absolutely nothing to do with EDNS compliance. Similarly, if the dns=XXXXX test fails, it's likely the case that something else is going on. It would be helpful to have text to this effect on the page, since, although the site may have been intended for DNS professionals, it appears to be used by people who have virtually no understanding of DNS, and simply want a "pass/fail" result for their site. For that audience, the two false positives I mentioned are unnecessarily alarming.
Thanks,
Jon
--
Jon Reed <jreed at akamai.com>
Senior Performance Engineer
Akamai Technologies
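
The triage proposed in this message, sketched as an added example that is not part of the original post or of ISC's tester: it separates "the server could not be reached at all" from a real EDNS finding before reporting pass/fail. The report-line layout, the `ok` pass value, the test names and the sample lines are constructed assumptions modelled on the `dns=...` result style mentioned above.

```python
import re

# Constructed sample lines; layout and the "ok" pass value are assumptions
# modelled on the tester's "dns=..." result style.
SAMPLE = """\
example.net. @192.0.2.1 (ns1.example.net.): dns=ok edns=ok edns1=ok do=ok ednsopt=ok
example.net. @2001:db8::42 (ns2.example.net.): dns=timeout edns=timeout edns1=timeout do=timeout ednsopt=timeout
example.net. @192.0.2.3 (ns3.example.net.): dns=ok edns=ok edns1=timeout do=ok ednsopt=ok
example.net. @192.0.2.4 (ns4.example.net.): dns=refused edns=refused edns1=refused do=refused ednsopt=refused
"""

LINE = re.compile(r"^\S+ @(\S+) \(\S+\): (.+)$")


def parse_line(line):
    """Return (server_address, {test_name: outcome}) or None if unparseable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    pairs = (tok.split("=", 1) for tok in m.group(2).split() if "=" in tok)
    return m.group(1), dict(pairs)


def triage(results):
    """Separate reachability problems from genuine EDNS findings."""
    baseline = results.get("dns")
    if baseline is None:
        return "inconclusive: no plain DNS baseline"
    if baseline != "ok":
        # Every probe failing identically points at the path, not at EDNS.
        if set(results.values()) == {baseline}:
            return f"not EDNS-related: every test returned {baseline}"
        return f"inconclusive: plain DNS query returned {baseline}"
    failed = sorted(name for name, out in results.items() if out != "ok")
    if failed:
        return "EDNS issue: " + ", ".join(failed)
    return "compliant"


def report(text):
    """Map each server address in a report to its triage verdict."""
    parsed = (parse_line(l) for l in text.splitlines())
    return {addr: triage(res) for addr, res in filter(None, parsed)}


if __name__ == "__main__":
    for addr, verdict in report(SAMPLE).items():
        print(f"{addr:>14}  {verdict}")
```
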