[dns-operations] Improvements to EDNS compliance tester?

Mark Andrews marka at isc.org
Wed Oct 24 19:27:21 UTC 2018 


> On 25 Oct 2018, at 3:58 am, Reed, Jon <jreed at akamai.com> wrote:
> 
> Hi all,
> 
> What's the preferred way to suggest improvements to the ISC EDNS compliance tester at https://ednscomp.isc.org/ednscomp/?   File an issue against https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing?   That seemed focused more on the command-line tool, and I'm not sure whether that's appropriate for the website or not.
> 
> We're running into issues because whatever host the tester is running on can't contact one of our IPv6 authorities (2600:1403:a::42).   This is causing many sites to be flagged as non-compliant due to "timeout".   While I'd love to fix the specific issue, I think the tester is a bit misleading in cases like this.

Which will be a routing issue almost certainly.  Bcc’d our operations people.

> When the initial plain vanilla DNS query (dns=XXXXX) returns something other than NOERROR, is there much point in continuing with the test?

Well the tests are done in parallel so by the time we know it is going to error the rest of the queries are already sent.

>   I know that timeouts can be a grey area thanks to well-known firewall vendors doing deep packet inspection, but if _all_ tests return the same failure (refused, timeout), that's a pretty good indicator that the problem has absolutely nothing to do with EDNS compliance.

But it still means that there is a error that should be addressed.

>   Similarly, if the dns=XXXXX test fails, it's likely the case that something else is going on.    It would be helpful to have text to this effect on the page, since although the site may have been intended for DNS professionals, suggesting it's being used by people who have virtually no understanding of DNS, and simply want a "pass/fail" result for their site.    For that audience, the two false positives I mentioned are unnecessarily alarming.
> 
> Thanks, 
> 
> Jon 
> 
> -- 
> Jon Reed <jreed at akamai.com>
> Senior Performance Engineer
> Akamai Technologies
> 
> 
> 
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the dns-operations mailing list