[dns-operations] Improvements to EDNS compliance tester?
Jonathan Reed
jreed at akamai.com
Wed Oct 24 19:44:35 UTC 2018
On Wed, 24 Oct 2018, Mark Andrews wrote:
>> I know that timeouts can be a grey area thanks to well-known firewall vendors doing deep packet inspection, but if _all_ tests return the same failure (refused, timeout), that's a pretty good indicator that the problem has absolutely nothing to do with EDNS compliance.
>
> But it still means that there is a error that should be addressed.
>
Agreed, but my point is that there is "a error", not "an EDNS compliance
failure". What I'm suggesting is that although the tests are done in
parallel, the information is displayed at once. If all tests have failed
with the same error (possibly just restricting to "refused" and
"timeout"), the error text should be changed to say something along the
lines of "All tests for this authority have failed, this may also indicate
an underlying problem that is not related to EDNS compliance". If the
results for every test are "timeout", then you cannot conclusively say
that the authority is not compliant with EDNS0 -- you cannot conclusively
say anything about the authority. Similarly, an authority can return
REFUSED but still be completely compliant with EDNS0.
It doesn't even have to be conditional on the test results -- a single
line pointing out that if all tests fail with the same error, it may
indicate another problem, would go a long way.
As I said, this is being used by people who have no minimal understanding
of DNS. I have seen people test zones and mistakenly specify a server
that will (correctly) return REFUSED to all queries. This is counted as a
failure of the test, when really it's not.
Thanks,
-Jon
--
Jon Reed <jreed at akamai.com>
Senior Performance Engineer
Akamai Technologies
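One way to implement the reporting rule Jon proposes above (an added example written for this thread, not code from the ISC tester or from any poster): collect the per-test outcomes, and when every test failed with the same non-EDNS-specific outcome (REFUSED or timeout), report the run as inconclusive with the suggested caveat instead of as an EDNS failure; the unconditional one-line note he mentions is attached to every summary. The test names and outcome labels are assumptions, and the sample results are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

# Outcomes that can be produced by something other than EDNS handling:
# a packet-filtering middlebox (timeout) or querying a server that is not
# authoritative for the zone (REFUSED). On their own they carry no EDNS signal.
NON_EDNS_OUTCOMES = {"timeout", "refused"}

# The unconditional hint suggested in the thread; shown with every summary.
GENERAL_NOTE = ("If all tests fail with the same error, it may indicate a "
                "problem unrelated to EDNS compliance (wrong server, firewall).")


@dataclass(frozen=True)
class TestResult:
    name: str      # assumed test names, e.g. "dns", "edns", "edns1", "ednsopt"
    outcome: str   # "ok" or a short failure label such as "timeout", "refused"


def summarize(results: Sequence[TestResult]) -> Dict[str, Optional[object]]:
    """Aggregate per-test outcomes into a verdict plus an optional caveat.

    verdict is one of:
      "compliant"      - every test returned ok
      "inconclusive"   - every test failed with the same REFUSED/timeout outcome,
                         so nothing can be concluded about EDNS support
      "non-compliant"  - at least one EDNS-relevant failure
    """
    if not results:
        raise ValueError("no test results to summarize")

    failures = [r for r in results if r.outcome != "ok"]
    counts = Counter(r.outcome for r in failures)

    if not failures:
        return {"verdict": "compliant", "caveat": None,
                "failures": {}, "note": GENERAL_NOTE}

    uniform = len(failures) == len(results) and len(counts) == 1
    if uniform:
        (outcome,) = counts
        if outcome in NON_EDNS_OUTCOMES:
            caveat = ("All tests for this authority have failed with '%s'; this "
                      "may also indicate an underlying problem that is not "
                      "related to EDNS compliance." % outcome)
            return {"verdict": "inconclusive", "caveat": caveat,
                    "failures": dict(counts), "note": GENERAL_NOTE}

    return {"verdict": "non-compliant", "caveat": None,
            "failures": dict(counts), "note": GENERAL_NOTE}


if __name__ == "__main__":
    # Constructed sample: someone pointed the tester at a server that
    # (correctly) refuses every query for the zone.
    refused_run = [TestResult("dns", "refused"), TestResult("edns", "refused"),
                   TestResult("edns1", "refused"), TestResult("ednsopt", "refused")]
    print(summarize(refused_run))

    # Constructed sample: plain DNS works, EDNS queries are dropped.
    mixed_run = [TestResult("dns", "ok"), TestResult("edns", "timeout"),
                 TestResult("edns1", "timeout"), TestResult("ednsopt", "timeout")]
    print(summarize(mixed_run))
```

The distinction that matters is the plain "dns" query: when it succeeds but the EDNS variants fail, the failure is attributable to EDNS handling; when every query, including the plain one, fails the same way, the run says nothing about EDNS at all.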