[dns-operations] Improvements to EDNS compliance tester?

Mark Andrews marka at isc.org
Wed Oct 24 20:06:27 UTC 2018



> On 25 Oct 2018, at 6:44 am, Jonathan Reed <jreed at akamai.com> wrote:
> 
> 
> 
> On Wed, 24 Oct 2018, Mark Andrews wrote:
> 
>>>  I know that timeouts can be a grey area thanks to well-known firewall vendors doing deep packet inspection, but if _all_ tests return the same failure (refused, timeout), that's a pretty good indicator that the problem has absolutely nothing to do with EDNS compliance.
>> 
>> But it still means that there is an error that should be addressed.
>> 
> 
> Agreed, but my point is that there is "an error", not "an EDNS compliance failure".  What I'm suggesting is that although the tests are done in parallel, the information is displayed at once.  If all tests have failed with the same error (possibly just restricting to "refused" and "timeout"), the error text should be changed to say something along the lines of "All tests for this authority have failed, this may also indicate an underlying problem that is not related to EDNS compliance".   If the results for every test are "timeout", then you cannot conclusively say that the authority is not compliant with EDNS0 -- you cannot conclusively say anything about the authority.   Similarly, an authority can return REFUSED but still be completely compliant with EDNS0.

If they are all TIMEOUT then the test has failed.

If they are all REFUSED then the test has failed as EDNS compliance was not met.  The EDNS(1) queries should be getting BADVERS.  The same applies to SERVFAIL.

> It doesn't even have to be conditional on the test results -- a single line pointing out that if all tests fail with the same error, it may indicate another problem, would go a long way.

“TIMEOUT” is the only result that can appear for every result and that is pretty clear without extra documentation.  Every other result should differ if the server is EDNS compliant.  Every other result should differ if the server is STD13 compliant and not EDNS aware.

> As I said, this is being used by people who have not even a minimal understanding of DNS.  I have seen people test zones and mistakenly specify a server that will (correctly) return REFUSED to all queries.  This is counted as a failure of the test, when really it's not.

> Thanks,
> 
> -Jon
> 
> --
> Jon Reed <jreed at akamai.com>
> Senior Performance Engineer
> Akamai Technologies

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
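The reasoning Mark applies above (all TIMEOUT means the test could not run; all REFUSED or all SERVFAIL means the EDNS(1) probe did not get the BADVERS it should have; only then look at individual probes) can be made concrete in a few lines. The following is an added example written for this archive page, not code from ISC's EDNS compliance tester. The probe names ('dns', 'edns', 'edns1'), the result labels, the helper names and every wire message built here are assumptions made for illustration; the message layout and the BADVERS encoding follow RFC 1035 and RFC 6891.

```python
"""Interpreting EDNS compliance-test results, as argued in the thread.

Added example, not code from ISC's EDNS compliance tester.  The probe
names ('dns', 'edns', 'edns1'), the result labels and every constructed
wire message below are assumptions made for illustration.
"""
import struct

OPT = 41        # OPT pseudo-RR type (RFC 6891)
BADVERS = 16    # extended RCODE 16, "bad OPT version" (RFC 6891 s6.1.3)


def _skip_name(wire: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = wire[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes
            return off + 2
        off += 1 + length


def extended_rcode(wire: bytes) -> int:
    """Return the 12-bit RCODE of a response.

    The low 4 bits come from the header; if an OPT RR is present in the
    additional section, the top byte of its TTL field supplies the high
    8 bits.  BADVERS (16) is only expressible this way, which is why a
    plain REFUSED or SERVFAIL to an EDNS(1) query shows non-compliance.
    """
    flags, qd, an, ns, ar = struct.unpack('!HHHHH', wire[2:12])
    low = flags & 0x000F
    off = 12
    for _ in range(qd):                 # question: NAME QTYPE QCLASS
        off = _skip_name(wire, off) + 4
    for _ in range(an + ns):            # answer + authority RRs
        off = _skip_name(wire, off)
        rdlen = struct.unpack('!H', wire[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(ar):                 # additional section: look for OPT
        off = _skip_name(wire, off)
        rtype, _cls, ttl, rdlen = struct.unpack('!HHIH', wire[off:off + 10])
        if rtype == OPT:
            return ((ttl >> 24) & 0xFF) << 4 | low
        off += 10 + rdlen
    return low


def build_response(qname: str, header_rcode: int, ext_rcode=None) -> bytes:
    """Constructed minimal response (test data, not captured traffic)."""
    flags = 0x8000 | (header_rcode & 0xF)          # QR bit set
    arcount = 0 if ext_rcode is None else 1
    msg = struct.pack('!HHHHHH', 0x1234, flags, 1, 0, 0, arcount)
    for label in qname.rstrip('.').split('.'):
        msg += bytes([len(label)]) + label.encode('ascii')
    msg += b'\x00' + struct.pack('!HH', 1, 1)      # QTYPE A, QCLASS IN
    if ext_rcode is not None:                      # OPT RR, version 0
        msg += b'\x00' + struct.pack('!HHIH', OPT, 4096, ext_rcode << 24, 0)
    return msg


RCODE_LABEL = {0: 'noerror', 2: 'servfail', 5: 'refused', BADVERS: 'badvers'}


def label_response(wire) -> str:
    """Map a wire response (or None for no answer) to a result label."""
    if wire is None:
        return 'timeout'
    rc = extended_rcode(wire)
    return RCODE_LABEL.get(rc, f'rcode{rc}')


def classify(results: dict) -> str:
    """Apply the thread's reasoning to a {probe_name: label} table."""
    outcomes = set(results.values())
    if outcomes == {'timeout'}:
        return 'test failed: nothing answered, compliance cannot be judged'
    if outcomes in ({'refused'}, {'servfail'}):
        return 'not EDNS compliant: EDNS(1) probe should have got BADVERS'
    if results.get('edns1') == 'badvers':
        return 'EDNS compliant: EDNS(1) probe got BADVERS'
    return 'inspect individual probes'


if __name__ == '__main__':
    q = 'example.com.'
    probes = ('dns', 'edns', 'edns1')
    servers = {                                   # constructed behaviours
        'compliant': {'dns': build_response(q, 0), 'edns': build_response(q, 0, 0),
                      'edns1': build_response(q, 0, 1)},
        'refuses_all': {p: build_response(q, 5) for p in probes},
        'silent': {p: None for p in probes},
    }
    for name, answers in servers.items():
        table = {p: label_response(w) for p, w in answers.items()}
        print(f'{name:12s} {table} -> {classify(table)}')
```

Running it prints one line per constructed server. The 'silent' case is the only one where the verdict says nothing about EDNS, which is exactly the distinction Mark draws: a server that REFUSES everything has still answered, and a compliant one would have answered the EDNS(1) probe with BADVERS instead.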