[dns-operations] Improvements to EDNS compliance tester?
Jonathan Reed
jreed at akamai.com
Wed Oct 24 20:26:53 UTC 2018
On Wed, 24 Oct 2018, Mark Andrews wrote:
>>
>> Agreed, but my point is that there is "an error", not "an EDNS
>> compliance failure". What I'm suggesting is that although the tests
>> are done in parallel, the information is displayed at once. If all
>> tests have failed with the same error (possibly just restricting to
>> "refused" and "timeout"), the error text should be changed to say
>> something along the lines of "All tests for this authority have failed,
>> this may also indicate an underlying problem that is not related to
>> EDNS compliance". If the results for every test are "timeout", then
>> you cannot conclusively say that the authority is not compliant with
>> EDNS0 -- you cannot conclusively say anything about the authority.
>> Similarly, an authority can return REFUSED but still be completely
>> compliant with EDNS0.
>
> If they are all TIMEOUT then the test has failed.
>
> If they are all REFUSED then the test has failed as EDNS compliance was
> not met. The EDNS(1) queries should be getting BADVERS. The same
> applies to SERVFAIL.
Sorry, I was overenthusiastic in my typing. They are not _all_ 'refused',
the tests that expect BADVERS (edns1, edns1opt) pass. So the server is
compliant with EDNS0, yet the results are highlighted in orange, and the
user gets a verbose error page indicating the server may not be
compliant.
I agree that in real life, it's not useful to have a zone delegated to
authorities that respond 'REFUSED', but it's also not a violation of RFC
6891.
-Jon
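To make the distinction in this exchange concrete, here is an added example (editor's code, not the ISC EDNS compliance tester's, nor anything posted by Jon or Mark). It builds raw DNS probes with an OPT RR carrying a chosen EDNS version, decodes the 12-bit extended RCODE of the reply (so BADVERS, which lives in the OPT EXTENDED-RCODE field, is recognised), and classifies a result table the way the thread proposes: all-TIMEOUT is inconclusive, all-REFUSED is a failure because EDNS(1) should have produced BADVERS, and REFUSED alongside BADVERS on the EDNS(1) probes is not an RFC 6891 violation. The probe names (dns, edns, edns1, edns1opt), the expected-result table and the use of option code 65001 (from the RFC 6891 local/experimental range) as the "unknown option" are assumptions made for this example; the real tester's probes differ.

```python
import socket
import struct
import sys

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 16: "BADVERS"}
TIMEOUT = "TIMEOUT"

# Probe names and expected replies are constructed for this example from the
# post's description; an EDNS(1) query must be answered with BADVERS (RFC 6891).
EXPECTED = {"dns": "NOERROR", "edns": "NOERROR",
            "edns1": "BADVERS", "edns1opt": "BADVERS"}
# probe name -> (EDNS version or None for plain DNS, include an unknown option)
PROBES = {"dns": (None, False), "edns": (0, False),
          "edns1": (1, False), "edns1opt": (1, True)}


def encode_name(name):
    """Wire-encode a domain name without compression."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_message(qname, flags=0x0100, edns_version=None, ext_rcode=0,
                  unknown_option=False, txid=0x1234):
    """Build a DNS message with one A/IN question and, if edns_version is set,
    an OPT RR advertising that EDNS version.  Also used to construct sample
    responses (set flags=0x8180 etc.) so the decoder can be exercised offline."""
    arcount = 0 if edns_version is None else 1
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    if edns_version is not None:
        # OPT: NAME=root, TYPE=41, CLASS=UDP payload size,
        # TTL = EXTENDED-RCODE(8) | VERSION(8) | DO(1) | Z(15)
        ttl = (ext_rcode << 24) | (edns_version << 16)
        # option code 65001 (assumed "unknown" option) with empty data
        rdata = struct.pack("!HH", 65001, 0) if unknown_option else b""
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, ttl, len(rdata)) + rdata
    return msg


def _skip_name(msg, off):
    """Advance past a possibly compressed name starting at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def response_rcode(msg):
    """Name of the extended RCODE: OPT EXTENDED-RCODE (high 8) + header RCODE (low 4)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ext = 0
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            ext = (ttl >> 24) & 0xFF
    code = (ext << 4) | (flags & 0xF)
    return RCODE_NAMES.get(code, "RCODE%d" % code)


def probe(server, qname, edns_version=None, unknown_option=False, timeout=2.0):
    """Send one UDP probe to server:53 and return its RCODE name, or TIMEOUT."""
    query = build_message(qname, edns_version=edns_version, unknown_option=unknown_option)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
        return response_rcode(data)
    except socket.timeout:
        return TIMEOUT
    finally:
        sock.close()


def run_tests(server, qname):
    return {name: probe(server, qname, v, o) for name, (v, o) in PROBES.items()}


def verdict(results):
    """Classify a result table as the thread suggests. Returns (code, message)."""
    outcomes = set(results.values())
    if outcomes == {TIMEOUT}:
        return ("inconclusive", "every test timed out; nothing can be concluded about EDNS")
    edns1 = [v for k, v in results.items() if k.startswith("edns1")]
    if edns1 and all(v == "BADVERS" for v in edns1):
        other = sorted(set(v for k, v in results.items()
                           if not k.startswith("edns1") and v != EXPECTED[k]))
        note = ("; other probes got %s, which is not an RFC 6891 violation" % ", ".join(other)) if other else ""
        return ("compliant", "EDNS(1) probes answered with BADVERS" + note)
    if len(outcomes) == 1:
        return ("failed", "all tests returned %s (EDNS(1) should get BADVERS); "
                "this may be an underlying problem unrelated to EDNS" % outcomes.pop())
    bad = sorted(k for k, v in results.items() if v != EXPECTED.get(k))
    return ("noncompliant", "unexpected result for " + ", ".join(bad))


if __name__ == "__main__":
    res = run_tests(sys.argv[1], sys.argv[2])   # e.g. 192.0.2.1 example.com
    print(res)
    print(verdict(res))
```

Run it as `python edns_probe.py <authority-ip> <zone>`; the result dict and verdict are printed. Note that a REFUSED-to-everything authority and a timing-out one both get a verdict that names the underlying problem rather than an orange "may not be EDNS compliant" banner, which is the reporting change being asked for.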