[dns-operations] Improvements to EDNS compliance tester?

Petr Špaček petr.spacek at nic.cz
Thu Oct 25 08:22:43 UTC 2018


On 24. 10. 18 21:44, Jonathan Reed wrote:
> On Wed, 24 Oct 2018, Mark Andrews wrote:
>>>   I know that timeouts can be a grey area thanks to well-known
>>> firewall vendors doing deep packet inspection, but if _all_ tests
>>> return the same failure (refused, timeout), that's a pretty good
>>> indicator that the problem has absolutely nothing to do with EDNS
>>> compliance.
>>
>> But it still means that there is a error that should be addressed.
>>
> 
> Agreed, but my point is that there is "a error", not "an EDNS compliance
> failure".  What I'm suggesting is that although the tests are done in
> parallel, the information is displayed at once.  If all tests have
> failed with the same error (possibly just restricting to "refused" and
> "timeout"), the error text should be changed to say something along the
> lines of "All tests for this authority have failed, this may also
> indicate an underlying problem that is not related to EDNS
> compliance".   If the results for every test are "timeout", then you
> cannot conclusively say that the authority is not compliant with EDNS0
> -- you cannot conclusively say anything about the authority.  
> Similarly, an authority can return REFUSED but still be completely
> compliant with EDNS0.
> 
> It doesn't even have to be conditional on the test results -- a single
> line pointing out that if all tests fail with the same error, it may
> indicate another problem, would go a long way.
> 
> As I said, this is being used by people who have no minimal
> understanding of DNS.  I have seen people test zones and mistakenly
> specify a server that will (correctly) return REFUSED to all queries. 
> This is counted as a failure of the test, when really it's not.

Are we talking about
web form on https://ednscomp.isc.org/ednscomp
OR
web form on https://dnsflagday.net/
?

1. ednscomp is quite clearly focused on DNS experts who know what they
are doing. Would it help if the form had text like this?
"If you are not an DNS expert please use simplified test tool on
dnsflagday.net."


2. dnsflagday.net web test is focused on "non-DNS people" and provides
summary of the ednscomp test (it uses the same logic under the hood).

I can imagine a new dnsflayday.net test result like "this domain is kind
of broken even BEFORE the flay day" but I'm not sure it is really worth
the effort.

After all the purpose of dnsflagday.net is to give people either "green
All Ok" if everything is *really* ok, and to recommend owners to contact
their DNS administrators who presumably know how to interpret ednscomp
results ...

To conclude, suggestions for wording changes on dnsflagday are welcome!


Petr Špaček  @  CZ.NIC


> 
> Thanks,
> 
> -Jon
> 
> -- 
> Jon Reed <jreed at akamai.com>
> Senior Performance Engineer
> Akamai Technologies



More information about the dns-operations mailing list