[dns-operations] DNS cookies in a mixed resolver anycast environment

Mark Andrews marka at isc.org
Mon Jun 3 14:59:02 UTC 2019 


> On 3 Jun 2019, at 11:00 pm, Tobias S. Josefowitz <t.josefowitz at gmail.com> wrote:
> 
> On Mon, Jun 3, 2019 at 2:34 PM Ondřej Surý <ondrej at sury.org> wrote:
>> 
>> 
>> Let’s assume that DNS resolver sends EDNS enabled query, now you have three options:
>> 
>> 3. answer contains NOERROR without OPT —> the other side doesn’t understands EDNS, e.g. pre-EDNS server, process the answer as usual
> 
> Yes but - then again, RFC 6891 clearly states "Responders that choose
> not to implement the protocol extensions [...] MUST respond with a
> return code (RCODE) of FORMERR to messages containing an OPT record in
> the additional section [...]". And I still wonder why RFC 6891
> introduces an additional RTT for implementations choosing not to
> implement (in cases where the querying party is not already sending
> non-EDNS queries).
> 
> Or in other words, doing 3. is not technically standards compliant nowadays.
> 
>> So, when you want to implement new DNS server because you think DNS is easy, just don’t… and if you don’t listen, just make sure you are not in the 4th category.
> 
> The damage is long done and is serving an amount of users you might
> find surprising :)

There aren’t that many servers that return FORMERR to EDNS and copy the OPT record.

marka at ednscomp:~/tld-report % grep edns=formerr reports/alexa1m.2019-05-26T00:00:04Z | grep -v edns=formerr,noopt | wc
     184    2576   43977
marka at ednscomp:~/tld-report % grep edns=formerr reports/alexa1m.2019-05-26T00:00:04Z | grep -v edns=formerr,noopt | awk '{print $2}' | sort -u | wc
     116     116    1725
marka at ednscomp:~/tld-report % 

or even return a valid FORMERR

marka at ednscomp:~/tld-report % grep edns=formerr,noopt reports/alexa1m.2019-05-26T00:00:04Z | wc
     193    2702   52500
marka at ednscomp:~/tld-report % grep edns=formerr,noopt reports/alexa1m.2019-05-26T00:00:04Z | awk '{print $2}' | sort -u | wc
      71      71    1065
marka at ednscomp:~/tld-report % 

marka at ednscomp:~/tld-report % grep dns= reports/alexa1m.2019-05-26T00:00:04Z | grep -v dns=timeout | awk '{print $2}' | sort -u | wc
  206650  206650 3283227
marka at ednscomp:~/tld-report % 

The above is over all servers for the Alexa top 1m.

There is not a single server for all the zones in .GOV that returns FORMERR to a plain EDNS queries though
there are still some that ignore the OPT record.  https://ednscomp.isc.org/compliance/gov-full-report.html

EDNS aware servers that return FORMERR to EDNS options has gone from ~7% to ~1% and is still heading down.

______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the dns-operations mailing list