[dns-operations] DNS cookies in a mixed resolver anycast environment

Mark Andrews marka at isc.org
Fri May 31 23:30:36 UTC 2019


Or you treat all FORMERR as not supporting EDNS.

Setting qr=1 and the rcode to FORMERR and sending that back as a reply
is not valid DNS.  We have to mostly weed out those servers before we
can do FORMERR for EDNS options.

Mark

> On 1 Jun 2019, at 3:05 am, Ondřej Surý <ondrej at sury.org> wrote:
> 
> The whole point of DNS Flag Day is that we don’t have any obligation to resolve domains running on broken DNS servers. It has become “fix your sh^Htuff” instead of “fix our stuff” as it was before.
> 
> Also it’s perfectly OK (on a technical level) to not support EDNS, but in this particular case (p4.no) it’s the fact that the server returns FORMERR + OPT RR that’s causing the resolution failure, as 6891 says:
> 
> > Responders that choose not to implement the protocol extensions defined in this document MUST respond with a return code (RCODE) of FORMERR to messages containing an OPT record in the additional section and MUST NOT include an OPT record in the response.
> 
> Cheers,
> Ondrej
> --
> Ondřej Surý <ondrej at sury.org>
> 
> On 31 May 2019, at 18:01, sthaug at nethelp.no wrote:
> 
>>> During the period, the oldest encounter and one of the most critical was a 17 year old Authoritative Servers running Windows DNS. They have now fixed this, it took around 6 months for them. I believe they were not alone. 
>>> 
>>> Just because 99.9% looks OK in statistics does not mean that it really works in real life scenarios. Businesses and Government organs still think that "DNS is old and easy service, we do not need to update". 
>>> 
>>> Even if and when we reach out, there are instances that do not listen and still think it is our fault. 
>> 
>> And there are authors of DNS software out there who have no plans to
>> implement EDNS (not even minimalist correct answers) - read the mail
>> thread at
>> 
>>       https://mailman.powerdns.com/mailman/listinfo/pdns-users
>> 
>> and weep. No, it's not really about PowerDNS.
>> 
>> Steinar Haug, AS2116
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
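
An added example, not part of the original message or of any poster's code: a Python classifier that separates the three FORMERR behaviours argued over in this thread (the request sent back with qr=1, FORMERR with an OPT RR, and FORMERR without one). The sample packets, function names and labels are constructed for illustration.

```python
import struct

FORMERR, OPT = 1, 41  # RCODE 1; OPT pseudo-RR type from RFC 6891

def build(flags, with_opt, udp=4096):
    """Constructed sample message: one question, optionally one OPT RR."""
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp, 0, 0) if with_opt else b""
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, int(with_opt))
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def has_opt(msg):
    """True if the additional section carries an OPT record."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT and i >= an + ns:
            return True
    return False

def classify(query, reply):
    """Label a reply to an EDNS query by the cases argued in the thread."""
    flags = struct.unpack("!H", reply[2:4])[0]
    if not flags & 0x8000 or flags & 0xF != FORMERR:
        return "other"
    if reply[:2] + reply[4:] == query[:2] + query[4:]:
        return "echoed-query"      # request sent back with QR=1 + FORMERR
    if has_opt(reply):
        return "formerr-with-opt"  # the FORMERR + OPT RR combination
    return "formerr-no-opt"        # what the quoted RFC text requires

QUERY = build(0x0000, True)              # constructed EDNS query
ECHO = build(0x8001, True)               # same bytes, QR=1, RCODE=FORMERR
WITH_OPT = build(0x8001, True, udp=512)  # FORMERR plus the server's own OPT
NO_OPT = build(0x8001, False)            # FORMERR, no OPT
print([classify(QUERY, r) for r in (ECHO, WITH_OPT, NO_OPT)])
```

A server that answers FORMERR with an OPT record byte-identical to the one in the query is indistinguishable from an echo by this comparison and is labelled as one.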




