[dns-operations] Non-EDNS FORMERR with qdcount==0?

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Nov 18 09:06:57 UTC 2019


EDNS(0) queries to the (protocol-violating w.r.t. unexpected QTYPES)
nameservers for mail.protection.outlook.com, which don't support EDNS(0),
elicit a response which fails to include a copy of the original question
(see below).  Is this valid?

My response validation logic checks not only the source IP and transaction id,
but also looks for a matching question, and discards the response otherwise, so
I don't see the FORMERR, and retry without EDNS(0) when the server leaves out
the question.

MUST servers reflect the question (on error?) or can they leave it out?  Is
FORMERR special in this regard (not being an answer to a question), but an
error processing my query packet?

FWIW, "unbound-host" handles the "empty" FORMERR response, and retries the
query without EDNS.  Is unbound-host doing what's expected, or employing
a work-around for known breakage?

-- 
    Viktor.

Domain Name System (query)
    Transaction ID: 0x2acf
    Flags: 0x0020 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..1. .... = AD bit: Set
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        _25._tcp.nist-gov.mail.protection.outlook.com: type TLSA, class IN
            Name: _25._tcp.nist-gov.mail.protection.outlook.com
            [Name Length: 45]
            [Label Count: 7]
            Type: TLSA (52)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (41)
            UDP payload size: 1232
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x0000
                0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
                .000 0000 0000 0000 = Reserved: 0x0000
            Data length: 0

Domain Name System (response)
    Transaction ID: 0x2acf
    Flags: 0x8001 Standard query response, Format error
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0001 = Reply code: Format error (1)
    Questions: 0
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
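The validation logic the post describes (transaction id plus a matching question section, with the empty FORMERR either discarded or treated as a cue to retry without EDNS) can be written out in a few dozen lines. The following is an added illustration, not code from the post, from unbound, or from any resolver; the function names, the `strict` policy switch and the minimal query/response builders are assumptions made for the example, and the sample messages are constructed to match the captured query and response above.

```python
import struct

FORMERR = 1        # RCODE 1, as in the captured response
OPT_TYPE = 41      # EDNS(0) pseudo-RR type
TLSA_TYPE = 52

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus the root byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off, hops=0):
    """Decode a (possibly compressed) name at msg[off]; return (name, offset_after)."""
    labels = []
    while True:
        if hops > 16:
            raise ValueError("compression pointer loop")
        length = msg[off]
        if (length & 0xC0) == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr, hops + 1)
            parts = labels + ([tail.rstrip(".")] if tail != "." else [])
            return ".".join(parts) + ".", off + 2
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + length].decode("ascii").lower())  # case-insensitive compare
        off += length

def build_query(txid, qname, qtype, qclass=1, edns=True, udp_size=1232):
    """Constructed query: flags 0x0020 (AD set, RD clear) like the capture, optional OPT RR."""
    msg = struct.pack("!HHHHHH", txid, 0x0020, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, qclass)
    if edns:
        # OPT RR: root owner, type 41, CLASS = UDP payload size, TTL = ext-RCODE/version/flags, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return msg

def build_response(txid, rcode, question=None):
    """Constructed response: echo the question (qdcount=1) or leave it out (qdcount=0)."""
    msg = struct.pack("!HHHHHH", txid, 0x8000 | (rcode & 0xF), 1 if question else 0, 0, 0, 0)
    if question:
        name, qtype, qclass = question
        msg += encode_name(name) + struct.pack("!HH", qtype, qclass)
    return msg

def parse_message(msg):
    """Header fields plus the question section; answer/authority/additional are not needed here."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    return {"txid": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qdcount": qd, "arcount": ar, "questions": questions}

def validate_response(query, response, strict=True):
    """Return 'accept', 'discard' or 'retry_without_edns'.
    Source address/port matching is assumed to have been done by the caller (socket layer)."""
    q, r = parse_message(query), parse_message(response)
    if not r["is_response"] or r["txid"] != q["txid"]:
        return "discard"
    if r["questions"] and r["questions"][0] == q["questions"][0]:
        return "accept"                      # question echoed and matches; rcode is the caller's business
    if r["qdcount"] == 0 and r["rcode"] == FORMERR and q["arcount"] > 0:
        # Empty FORMERR to an EDNS query. Strict policy (the post's validator) cannot match it
        # to a question and drops it; lenient policy reads it as "no EDNS here" and re-asks plainly.
        return "discard" if strict else "retry_without_edns"
    return "discard"

if __name__ == "__main__":
    QNAME = "_25._tcp.nist-gov.mail.protection.outlook.com"
    query = build_query(0x2ACF, QNAME, TLSA_TYPE)
    empty_formerr = build_response(0x2ACF, FORMERR)              # the captured response: qdcount 0
    print(validate_response(query, empty_formerr))               # discard
    print(validate_response(query, empty_formerr, strict=False)) # retry_without_edns
```

With `strict=True` the empty FORMERR is silently dropped and the query times out, which is exactly the symptom in the post; with `strict=False` the caller is told to resend the same question without the OPT record, which is the behaviour observed from unbound-host. A FORMERR that does echo the question is returned as `accept` in both modes, since it matches the question and the rcode is then visible to the caller.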
