[dns-operations] Non-EDNS FORMERR with qdcount==0?
Mark Andrews
marka at isc.org
Mon Nov 18 10:35:34 UTC 2019
FORMERR without a question section is valid. What happens when you can’t
decode the question section? If the question section is there and it is
a QUERY then the question should match.
> On 18 Nov 2019, at 20:06, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> EDNS(0) queries to the (protocol-violating w.r.t. unexpected QTYPES)
> nameservers for mail.protection.outlook.com, which don't support EDNS(0),
> elicit a response which fails to include a copy of the original question
> (see below). Is this valid?
>
> My response validation logic checks not only the source IP and transaction id,
> but also looks for a matching question, and discards the response otherwise, so
> I don't see the FORMERR, and retry without EDNS(0) when the server leaves out
> the question.
>
> MUST servers reflect the question (on error?) or can they leave it out? Is
> FORMERR special in this regard (not being an answer to a question), but an
> error processing my query packet?
>
> FWIW, "unbound-host" handles the "empty" FORMERR response, and retries the
> query without EDNS. Is unbound-host doing what's expected, or employing
> a work-around for known breakage?
>
> --
> Viktor.
>
> Domain Name System (query)
> Transaction ID: 0x2acf
> Flags: 0x0020 Standard query
> 0... .... .... .... = Response: Message is a query
> .000 0... .... .... = Opcode: Standard query (0)
> .... ..0. .... .... = Truncated: Message is not truncated
> .... ...0 .... .... = Recursion desired: Don't do query recursively
> .... .... .0.. .... = Z: reserved (0)
> .... .... ..1. .... = AD bit: Set
> .... .... ...0 .... = Non-authenticated data: Unacceptable
> Questions: 1
> Answer RRs: 0
> Authority RRs: 0
> Additional RRs: 1
> Queries
> _25._tcp.nist-gov.mail.protection.outlook.com: type TLSA, class IN
> Name: _25._tcp.nist-gov.mail.protection.outlook.com
> [Name Length: 45]
> [Label Count: 7]
> Type: TLSA (52)
> Class: IN (0x0001)
> Additional records
> <Root>: type OPT
> Name: <Root>
> Type: OPT (41)
> UDP payload size: 1232
> Higher bits in extended RCODE: 0x00
> EDNS0 version: 0
> Z: 0x0000
> 0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
> .000 0000 0000 0000 = Reserved: 0x0000
> Data length: 0
>
> Domain Name System (response)
> Transaction ID: 0x2acf
> Flags: 0x8001 Standard query response, Format error
> 1... .... .... .... = Response: Message is a response
> .000 0... .... .... = Opcode: Standard query (0)
> .... .0.. .... .... = Authoritative: Server is not an authority for domain
> .... ..0. .... .... = Truncated: Message is not truncated
> .... ...0 .... .... = Recursion desired: Don't do query recursively
> .... .... 0... .... = Recursion available: Server can't do recursive queries
> .... .... .0.. .... = Z: reserved (0)
> .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
> .... .... ...0 .... = Non-authenticated data: Unacceptable
> .... .... .... 0001 = Reply code: Format error (1)
> Questions: 0
> Answer RRs: 0
> Authority RRs: 0
> Additional RRs: 0
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
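The validation rule the thread arrives at (match on transaction ID and QR bit; if a question section is present it must match the one sent; a FORMERR whose question section is absent is a legitimate error reply that should trigger a retry without EDNS) is shown below as an added example. This is not code from either poster or from unbound-host; the wire packets are constructed here from the fields in the quoted dump (transaction ID 0x2acf, TLSA query for _25._tcp.nist-gov.mail.protection.outlook.com with a 1232-byte OPT record, FORMERR reply with all section counts zero), and the function names are assumptions.

```python
import struct

# Constructed example: minimal DNS wire-format helpers plus a response
# classifier that accepts a question-less FORMERR instead of discarding it.
QTYPE_TLSA = 52
QTYPE_OPT = 41
QCLASS_IN = 1
RCODE_FORMERR = 1


def encode_name(name):
    """Encode a dotted name into uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a possibly compressed name; returns (lowercased name, next offset)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, bounded
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (end if jumped else offset)


def build_query(txid, qname, qtype, qclass=QCLASS_IN, edns_size=None):
    """Build a standard query; with edns_size set, append an OPT pseudo-RR."""
    arcount = 1 if edns_size is not None else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0020, 1, 0, 0, arcount)
    pkt += encode_name(qname) + struct.pack("!HH", qtype, qclass)
    if edns_size is not None:
        # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = 0, RDLEN = 0
        pkt += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_size, 0, 0)
    return pkt


def build_response(txid, flags, question=None):
    """Build a response header, optionally echoing one (qname, qtype, qclass)."""
    pkt = struct.pack("!HHHHHH", txid, flags, 1 if question else 0, 0, 0, 0)
    if question:
        qname, qtype, qclass = question
        pkt += encode_name(qname) + struct.pack("!HH", qtype, qclass)
    return pkt


def classify_response(query, response):
    """'match', 'formerr_noq' (FORMERR with qdcount == 0) or 'mismatch'."""
    if len(query) < 12 or len(response) < 12:
        return "mismatch"
    q_txid = struct.unpack("!H", query[:2])[0]
    r_txid, r_flags, r_qd = struct.unpack("!HHH", response[:6])
    if q_txid != r_txid or not (r_flags & 0x8000):  # txid and QR bit must agree
        return "mismatch"
    if r_qd == 0:
        # No question echoed: only acceptable as an error the server raised
        # while it could not (or would not) parse our question.
        return "formerr_noq" if (r_flags & 0x000F) == RCODE_FORMERR else "mismatch"
    try:  # a question is present, so it must be the one we sent
        q_name, q_off = decode_name(query, 12)
        r_name, r_off = decode_name(response, 12)
        q_rest = struct.unpack("!HH", query[q_off:q_off + 4])
        r_rest = struct.unpack("!HH", response[r_off:r_off + 4])
    except (ValueError, struct.error):
        return "mismatch"
    return "match" if (q_name, q_rest) == (r_name, r_rest) else "mismatch"


def next_action(query, response):
    """What a resolver should do: accept, retry without EDNS, or discard."""
    cls = classify_response(query, response)
    if cls == "match":
        return "accept"
    if cls == "formerr_noq":
        sent_opt = struct.unpack("!H", query[10:12])[0] > 0  # ARCOUNT > 0
        return "retry_without_edns" if sent_opt else "accept_formerr"
    return "discard"


QNAME = "_25._tcp.nist-gov.mail.protection.outlook.com"
QUERY = build_query(0x2ACF, QNAME, QTYPE_TLSA, edns_size=1232)
FORMERR_EMPTY = build_response(0x2ACF, 0x8001)  # flags from the quoted dump
```

Calling `next_action(QUERY, FORMERR_EMPTY)` yields `retry_without_edns`, which is the behaviour the thread attributes to unbound-host; a question-less reply with any RCODE other than FORMERR, or a reply that echoes a different question, is still discarded, so the transaction-ID and question checks that protect against spoofed answers are not weakened by accepting this one error form.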