<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">Well the correct response when you don’t support EDNS is FORMERR. <div><br></div><div>That said there is no reason for any nameserver to not support EDNS. It’s been well over 20 years since EDNS was introduced and it only takes a couple of extra lines of code to have a conforming implementation. You don’t need to understand any options or EDNS flags. Ignoring unknown options is correct behaviour as is setting all the flags to zero in replies (if you don’t understand DNSSEC then DO is not copied). You don’t have to use a bigger UDP buffer. You do need to check the version field but that is about all. Sending back FORMERR rather than an EDNS response just doubles your traffic levels.</div><div><div dir="ltr">-- <div>Mark Andrews</div></div><div dir="ltr"><br><blockquote type="cite">On 6 Oct 2021, at 23:30, Martin George <Martin.George@nominet.uk> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr">
<div class="WordSection1">
<p class="MsoNormal">Hiya all,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m investigating an issue that is affecting a client of ours, they are seeing a high number of SERVFAILs for queries send to various children zones of .mail.protection.outlook.com. I’ve noticed that when querying for mail.protection.outlook.com,
and any child zones, directly against the authoritative nameservers listed in the nameserver records for that zone, I see a FORMERR response code and a warning that requests the disabling of EDNS when querying.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">To provide an example, I query the internet for the nameserver records of mail.protection.outlook.com, I’ve used Cloudflare to ensure that our corporate resolvers had no impact on the result.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI Symbol",sans-serif">❯</span> dig mail.protection.outlook.com NS @1.1.1.1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">; <<>> DiG 9.17.9 <<>> mail.protection.outlook.com NS @1.1.1.1<o:p></o:p></p>
<p class="MsoNormal">;; global options: +cmd<o:p></o:p></p>
<p class="MsoNormal">;; Got answer:<o:p></o:p></p>
<p class="MsoNormal">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25269<o:p></o:p></p>
<p class="MsoNormal">;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">;; OPT PSEUDOSECTION:<o:p></o:p></p>
<p class="MsoNormal">; EDNS: version: 0, flags:; udp: 1232<o:p></o:p></p>
<p class="MsoNormal">;; QUESTION SECTION:<o:p></o:p></p>
<p class="MsoNormal">;mail.protection.outlook.com. IN NS<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">;; ANSWER SECTION:<o:p></o:p></p>
<p class="MsoNormal">mail.protection.outlook.com. 10 IN NS ns1-proddns.glbdns.o365filtering.com.<o:p></o:p></p>
<p class="MsoNormal">mail.protection.outlook.com. 10 IN NS ns2-proddns.glbdns.o365filtering.com.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">;; Query time: 56 msec<o:p></o:p></p>
<p class="MsoNormal">;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)<o:p></o:p></p>
<p class="MsoNormal">;; WHEN: Wed Oct 06 11:39:15 BST 2021<o:p></o:p></p>
<p class="MsoNormal">;; MSG SIZE rcvd: 129<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Then querying mail.protection.outlook.com against ns1-proddns.glbdns.o365filtering.com, I expect to see an SOA, but instead I see a FORMERR<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI Symbol",sans-serif">❯</span> dig mail.protection.outlook.com soa @ns1-proddns.glbdns.o365filtering.com.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">; <<>> DiG 9.17.9 <<>> mail.protection.outlook.com soa @ns1-proddns.glbdns.o365filtering.com.<o:p></o:p></p>
<p class="MsoNormal">;; global options: +cmd<o:p></o:p></p>
<p class="MsoNormal">;; Got answer:<o:p></o:p></p>
<p class="MsoNormal">;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 10885<o:p></o:p></p>
<p class="MsoNormal">;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0<o:p></o:p></p>
<p class="MsoNormal">;; WARNING: recursion requested but not available<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">;; WARNING: EDNS query returned status FORMERR - retry with '+noedns'<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">;; Query time: 26 msec<o:p></o:p></p>
<p class="MsoNormal">;; SERVER: 104.47.72.81#53(104.47.72.81) (UDP)<o:p></o:p></p>
<p class="MsoNormal">;; WHEN: Wed Oct 06 11:41:06 BST 2021<o:p></o:p></p>
<p class="MsoNormal">;; MSG SIZE rcvd: 12<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I was wondering if anyone else has noticed this behaviour previously, and could provide any reasoning behind it? Is anyone else seeing failures with queries for mail.protection.outlook.com and any child zones of the aforementioned?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Many thanks! <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-GB">--<br>
Martin George<br>
DNS Engineer<br>
Nominet UK<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<span>_______________________________________________</span><br><span>dns-operations mailing list</span><br><span>dns-operations@lists.dns-oarc.net</span><br><span>https://lists.dns-oarc.net/mailman/listinfo/dns-operations</span><br></div></blockquote></div></body></html>
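The EDNS rules in Mark Andrews's reply, worked through in code. This is an added example, not code from the thread, from BIND or from the o365filtering nameservers: the one-record "zone", the two toy servers (one that answers any OPT RR with a bare 12-byte FORMERR, as dig reported above, and one that handles EDNS minimally) and the resolver's '+noedns'-style retry are all constructed assumptions. The conforming server checks only the OPT version, replies BADVERS to anything other than version 0, echoes an OPT RR with every flag zero (so DO is not copied), ignores any option it does not understand, advertises its own 512-byte buffer, and reserves FORMERR for packets that really are malformed. The retry loop counts packets so the "doubles your traffic" point is visible.

```python
"""Minimal EDNS(0) handling for an authoritative responder, per the rules in the reply above.
Constructed example: the 'zone', both servers and the resolver retry are illustrative assumptions."""
import struct

OPT, A, DO = 41, 1, 0x8000                                # DO = DNSSEC OK bit in the OPT TTL
RCODE_FORMERR, RCODE_NXDOMAIN, RCODE_BADVERS = 1, 3, 16   # 16 needs the OPT extended RCODE
ZONE = {("example.com.", A): bytes([192, 0, 2, 1])}        # constructed sample data

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    labels = []
    while msg[off] != 0:                          # IndexError on truncation -> FORMERR
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compression pointers not handled here")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def parse_message(msg, must_be_query=False):
    """Parse a query or response; raises ValueError/IndexError/struct.error if malformed."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, question, answers, opt = 12, None, [], None
    for _ in range(qd):
        name, off = decode_name(msg, off)
        question, off = (name, struct.unpack("!HH", msg[off:off + 4])[0]), off + 4
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
            if len(rdata) != rdlen: raise ValueError("truncated rdata")
            if rtype == OPT:                      # RFC 6891: one OPT, root name, additional only
                if section != "ar" or name != "." or opt is not None: raise ValueError("malformed OPT")
                opt = {"udp_size": rclass, "ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF,
                       "flags": ttl & 0xFFFF, "options": rdata}
            elif section == "an":
                answers.append((name, rtype, rdata))
    if off != len(msg) or (must_be_query and (flags & 0x8000 or question is None)):
        raise ValueError("trailing bytes or not a query")
    return {"id": qid, "flags": flags, "question": question, "answers": answers, "opt": opt}

def rcode(parsed):                                # 12-bit RCODE: header low 4 bits + OPT ext-rcode
    return ((parsed["opt"]["ext_rcode"] if parsed["opt"] else 0) << 4) | (parsed["flags"] & 0xF)

def build_query(qid, qname, qtype, edns_version=None, do=False, udp_size=1232, options=b""):
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0 if edns_version is None else 1)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns_version is not None:
        ttl = (edns_version << 16) | (DO if do else 0)
        msg += b"\x00" + struct.pack("!HHIH", OPT, udp_size, ttl, len(options)) + options
    return msg

def _header(qid, rc, qd, an, ar, aa=True):
    return struct.pack("!HHHHHH", qid, 0x8000 | (0x0400 if aa else 0) | (rc & 0xF), qd, an, 0, ar)
def _opt_rr(ext_rcode=0):
    # The whole EDNS contract for a server that understands no option: version 0, every flag
    # zero (DO deliberately not copied), empty RDATA, and our own modest receive buffer size.
    return b"\x00" + struct.pack("!HHIH", OPT, 512, ext_rcode << 24, 0)
def _formerr(query):                              # bare 12-byte reply, like the one in the thread
    return _header(struct.unpack("!H", query[:2].ljust(2, b"\0"))[0], RCODE_FORMERR, 0, 0, 0, aa=False)

def _answer(q, with_opt):
    qname, qtype = q["question"]
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata, answer, rc = ZONE.get((qname, qtype)), b"", 0
    if rdata is not None:
        answer = encode_name(qname) + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    elif not any(name == qname for name, _ in ZONE):
        rc = RCODE_NXDOMAIN
    tail = _opt_rr() if with_opt else b""
    return _header(q["id"], rc, 1, 1 if answer else 0, 1 if with_opt else 0) + question + answer + tail

def formerr_on_edns_server(query):
    """Misbehaving server: any OPT RR gets a bare FORMERR, the behaviour dig reported above."""
    try:
        q = parse_message(query, must_be_query=True)
    except (ValueError, IndexError, struct.error):
        return _formerr(query)
    return _formerr(query) if q["opt"] is not None else _answer(q, with_opt=False)

def edns_aware_server(query):
    """Conforming server: FORMERR only if malformed, BADVERS if version != 0, else echo a zeroed OPT."""
    try:
        q = parse_message(query, must_be_query=True)
    except (ValueError, IndexError, struct.error):
        return _formerr(query)
    if q["opt"] is not None and q["opt"]["version"] != 0:   # BADVERS: 0 in header, 1 in ext-rcode
        return (_header(q["id"], 0, 1, 0, 1) + encode_name(q["question"][0])
                + struct.pack("!HH", q["question"][1], 1) + _opt_rr(RCODE_BADVERS >> 4))
    return _answer(q, with_opt=q["opt"] is not None)       # options and DO silently ignored

def resolve(server, qname, qtype):
    """Resolver-side fallback like dig's '+noedns' retry: returns (parsed_response, queries_sent)."""
    sent, resp = 0, b""
    for version in (0, None):                     # once with EDNS, then once more without
        resp = server(build_query(0x2A2A, qname, qtype, edns_version=version, do=True))
        sent += 1
        if struct.unpack("!H", resp[2:4])[0] & 0xF != RCODE_FORMERR:
            break
    return parse_message(resp), sent
```

Calling resolve(formerr_on_edns_server, "example.com.", A) sends two queries and only gets the answer on the EDNS-less retry; resolve(edns_aware_server, "example.com.", A) sends one and the reply carries an OPT RR with version 0 and no flags. Two simplifications to keep in mind before borrowing from this: a real responder must also keep a UDP reply within the requester's advertised payload size (the OPT class field) and set TC when it cannot, and it has to accept compression pointers, which this parser rejects.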