Route 53 have IPv6 now handled out of the .co.uk zones though they still don't do EDNS. Azure also mishandles EDNS.

Route 53 returns plain DNS responses when presented with an EDNS(1) query. This breaks validating EDNS(1) clients getting answers from a signed zone.

Azure echoes back unknown EDNS options and returns NOERROR NODATA to EDNS(1) queries. This breaks EDNS(1) clients regardless of whether the data is coming from a signed zone or not. It also potentially breaks any client using EDNS options regardless of the version of EDNS they have in the query. It is server misbehaviour like this that requires clients to whitelist ECS servers. If a DNS COOKIE client is picky it will also break them.

EDNS(0) specified how to handle EDNS(1) queries when you only support EDNS(0) back in 1999. It isn't hard to get it right. It also isn't hard to test.

Mark

harveynorman.com.au. @64.4.48.5 (ns2-05.azure-dns.net.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=echoed edns1opt=status do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
harveynorman.com.au. @13.107.24.5 (ns3-05.azure-dns.org.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=echoed edns1opt=status do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
harveynorman.com.au. @40.90.4.5 (ns1-05.azure-dns.com.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=echoed edns1opt=status do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
harveynorman.com.au. @13.107.160.5 (ns4-05.azure-dns.info.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=ok edns1opt=status do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok

energeticsinstitute.com.au. @205.251.195.234 (ns-1002.awsdns-61.net.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
energeticsinstitute.com.au. @205.251.197.70 (ns-1350.awsdns-40.org.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
energeticsinstitute.com.au. @205.251.192.97 (ns-97.awsdns-12.com.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
energeticsinstitute.com.au. @205.251.198.160 (ns-1696.awsdns-20.co.uk.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
energeticsinstitute.com.au. @2600:9000:5306:a000::1 (ns-1696.awsdns-20.co.uk.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok

Mark

In message <BLUPR05MB595CEB3D1F875F1D20D7889B4A00@BLUPR05MB595.namprd05.prod.outlook.com>, Ryan Finnesey writes:
Thanks everyone for their response. We are going to use the Azure Zone Service.
Cheers Ryan
From: Matthieu Michaud <matthieu@nxdomain.fr>
Sent: Friday, August 12, 2016 1:34 PM
To: Ryan Finnesey <ryan@finnesey.com>
Cc: nanog@nanog.org
Subject: Re: DNS Services for a registrar
Hi,
I have been very happy with route53 while lack of IPv6 support was not an issue for the use case.
Did you evaluate CloudFlare in PaaS solution? Their free plan includes DNS.
Best regards,
On Fri, Aug 12, 2016 at 7:56 AM, Ryan Finnesey <ryan@finnesey.com> wrote:
We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure?
We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53.
Cheers Ryan
-- Matthieu MICHAUD
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
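
Added example, not part of the thread or any poster's code: a Python check for the two behaviours described above, assuming the RFC 6891 rules that an EDNS(0)-only server answers an EDNS(1) query with BADVERS carried in an OPT record and ignores unknown options instead of echoing them. The sample replies are constructed, and the labels status/noopt/echoed are this example's own, chosen to resemble the tester output.

```python
import struct

OPT, BADVERS = 41, 16  # RFC 6891: OPT RR type; extended RCODE for an unsupported version

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)    # pointer is 2 bytes, root label is 1

def find_opt(msg):
    """Return (full_rcode, edns_version, option_codes); version is None without an OPT RR."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == OPT:                   # TTL field = ext-rcode | version | flags
            codes, p = [], 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                codes.append(code)
                p += 4 + olen
            return ((ttl >> 24) << 4) | (flags & 0xF), (ttl >> 16) & 0xFF, codes
    return flags & 0xF, None, []

def check_edns1(resp, sent_option=None):
    """Classify the reply an EDNS(0)-only server gave to an EDNS(1) query."""
    rcode, version, codes = find_opt(resp)
    checks = [("status", rcode != BADVERS),      # reply should be BADVERS
              ("noopt", version is None),        # plain DNS reply, no OPT RR
              ("echoed", sent_option in codes)]  # unknown option copied back
    return [name for name, bad in checks if bad] or ["ok"]

# Constructed sample replies (question: example. SOA IN), not captured traffic.
Q = b"\x07example\x00" + struct.pack("!HH", 6, 1)
def make(opt_ttl=None, rdata=b""):
    """Reply with an OPT RR whose TTL field is opt_ttl, or with no OPT RR when None."""
    hdr = struct.pack("!6H", 0x1234, 0x8400, 1, 0, 0, 0 if opt_ttl is None else 1)
    opt = b"" if opt_ttl is None else b"\x00" + struct.pack("!HHIH", OPT, 4096, opt_ttl, len(rdata)) + rdata
    return hdr + Q + opt

GOOD = make(1 << 24)                            # BADVERS, advertises version 0
PLAIN = make()                                  # NOERROR with no OPT RR at all
ECHO = make(0, struct.pack("!HH", 65001, 0))    # NOERROR, echoes local-use option 65001
```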