We see Juniper firewalls blocking EDNS(1) and NSID by default. We see Checkpoint firewalls blocking EDNS(1) and EDNS flags by default. There is another vendor that blocks EDNS(1). Juniper and Checkpoint have newer code that doesn't do this. The old firewalls are still out there however. You can see them easily when you are doing bulk testing and mark timeouts in a different colour. Please go look at the reports on https://ednscomp.isc.org to see how obvious they are. There were times in the last 4 years where over 50% of the tested servers were dropping EDNS(1) queries. With drop rates like that you limited the ability of the IETF to use EDNS(1) to fix issues with EDNS correctly. RFC 6891 would have included a version bump except for these stupid firewalls. The clarification of unknown EDNS option behaviour warranted a version bump. Blocking any of the extension mechanisms (version, flag or option) isn't doing anyone any benefit. If you have a firewall that does it please FIX IT.

On 24 Jan 2019, at 10:13 pm, Mark Andrews <marka@isc.org> wrote:

> On 24 Jan 2019, at 9:02 pm, Mike Meredith <mike.meredith@port.ac.uk> wrote:
>
> > On Thu, 24 Jan 2019 11:22:44 +1100, Mark Andrews <marka@isc.org> may have written:
> >
> > > If you run a firewall in front of your DNS server you may be broken.
> >
> > If you run a firewall in front of your DNS server and the firewall breaks EDNS, then your firewall is broken. And has been a long, long time. I put a firewall in place back in 2004, and EDNS compliance was one of the tests back then.
>
> EDNS usage has changed since then. Back in 2004 there was zero use of EDNS options in queries. That is no longer true. NSID (RFC 5001), the first option to make it into mainstream code, was allocated in 2007 and that saw occasional use. DNS COOKIE has been in every query named has emitted since BIND 9.11.0 and in late BIND 9.10 versions. Lots of firewalls still reject it.
>
> > --
> > Mike Meredith, University of Portsmouth
> > Chief Systems Engineer, Hostmaster, Security, and Timelord!
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
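The thread's complaint is that middleboxes silently drop queries carrying an EDNS version other than 0, the DO flag, or options such as NSID and COOKIE, so the only symptom an operator sees is a timeout. The following is an added example, written for this page and not code from ISC or the ednscomp service, that builds exactly those query variants on the wire (RFC 6891 OPT RR, NSID per RFC 5001, COOKIE per RFC 7873) and classifies the reply as `ok`, `badvers` (the RFC 6891-compliant answer to EDNS version 1), `no-edns`, `unexpected`, or `timeout`, so you can test a server behind your own firewall. The server address, the zone name and the sample replies produced by `make_response` are constructed for illustration; `probe` is the only function that touches the network.

```python
"""Send EDNS query variants to a DNS server and classify how it (or a firewall
in front of it) reacts. Added example; not ISC's ednscomp code."""
import os
import socket
import struct

OPT_TYPE = 41
OPT_NSID = 3         # RFC 5001: server identifier, empty in the query
OPT_COOKIE = 10      # RFC 7873: 8-byte client cookie in the query
RCODE_BADVERS = 16   # RFC 6891: the correct reply to an unsupported EDNS version
DO_FLAG = 0x8000     # DNSSEC OK bit in the OPT TTL field


def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def _skip_name(buf, off):
    """Return the offset just past a wire-format name (handles compression)."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def build_query(name, qid, edns_version=0, flags=0, options=(), payload=4096):
    """Wire-format SOA query for `name` with a single OPT RR in the additional
    section. `options` is a sequence of (code, data) pairs."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    question = _encode_name(name) + struct.pack("!HH", 6, 1)  # SOA, IN
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    ttl = (edns_version << 16) | flags        # OPT TTL = ext-rcode | version | flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, payload, ttl, len(rdata)) + rdata
    return header + question + opt


def parse_response(buf):
    """Return (rcode, edns_version). rcode includes the OPT extended rcode bits;
    edns_version is None when the reply carries no OPT RR."""
    _qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4         # skip QTYPE and QCLASS
    rcode, version = flags & 0xF, None
    for _ in range(an + ns + ar):
        off = _skip_name(buf, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            rcode |= (ttl >> 24) << 4          # extended rcode lives in the top byte
            version = (ttl >> 16) & 0xFF
    return rcode, version


def classify(response, edns_version_sent):
    """Map a raw reply (or None for no reply) to a verdict string."""
    if response is None:
        return "timeout"                       # the firewall symptom the thread describes
    rcode, version = parse_response(response)
    if version is None:
        return "no-edns"                       # plain DNS reply, EDNS not supported
    if edns_version_sent != 0:
        return "badvers" if rcode == RCODE_BADVERS else "unexpected"
    return "ok" if rcode == 0 else "unexpected"


def make_response(query, rcode=0, edns_version=0, with_opt=True):
    """Constructed sample reply for offline use (not captured traffic)."""
    qid = struct.unpack("!H", query[:2])[0]
    qend = _skip_name(query, 12) + 4
    arcount = 1 if with_opt else 0
    header = struct.pack("!HHHHHH", qid, 0x8180 | (rcode & 0xF), 1, 0, 0, arcount)
    opt = b""
    if with_opt:
        ttl = ((rcode >> 4) << 24) | (edns_version << 16)
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, 0)
    return header + query[12:qend] + opt


def probe(server, name, edns_version=0, flags=0, options=(), timeout=3.0):
    """Send one query over UDP/53 and classify the outcome."""
    qid = int.from_bytes(os.urandom(2), "big")
    query = build_query(name, qid, edns_version, flags, options)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return classify(None, edns_version)
    if data[:2] != query[:2]:
        return "unexpected"                    # reply ID does not match our query
    return classify(data, edns_version)


if __name__ == "__main__":
    # Placeholder server and zone: point these at a server you operate.
    server, zone = "192.0.2.53", "example.com."
    for label, kwargs in [
        ("edns0", {}),
        ("edns1", {"edns_version": 1}),
        ("do-flag", {"flags": DO_FLAG}),
        ("nsid", {"options": [(OPT_NSID, b"")]}),
        ("cookie", {"options": [(OPT_COOKIE, os.urandom(8))]}),
    ]:
        print(f"{label:8s} {probe(server, zone, **kwargs)}")
```

A run in which `edns0` answers but `edns1`, `do-flag`, `nsid` or `cookie` come back as `timeout` is the signature the thread describes: the server is reachable and speaks EDNS, and something in the path is dropping specific extension mechanisms rather than the server rejecting them. Run it against your own servers from outside the firewall and compare with a run from inside.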