In message <20160823233710.8DC3A5206AD7@rock.dv.isc.org>, Mark Andrews writes:
> I'm curious. What are you trying to achieve by blocking EDNS version
> negotiation? Is it really too hard to return BADVERS to an EDNS query
> with version != 0 along with the version of EDNS you support in the
> version field? Are you deliberately trying to prevent the IETF from
> deciding to bump the EDNS version in the future? Do you have firewalls
> that have this behaviour hard coded? Do you even test for RFC compliance?
>
> Mark
>
> lostoncampus.com.au. @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> lostoncampus.com.au. @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> lostoncampus.com.au. @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> lostoncampus.com.au. @205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
Amazon are updating their servers/firewalls so they no longer time out.
They still need to return an EDNS response, but it is a step in the right
direction. Thanks for improving the situation.

It makes for some dramatic changes in the EDNS(1) and EDNS(1) + Unknown
EDNS option failure mode and response graphs at
https://ednscomp.isc.org/compliance/summary.html

Mark

% dig soa lostoncampus.com.au @205.251.195.156 +edns=1 +noednsneg +norec

; <<>> DiG 9.11.0rc1 <<>> soa lostoncampus.com.au @205.251.195.156 +edns=1 +noednsneg +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52640
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;lostoncampus.com.au.          IN      SOA

;; ANSWER SECTION:
lostoncampus.com.au.    900     IN      SOA     ns-1222.awsdns-24.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; AUTHORITY SECTION:
lostoncampus.com.au.    172800  IN      NS      ns-1222.awsdns-24.org.
lostoncampus.com.au.    172800  IN      NS      ns-1812.awsdns-34.co.uk.
lostoncampus.com.au.    172800  IN      NS      ns-78.awsdns-09.com.
lostoncampus.com.au.    172800  IN      NS      ns-924.awsdns-51.net.

;; Query time: 132 msec
;; SERVER: 205.251.195.156#53(205.251.195.156)
;; WHEN: Thu Sep 15 10:09:42 EST 2016
;; MSG SIZE  rcvd: 237

%

Checking: 'lostoncampus.com.au' as at 2016-09-15T00:07:37Z

lostoncampus.com.au @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet
lostoncampus.com.au @205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet
lostoncampus.com.au @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet
lostoncampus.com.au @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet

The Following Tests Failed

EDNS - Unknown Version Handling (edns1)
    dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
    expect: BADVERS
    expect: OPT record with version set to 0
    expect: not to see SOA
    See RFC6891, 6.1.3. OPT Record TTL Field Use

EDNS - Unknown Version with Unknown Option Handling (edns1opt)
    dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
    expect: BADVERS
    expect: OPT record with version set to 0
    expect: not to see SOA
    expect: that the option will not be present in response
    See RFC6891

Codes
    ok - test passed.
    nsid - NSID supported.
    subnet - EDNS Client Subnet supported.
    soa - SOA record found when not expected.
    noopt - OPT record not found when expected.
    status - expected rcode status code not found.
    timeout - lookup timed out.

To retrieve this report in the future: https://ednscomp.isc.org/ednscomp/0e5c781801

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org