Can someone from Amazon please answer.
I'm curious. What are you trying to achieve by blocking EDNS version negotiation? Is it really too hard to return BADVERS to an EDNS query with version != 0 along with the version of EDNS you support in the version field? Are you deliberately trying to prevent the IETF from deciding to bump the EDNS version in the future? Do you have firewalls that have this behaviour hard coded? Do you even test for RFC compliance?

Mark

lostoncampus.com.au. @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
lostoncampus.com.au. @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
lostoncampus.com.au. @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
lostoncampus.com.au. @205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
I would love to hear Amazon's response to this very question!

On 8/23/16 4:37 PM, Mark Andrews wrote:
> I'm curious. What are you trying to achieve by blocking EDNS version negotiation? Is it really too hard to return BADVERS to an EDNS query with version != 0 along with the version of EDNS you support in the version field? Are you deliberately trying to prevent the IETF from deciding to bump the EDNS version in the future? Do you have firewalls that have this behaviour hard coded? Do you even test for RFC compliance?
Just looking at the RFC...

-----
VERSION
   Indicates the implementation level of the setter. Full conformance with this specification is indicated by version '0'. Requestors are encouraged to set this to the lowest implemented level capable of expressing a transaction, to minimise the responder and network load of discovering the greatest common implementation level between requestor and responder. A requestor's version numbering strategy MAY ideally be a run-time configuration option.

   If a responder does not implement the VERSION level of the request, then it MUST respond with RCODE=BADVERS. All responses MUST be limited in format to the VERSION level of the request, but the VERSION of each response SHOULD be the highest implementation level of the responder. In this way, a requestor will learn the implementation level of a responder as a side effect of every response, including error responses and including RCODE=BADVERS.
-----

What am I missing, based on your output?

On Aug 23, 2016 6:43 PM, "Mark Andrews" <marka@isc.org> wrote:
> Is it really too hard to return BADVERS to an EDNS query with version != 0 along with the version of EDNS you support in the version field?
In message <CAC6=tfYnPX2pGCNNjaeV+yVENypMFqf02JmD58fgJExQfZku_Q@mail.gmail.com>, Josh Reynolds writes:
> Just looking at the RFC...
>
> -----
> VERSION
>    Indicates the implementation level of the setter. Full conformance with this specification is indicated by version '0'. Requestors are encouraged to set this to the lowest implemented level capable of expressing a transaction, to minimise the responder and network load of discovering the greatest common implementation level between requestor and responder. A requestor's version numbering strategy MAY ideally be a run-time configuration option.
>
>    If a responder does not implement the VERSION level of the request, then it MUST respond with RCODE=BADVERS. All responses MUST be limited in format to the VERSION level of the request, but the VERSION of each response SHOULD be the highest implementation level of the responder. In this way, a requestor will learn the implementation level of a responder as a side effect of every response, including error responses and including RCODE=BADVERS.
> -----
>
> What am I missing, based on your output?
The servers do not RESPOND to EDNS version != 0 queries. The following sends an EDNS version 1 query and tells dig not to complete the EDNS version negotiation so you can see the BADVERS response.

% dig lostoncampus.com.au. @205.251.195.156 +edns=1 +noednsneg soa

; <<>> DiG 9.11.0rc1 <<>> lostoncampus.com.au. @205.251.195.156 +edns=1 +noednsneg soa
;; global options: +cmd
;; connection timed out; no servers could be reached
%

An EDNS version 0 query to show reachability and that EDNS is supported.

% dig lostoncampus.com.au. @205.251.195.156 +edns=0 +noednsneg soa

; <<>> DiG 9.11.0rc1 <<>> lostoncampus.com.au. @205.251.195.156 +edns=0 +noednsneg soa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63224
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;lostoncampus.com.au.           IN      SOA

;; ANSWER SECTION:
lostoncampus.com.au.    900     IN      SOA     ns-1222.awsdns-24.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; AUTHORITY SECTION:
lostoncampus.com.au.    172800  IN      NS      ns-1222.awsdns-24.org.
lostoncampus.com.au.    172800  IN      NS      ns-1812.awsdns-34.co.uk.
lostoncampus.com.au.    172800  IN      NS      ns-78.awsdns-09.com.
lostoncampus.com.au.    172800  IN      NS      ns-924.awsdns-51.net.

;; Query time: 126 msec
;; SERVER: 205.251.195.156#53(205.251.195.156)
;; WHEN: Sat Aug 27 09:40:29 EST 2016
;; MSG SIZE  rcvd: 248
%

What you should see is something like the following. Note the version field is zero (0) and the rcode (status) field is BADVERS. This response does show a protocol error: AD should not be set in this response as there is no authenticated data.

% dig . @a.root-servers.net +edns=1 +noednsneg soa

; <<>> DiG 9.11.0rc1 <<>> . @a.root-servers.net +edns=1 +noednsneg soa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 22570
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; Query time: 438 msec
;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
;; WHEN: Sat Aug 27 09:34:32 EST 2016
;; MSG SIZE  rcvd: 23
%

Amazon are not alone here (about 20% of servers fail to respond to EDNS version 1 queries) but they are a big player so they should be doing things correctly. See https://ednscomp.isc.org/compliance/alexa-report.html for others serving the Alexa top 1000 that get things wrong; there are a lot of you out there. There are also reports for the bottom 1000, .GOV, .AU and the root zone at https://ednscomp.isc.org along with an online compliance checker so others can test their servers. You just need to name a zone and it will work out the rest, or you can target individual servers, even those not listed in the NS RRset.

There is also a whole series of graphs showing failure trends for different EDNS compliance tests at https://ednscomp.isc.org/compliance/summary.html

Mark
Excellent info, thank you Mark.

On Aug 26, 2016 6:53 PM, "Mark Andrews" <marka@isc.org> wrote:
> The servers do not RESPOND to EDNS version != 0 queries.
My personal favorite broken domain is New York State Thruway folks.

https://ednscomp.isc.org/ednscomp/cb652bc112

If you ask for AAAA of www.thruway.ny.gov it is a CNAME to www.wip.thruway.ny.gov and that breaks a number of DNS servers and load balancers, eg:

$ host -t aaaa www.wip.thruway.ny.gov
;; reply from unexpected source: 2001:558:100e:4:69:252:66:215#53, expected 2001:558:feed::1#53
;; reply from unexpected source: 2001:558:100e:4:69:252:66:215#53, expected 2001:558:feed::1#53

Waiting for the timeouts to occur or trying to get a robust response via TCP is problematic at best.

DNS works really well despite much of the damage from firewall vendors and ill-informed consultants.

- Jared
On Aug 26, 2016, at 7:54 PM, Josh Reynolds <josh@kyneticwifi.com> wrote:
> Excellent info, thank you Mark.
In message <A7ED985B-B1B4-48C6-93B8-2CC969935D34@puck.nether.net>, Jared Mauch writes:
> My personal favorite broken domain is New York State Thruway folks.
>
> https://ednscomp.isc.org/ednscomp/cb652bc112
>
> If you ask for AAAA of www.thruway.ny.gov it is a CNAME to www.wip.thruway.ny.gov and that breaks a number of DNS servers and load balancers, eg:
>
> $ host -t aaaa www.wip.thruway.ny.gov
> ;; reply from unexpected source: 2001:558:100e:4:69:252:66:215#53, expected 2001:558:feed::1#53
> ;; reply from unexpected source: 2001:558:100e:4:69:252:66:215#53, expected 2001:558:feed::1#53
>
> Waiting for the timeouts to occur or trying to get a robust response via TCP is problematic at best.
>
> DNS works really well despite much of the damage from firewall vendors and ill-informed consultants.
>
> - Jared
Your taxpayer dollars at work. If you are a resident of NY state go complain to your state representatives. Which bureaucrat signed off on the purchase of this piece of garbage. Load balancers need to answer all query types.

% dig www.wip.thruway.ny.gov @lc1.thruway.ny.gov

; <<>> DiG 9.11.0rc1 <<>> www.wip.thruway.ny.gov @lc1.thruway.ny.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59670
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.wip.thruway.ny.gov.        IN      A

;; ANSWER SECTION:
www.wip.thruway.ny.gov. 30      IN      A       66.192.38.208

;; Query time: 394 msec
;; SERVER: 161.11.122.60#53(161.11.122.60)
;; WHEN: Sat Aug 27 12:28:56 EST 2016
;; MSG SIZE  rcvd: 56

% dig www.wip.thruway.ny.gov @lc1.thruway.ny.gov aaaa

; <<>> DiG 9.11.0rc1 <<>> www.wip.thruway.ny.gov @lc1.thruway.ny.gov aaaa
;; global options: +cmd
;; connection timed out; no servers could be reached
%
>> If you ask for AAAA of www.thruway.ny.gov it is a CNAME to www.wip.thruway.ny.gov and that breaks a number of DNS servers and load balancers, eg:

> Your taxpayer dollars at work.

Naah. The Thruway is supported by user fees, no taxes involved.

I will agree they have a couple of pretty braindead nameservers, though.

R's,
John
In message <20160823233710.8DC3A5206AD7@rock.dv.isc.org>, Mark Andrews writes:
> I'm curious. What are you trying to achieve by blocking EDNS version negotiation? Is it really too hard to return BADVERS to an EDNS query with version != 0 along with the version of EDNS you support in the version field? Are you deliberately trying to prevent the IETF from deciding to bump the EDNS version in the future? Do you have firewalls that have this behaviour hard coded? Do you even test for RFC compliance?
Amazon are updating their servers/firewalls so they no longer time out. They still need to return an EDNS response but it is a step in the right direction. Thanks for improving the situation.

It makes for some dramatic changes in the EDNS(1) and EDNS(1) + Unknown EDNS option failure mode and response graphs at https://ednscomp.isc.org/compliance/summary.html

Mark

% dig soa lostoncampus.com.au @205.251.195.156 +edns=1 +noednsneg +norec

; <<>> DiG 9.11.0rc1 <<>> soa lostoncampus.com.au @205.251.195.156 +edns=1 +noednsneg +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52640
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;lostoncampus.com.au.           IN      SOA

;; ANSWER SECTION:
lostoncampus.com.au.    900     IN      SOA     ns-1222.awsdns-24.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; AUTHORITY SECTION:
lostoncampus.com.au.    172800  IN      NS      ns-1222.awsdns-24.org.
lostoncampus.com.au.    172800  IN      NS      ns-1812.awsdns-34.co.uk.
lostoncampus.com.au.    172800  IN      NS      ns-78.awsdns-09.com.
lostoncampus.com.au.    172800  IN      NS      ns-924.awsdns-51.net.

;; Query time: 132 msec
;; SERVER: 205.251.195.156#53(205.251.195.156)
;; WHEN: Thu Sep 15 10:09:42 EST 2016
;; MSG SIZE  rcvd: 237
%

Checking: 'lostoncampus.com.au' as at 2016-09-15T00:07:37Z

lostoncampus.com.au @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet
lostoncampus.com.au @205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet
lostoncampus.com.au @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet
lostoncampus.com.au @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet

The Following Tests Failed

EDNS - Unknown Version Handling (edns1)
        dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
        expect: BADVERS
        expect: OPT record with version set to 0
        expect: not to see SOA
        See RFC6891, 6.1.3. OPT Record TTL Field Use

EDNS - Unknown Version with Unknown Option Handling (edns1opt)
        dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
        expect: BADVERS
        expect: OPT record with version set to 0
        expect: not to see SOA
        expect: that the option will not be present in response
        See RFC6891

Codes
        ok - test passed.
        nsid - NSID supported.
        subnet - EDNS Client Subnet supported.
        soa - SOA record found when not expected.
        noopt - OPT record not found when expected.
        status - expected rcode status code not found.
        timeout - lookup timed out.

To retrieve this report in the future: https://ednscomp.isc.org/ednscomp/0e5c781801
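The probe below is an added example written for this page; it is not code from the thread, from ISC or from ednscomp. It hand-builds on a raw UDP socket the query that "dig +norec +noad +edns=1 +noednsneg soa" sends, parses the reply, and applies the three expectations of the edns1 test quoted in the report above (BADVERS, an OPT record with version 0, no SOA), together with the AD check Mark raised against the root-server reply and the source-address check behind the "reply from unexpected source" warning in Jared's host output. The two response builders are constructed stand-ins, not captured packets: one is what RFC 6891 section 6.1.3 asks a responder to send back, the other reproduces the "status,noopt,soa" verdict in the September report (answered as version 0, SOA included, no OPT). Function names, the fixed query ID 0x1234 and the 1232-byte UDP size in the compliant reply are the example's own choices.

```python
import socket
import struct

BADVERS = 16  # RFC 6891 RCODE: low 4 bits in the header, high 8 bits in the OPT TTL
TYPE_SOA, TYPE_OPT = 6, 41

def encode_name(name):
    """Wire-format a dotted name: 'example.com.' -> b'\\x07example\\x03com\\x00'."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a two-byte pointer ends the name
            return off + 2
        off += 1 + length

def build_query(name, qtype, qid, edns_version=1, udp_size=4096):
    """Query with an OPT record at the given EDNS version and RD clear, i.e. the wire
    form of: dig +norec +noad +edns=<version> +noednsneg <qtype> <name>"""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-rcode(8) | version(8) | DO and Z(16), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, edns_version << 16, 0)
    return header + question + opt

def parse_response(msg):
    """Pull out what the edns1 test judges: RCODE, AD bit, SOA in ANSWER, OPT version."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": qid, "ad": bool(flags & 0x0020), "rcode": flags & 0x000F, "soa": False, "opt": None}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if section == "answer" and rtype == TYPE_SOA:
                info["soa"] = True
            if rtype == TYPE_OPT:
                info["opt"] = {"udp_size": rclass, "version": (ttl >> 16) & 0xFF}
                info["rcode"] |= (ttl >> 24) << 4  # extended RCODE lives in the OPT TTL
    return info

def classify_edns1(info):
    """ednscomp-style verdict for a version 1 query (RFC 6891 section 6.1.3): expect BADVERS,
    an OPT record with version 0 and no SOA. 'ad' is Mark's extra point: nothing was validated."""
    problems = []
    if info["rcode"] != BADVERS:
        problems.append("status")
    if info["opt"] is None:
        problems.append("noopt")
    elif info["opt"]["version"] != 0:
        problems.append("version")
    if info["soa"]:
        problems.append("soa")
    if info["ad"]:
        problems.append("ad")
    return ",".join(problems) or "ok"

def compliant_badvers_response(query, ad=False):
    """What a responder should send for an EDNS version it does not implement:
    same ID, QR set, RCODE=BADVERS, an OPT record advertising version 0, no answer."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8000 | (0x0020 if ad else 0), 0, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, (BADVERS >> 4) << 24, 0)
    return header + opt

def version0_soa_response(query):
    """Constructed stand-in for the September behaviour in the thread: the version 1
    query is answered as if it were version 0, SOA included and no OPT record."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    rdata = (encode_name("ns-1222.awsdns-24.org.") + encode_name("awsdns-hostmaster.amazon.com.")
             + struct.pack("!IIIII", 1, 7200, 900, 1209600, 86400))
    soa = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, 1, 900, len(rdata)) + rdata
    return struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0) + question + soa  # QR|AA, NOERROR

def probe(server, zone, timeout=3.0):
    """Send the version 1 SOA query over UDP to a live server and classify the reply."""
    qid = 0x1234  # fixed for the example; real tools randomise it
    query = build_query(zone, TYPE_SOA, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, (src, _) = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"  # what the Amazon servers produced in August
    if src != server:
        return "unexpected source " + src  # the load-balancer symptom in Jared's host output
    info = parse_response(data)
    return classify_edns1(info) if info["id"] == qid else "id mismatch"
```

probe("205.251.195.156", "lostoncampus.com.au.") runs the live check; it is UDP only, with no retry and no TCP fallback, so a single lost packet also reads as "timeout", and it reports the first answer rather than retrying on an ID mismatch. Offline, classify_edns1(parse_response(r)) over the two builders gives "ok" and "ad" for the compliant reply (without and with AD set) and "status,noopt,soa" for the version 0 stand-in, matching the codes in the report above.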
participants (5)
- g@1337.io
- Jared Mauch
- John Levine
- Josh Reynolds
- Mark Andrews