QWEST you have broken DNS servers
I know it takes some time to upgrade DNS servers to ones that are actually protocol compliant but 4+ years is ridiculous. Your servers are the only ones serving the Alexa top 1M sites or the GOV zone that still return BADVERS to EDNS queries with an EDNS option present. This was behaviour made up by your DNS vendor. The correct response to EDNS options that are not understood is to IGNORE them. This allows clients and servers to deploy support for new options independently of each other.

Additionally this is breaking DNSSEC validation of the signed zones your clients have you serving. They expect you to be using EDNS compliant name servers for this role which you are not. No, we are not working around this breakage in the resolver.

Mark

% dig soa frc.gov. @208.44.130.121 +norec

; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 59707
;; flags: qr ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; Query time: 66 msec
;; SERVER: 208.44.130.121#53(208.44.130.121)
;; WHEN: Tue Sep 11 06:08:41 UTC 2018
;; MSG SIZE  rcvd: 23

% dig soa frc.gov. @208.44.130.121 +norec +nocookie

; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec +nocookie
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16876
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;frc.gov.                       IN      SOA

;; ANSWER SECTION:
frc.gov.                86400   IN      SOA     sauthns2.qwest.net. dns-admin.qwestip.net. 2180320527 10800 3600 604800 86400

;; AUTHORITY SECTION:
frc.gov.                86400   IN      NS      sauthns1.qwest.net.
frc.gov.                86400   IN      NS      sauthns2.qwest.net.

;; Query time: 66 msec
;; SERVER: 208.44.130.121#53(208.44.130.121)
;; WHEN: Tue Sep 11 06:19:33 UTC 2018
;; MSG SIZE  rcvd: 145

% grep ednsopt=badvers reports/alexa1m.2018-08-26T00:00:06Z | grep edns=ok | awk '{print $3}' | sort -u
(sauthns1.qwest.net.):
(sauthns2.qwest.net.):
% grep ednsopt=badvers reports-full/gov-full.2018-09-11T00:00:06Z | grep edns=ok | awk '{print $3}' | sort -u
(sauthns1.qwest.net.):
(sauthns2.qwest.net.):
%

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
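As an added illustration, not part of Mark's post or of ISC's tooling, the following Python probe sends the same kind of query dig does above (a +norec SOA query whose OPT record carries the DNS COOKIE option, code 10) and reads the full 12-bit RCODE, the 4 header bits plus the 8 extended bits in the OPT TTL, so a BADVERS reply (extended RCODE 16) is told apart from a NOERROR answer. The server address, zone name and the probe function are assumptions; the constructed 23-byte reply mirrors the shape of the BADVERS response shown in the dig output.

```python
import socket
import struct
COOKIE_OPT = 10  # EDNS option code for DNS COOKIE (RFC 7873), the option dig sends by default

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"

def build_query(name, qtype=6, qid=0x1234, opt_code=COOKIE_OPT, opt_data=b"\x00" * 8):
    """Non-recursive SOA query (qtype 6) with an EDNS0 OPT record carrying one option."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 1)  # flags 0: RD clear (+norec)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = struct.pack("!HH", opt_code, len(opt_data)) + opt_data
    # OPT RR: root owner name, type 41, UDP size in CLASS, ext-rcode/version/flags in TTL
    return header + question + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + n

def response_rcode(msg):
    """Full 12-bit RCODE: 4 header bits plus 8 extended bits from the top byte of the OPT TTL."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            rcode |= (ttl >> 24) << 4
        off += 10 + rdlen
    return {0: "NOERROR", 16: "BADVERS"}.get(rcode, "RCODE%d" % rcode)

def constructed_badvers_reply(qid=59707):
    """Constructed 23-byte reply shaped like the BADVERS dig output above: QR+AD set,
    no question echoed, one OPT RR whose TTL carries extended RCODE 1."""
    return struct.pack("!HHHHHH", qid, 0x8020, 0, 0, 0, 1) + b"\x00" + struct.pack("!HHIH", 41, 4096, 1 << 24, 0)

def probe(server, name="frc.gov.", timeout=3.0):
    """Send the probe over UDP and return the server's RCODE name (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return response_rcode(s.recv(4096))
```

A compliant authoritative server ignores the unknown option and `probe()` returns "NOERROR"; a server with the behaviour described above returns "BADVERS", which is exactly what a validating resolver has to cope with.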
Would you like us to send this to our Qwest/CenturyLink contact?

Anne P. Mitchell, Attorney at Law
GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
CEO/President, Institute for Social Internet Public Policy
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
Member, California Bar Association
Member, Cal. Bar Cyberspace Law Committee
Member, Colorado Cyber Committee
Member, Board of Directors, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop
Yes please.
On 13 Sep 2018, at 2:45 am, Anne P. Mitchell, Esq. <amitchell@isipp.com> wrote:
Would you like us to send this to our Qwest/CenturyLink contact?
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
From Qwest/CL: "we are aware of the issue and expect this to be resolved next month."