nanog mailing list archives

EDNS compliance of servers for the Alexa Top 1M


From: Mark Andrews <marka () isc org>
Date: Tue, 31 May 2016 16:56:19 +1000


If you are an Alexa Top 1M entry or host the DNS for an Alexa Top 1M
entry you should be paying attention.

I'm focusing here on unknown EDNS option handling as ISC is about
to release a version of named which will exercise these errors in
your nameservers.  BIND 9.11.0 will ship with EDNS COOKIE enabled
by default (RFC 7873) which will appear to be an unknown EDNS option
to servers that do not understand it.

RFC 6891 states that unknown EDNS options should be ignored but that is
not always the case.

These answers are all for servers that nominally support EDNS.

You can test your servers via https://ednscomp.isc.org

Mark

232270 ednsopt=noopt

        Servers that only respond with a EDNS response if something
        else is in the EDNS query (DO=1, a known EDNS option e.g.
        ECS or NSID present).

220083 ednsopt=timeout

        The firewall is dropping queries with EDNS options present.
        
        THIS WILL CAUSE INTERMITTENT LOOKUP FAILURES.

        This stupidity needs to be fixed along with dropping queries
        due to unknown EDNS versions, unknown EDNS/DNS flags and
        unknown query types.

 64945 ednsopt=formerr,echoed,nosoa

        Failed to ignore the EDNS option.  This results in EDNS
        being disabled for the server and additional queries being
        made.  If it is serving a signed zone this may result in
        PERMANENT lookup failures if all the available servers for
        the zone exhibit this error.

 30917 ednsopt=echoed

        This is a benign failure for DNS COOKIES but could result
        in errors for other options.

  2142 ednsopt=noopt,nosoa

        This is similar to ednsopt=noopt but no SOA record was
        returned which may result in answers being treated as
        NOERROR,NODATA when they shouldn't be.

  1490 ednsopt=nosoa

        No SOA record was returned which may result in answers being
        treated as NOERROR,NODATA when they shouldn't be.

   774 ednsopt=badvers,nosoa

        BADVERS is supposed to be for EDNS version negotiation.
        Named will treat the server as not supporting EDNS.  This
        results in additional queries being made.  If it is serving
        a signed zone this may result in PERMANENT lookup failures
        if all the available servers for the zone exhibit this error.

   106 ednsopt=echoed,nosoa

        No SOA record was returned which may result in answers being
        treated as NOERROR,NODATA when they shouldn't be.  The
        echoed EDNS option is benign for DNS COOKIES but could
        result in errors for other options.

    93 ednsopt=servfail,noopt,nosoa

        Possibly a false positive due to the plain DNS query timing
        out or the server returning SERVFAIL.  If the latter, this is
        unrecoverable and will result in lookup failures.

    69 ednsopt=badversion

        Absolutely bizarre response as the EDNS version was non 0.
        Probably a proxy which is not EDNS version aware.

    68 ednsopt=status,nosoa

        Unknown RCODE returned.

    54 ednsopt=badversion,echoed

        Absolutely bizarre response as the EDNS version was non 0.
        Probably a proxy which is not EDNS version aware.

    20 ednsopt=refused,nosoa

        Possibly a false positive due to the plain DNS query timing
        out or the server returning REFUSED.  If the latter, this is
        unrecoverable and will result in lookup failures.

    14 ednsopt=status,noopt,nosoa

        Unknown RCODE returned.

    14 ednsopt=formerr,nosoa

        This is similar to ednsopt=formerr,echoed,nosoa above.

    13 ednsopt=nxdomain

        Possibly a false positive due to the plain DNS query timing
        out or the server returning NXDOMAIN.  If the latter, this
        is unrecoverable and will result in lookup failures.

     9 ednsopt=servfail,nosoa

        This is similar to ednsopt=servfail,echoed,nosoa above.

     6 ednsopt=formerr,echoed

        This is similar to ednsopt=formerr,echoed,nosoa above.

     3 ednsopt=nxdomain,echoed,nosoa

     2 ednsopt=nxdomain,noopt

     1 ednsopt=refused,noopt,nosoa

     1 ednsopt=formerr,badversion,echoed,nosoa

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:  +61 2 9871 4742                  INTERNET: marka () isc org
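The failure classes listed in the post can be reproduced against your own authoritative servers with standard-library Python. The following is an added example, not ISC's ednscomp code: it builds an SOA query whose OPT RR carries option code 65001 (assumed here as a stand-in for an option the server does not know, which is what COOKIE will be to servers predating RFC 7873, since 65001 sits in the range RFC 6891 reserves for local/experimental use) and maps the reply onto the ednsopt= tags used above. The `build_query`, `parse_response`, `classify`, `build_response` and `probe` names, the constructed sample replies and the placeholder SOA record are all this example's own, and the tags approximate ednscomp's checks rather than reproduce the tool's logic.

```python
import socket
import struct

# Constructed for this example: option code 65001 is reserved for local/
# experimental use (RFC 6891), so no real server understands it; it stands in
# for COOKIE (code 10) at a server that predates RFC 7873. The tags follow the
# post's ednsopt= vocabulary and only approximate ednscomp; not ISC's code.
UNKNOWN_OPTION_CODE = 65001
TYPE_SOA, TYPE_OPT = 6, 41
RCODE_NAMES = {1: "formerr", 2: "servfail", 3: "nxdomain", 5: "refused"}

def encode_name(name):
    """Dotted name -> uncompressed wire format."""
    labels = [l.encode() for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_opt(udp_size=4096, ext_rcode=0, version=0, options=()):
    """OPT RR (RFC 6891): root name, type 41, class=UDP size, TTL=ext-rcode|version."""
    rdata = b"".join(struct.pack(">HH", c, len(d)) + d for c, d in options)
    ttl = (ext_rcode << 24) | (version << 16)
    return b"\x00" + struct.pack(">HHIH", TYPE_OPT, udp_size, ttl, len(rdata)) + rdata

def build_query(qname, qid=0x1234, options=((UNKNOWN_OPTION_CODE, b"\x00"),)):
    """SOA query (RD=1) whose single OPT RR carries the unknown option."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    return header + encode_name(qname) + struct.pack(">HH", TYPE_SOA, 1) + build_opt(options=options)

def skip_name(buf, off):
    """Offset just past a (possibly compressed, RFC 1035 4.1.4) name."""
    while buf[off]:
        if buf[off] & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + buf[off]
    return off + 1

def parse_response(buf):
    """RCODE, OPT (ext-rcode, version), echoed option codes, SOA present?"""
    _qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4          # QTYPE + QCLASS
    info = {"rcode": flags & 0xF, "opt": None, "echoed": set(), "soa": False}
    for idx in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, _cls, ttl, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        rdata, off = buf[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TYPE_SOA and idx < an + ns:  # answer or authority section
            info["soa"] = True
        elif rtype == TYPE_OPT:
            info["opt"] = {"ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF}
            pos = 0
            while pos + 4 <= len(rdata):
                code, olen = struct.unpack(">HH", rdata[pos:pos + 4])
                info["echoed"].add(code)
                pos += 4 + olen
    return info

def classify(response, sent_option=UNKNOWN_OPTION_CODE):
    """Reply bytes (None = no reply) -> tag string in the post's ednsopt= form."""
    if response is None:
        return "timeout"
    info = parse_response(response)
    opt = info["opt"]
    rcode = info["rcode"] | ((opt["ext_rcode"] << 4) if opt else 0)
    tags = []
    if rcode == 16:                            # BADVERS = extended RCODE 1
        tags.append("badvers")
    elif rcode:
        tags.append(RCODE_NAMES.get(rcode, "status"))
    if opt is None:
        tags.append("noopt")
    else:
        if opt["version"] != 0:
            tags.append("badversion")
        if sent_option in info["echoed"]:      # option came back instead of being ignored
            tags.append("echoed")
    if not info["soa"]:
        tags.append("nosoa")
    return ",".join(tags) or "ok"

def build_response(rcode=0, opt=None, soa=True, qname="example.com", qid=0x1234):
    """Constructed reply for offline checks: placeholder SOA in authority, raw OPT in additional."""
    records, ns, ar = b"", 0, 0
    if soa:
        records += encode_name(qname) + struct.pack(">HHIH", TYPE_SOA, 1, 3600, 22) + bytes(22)
        ns = 1
    if opt:
        records, ar = records + opt, 1
    header = struct.pack(">HHHHHH", qid, 0x8180 | (rcode & 0xF), 1, 0, ns, ar)
    return header + encode_name(qname) + struct.pack(">HH", TYPE_SOA, 1) + records

def probe(server_ipv4, zone, timeout=3.0):
    """Send the unknown-option SOA query for `zone` over UDP/53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(zone), (server_ipv4, 53))
        try:
            return classify(sock.recvfrom(4096)[0])
        except socket.timeout:
            return classify(None)
```

`probe("192.0.2.1", "example.com")` (placeholder address and zone) checks one live server: `ok` means the unknown option was ignored as RFC 6891 requires, `timeout` matches the firewall case in the list, and `echoed`, `formerr` and `badvers` correspond to the entries above. `build_response` exists only so the classifier can be exercised offline on constructed replies; the SOA rdata in it is a zero-filled placeholder. The probe is UDP-only and checks a single server, so run it against every authoritative server for the zone, because the PERMANENT failure cases in the post arise only when all of them misbehave.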

