nanog mailing list archives

Re: pay.gov and IPv6

From: Mark Andrews <marka () isc org>
Date: Sat, 19 Nov 2016 07:58:51 +1100


In message <87twb4slol.fsf () mid deneb enyo de>, Florian Weimer writes:

* Mark Andrews:

The DNSSEC testing is also insufficient.  9-11commission.gov shows
green for example but if you use DNS COOKIES (which BIND 9.10.4 and
BIND 9.11.0 do) then servers barf and return BADVERS and validation
fails.  QWEST you have been informed of this already.

Why the hell should validating resolver have to work around the
crap you guys are using?


The protocol doesn't have proper version negotation, and again and
again, implementers have tried to force backwards-incompatible
implementations on the Internet at large.


The servers talk EDNS.  They server signed zones which require EDNS
support.  These are EDNS version 0 queries.  BADVERS is the response
code for when you receive a EDNS version field higher than the one
you implement and it requires that you use EDNS to send the rcode.

The query has a EDNS version field of 0.  The response has a EDNS
version field of 0.  The response has a rcode of BADVERS.

Yes, the behaviour of how to handle unknown options was clarified
in RFC 6891.  With RFC 2671 nameserver developer had a choice to
make

* BADVERS was never a sensible response however.  BADVERS had explict
  instructions for when it should be sent and they didn't include "if
  there is a EDNS option you don't understand return BADVERS".  If you
  thought the version field was wrong then that made it a malformed
  request which should elicit a FORMERR.

* FORMERR also wasn't a good idea.  RFC 2671 didn't say that no
  options could be added to a EDNS version 1 query but I can see if
  you thought EDNS version 0 was not allowed to have EDNS options
  that it could be seen as a malformed record.  Unless you know the
  format of the option you can't sensibly return FORMERR on it.

* NOTIMP would have made sense before RFC 6891 was published but we never
  saw a implementation that did this.

* Echoing back the option made some sense, though sending a option that
  you don't understand is risky.

* Ignoring the option also made sense.  This is what RFC 6891 says
  to do and matches the unknown EDNS flags behaviour.

* Ask the working group / IETF.

I wouldn't be complaining about it if they were only supporting
plain DNS.  You can tell the difference between a server that
supports EDNS and one that doesn't.  They behave differently.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org

Current thread:

Re: pay.gov and IPv6, (continued)
- - - Re: pay.gov and IPv6 Carl Byington (Nov 18)
    - Re: pay.gov and IPv6 JORDI PALET MARTINEZ (Nov 18)
    - Re: pay.gov and IPv6 JORDI PALET MARTINEZ (Nov 20)
    - Re: pay.gov and IPv6 Carl Byington (Nov 20)
    - Re: pay.gov and IPv6 Mark Andrews (Nov 20)
    - Re: pay.gov and IPv6 Carl Byington (Nov 20)
    - Re: pay.gov and IPv6 JORDI PALET MARTINEZ (Nov 20)
    - Re: pay.gov and IPv6 joel jaeggli (Nov 21)
    - Re: pay.gov and IPv6 Sean Donelan (Nov 18)
    - Re: pay.gov and IPv6 Florian Weimer (Nov 18)
    - Re: pay.gov and IPv6 Mark Andrews (Nov 18)
  - Re: pay.gov and IPv6 Jared Mauch (Nov 16)
  - Re: pay.gov and IPv6 JORDI PALET MARTINEZ (Nov 16)