nanog mailing list archives

Re: Can someone from Amazon please answer.


From: Mark Andrews <marka () isc org>
Date: Thu, 15 Sep 2016 10:15:16 +1000


In message <20160823233710.8DC3A5206AD7 () rock dv isc org>, Mark Andrews writes:

I'm curious.  What are you trying to achieve by blocking EDNS version
negotiation?  Is it really too hard to return BADVERS to an EDNS
query with version != 0 along with the version of EDNS you support
in the version field?  Are you deliberately trying to prevent the
IETF from deciding to bump the EDNS version in the future?  Do you
have firewalls that have this behaviour hard coded?  Do you even
test for RFC compliance?

Mark

lostoncampus.com.au. @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
lostoncampus.com.au. @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
lostoncampus.com.au. @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
lostoncampus.com.au. @205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:        +61 2 9871 4742                  INTERNET: marka () isc org

Amazon are updating their servers/firewalls so they no longer
time out.  They still need to return an EDNS response but it is a
step in the right direction.

Thanks for improving the situation.

It makes for some dramatic changes in the EDNS(1) and EDNS(1) +
Unknown EDNS option failure mode and response graphs at
https://ednscomp.isc.org/compliance/summary.html


Mark

% dig soa lostoncampus.com.au @205.251.195.156 +edns=1 +noednsneg +norec

; <<>> DiG 9.11.0rc1 <<>> soa lostoncampus.com.au @205.251.195.156 +edns=1 +noednsneg +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52640
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;lostoncampus.com.au.           IN      SOA

;; ANSWER SECTION:
lostoncampus.com.au.    900     IN      SOA     ns-1222.awsdns-24.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; AUTHORITY SECTION:
lostoncampus.com.au.    172800  IN      NS      ns-1222.awsdns-24.org.
lostoncampus.com.au.    172800  IN      NS      ns-1812.awsdns-34.co.uk.
lostoncampus.com.au.    172800  IN      NS      ns-78.awsdns-09.com.
lostoncampus.com.au.    172800  IN      NS      ns-924.awsdns-51.net.

;; Query time: 132 msec
;; SERVER: 205.251.195.156#53(205.251.195.156)
;; WHEN: Thu Sep 15 10:09:42 EST 2016
;; MSG SIZE  rcvd: 237

% 

Checking: 'lostoncampus.com.au' as at 2016-09-15T00:07:37Z

lostoncampus.com.au @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet
lostoncampus.com.au @205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet
lostoncampus.com.au @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet
lostoncampus.com.au @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet
The Following Tests Failed

EDNS - Unknown Version Handling (edns1)

dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
See RFC6891, 6.1.3. OPT Record TTL Field Use

EDNS - Unknown Version with Unknown Option Handling (edns1opt)

dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
expect: that the option will not be present in response
See RFC6891

Codes

ok - test passed.
nsid - NSID supported.
subnet - EDNS Client Subnet supported.
soa - SOA record found when not expected.
noopt - OPT record not found when expected.
status - expected rcode status code not found.
timeout - lookup timed out.
To retrieve this report in the future: https://ednscomp.isc.org/ednscomp/0e5c781801



-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
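As an added example (not code from the thread or from ISC's ednscomp tool), a small Python checker that applies the edns1 expectations quoted above (BADVERS rcode, OPT record with version 0, no SOA answered) to a raw DNS response and reports the same status/noopt/soa codes as the report legend; it also builds the RD-clear probe query and constructed responses to try it on. The zone name and SOA contents it is fed are made up, and the 4096-byte UDP payload size is an assumption.

```python
import struct

BADVERS, TYPE_SOA, TYPE_OPT = 16, 6, 41   # RFC 6891 extended RCODE; RR types SOA and OPT

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus the root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_message(zone, flags=0, opt_version=None, ext_rcode=0, soa_answer=False, txid=0x1234):
    """One SOA question, optional SOA answer, optional OPT RR (RFC 6891 puts the EDNS
    version and extended RCODE in the OPT TTL).  flags=0 is the RD-clear probe of 'dig +norec'."""
    msg = struct.pack("!HHHHHH", txid, flags, 1, int(soa_answer), 0, int(opt_version is not None))
    msg += encode_name(zone) + struct.pack("!HH", TYPE_SOA, 1)
    if soa_answer:   # constructed SOA; owner name is a pointer to the question name at offset 12
        rdata = encode_name("ns." + zone) + encode_name("hostmaster." + zone)
        rdata += struct.pack("!IIIII", 1, 7200, 900, 1209600, 86400)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, 1, 900, len(rdata)) + rdata
    if opt_version is not None:   # OPT: root owner, CLASS = UDP payload size (assumed 4096), no options
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, (ext_rcode << 24) | (opt_version << 16), 0)
    return msg

def skip_name(msg, off):
    """Offset just past a wire-format name; a compression pointer (top two bits set) is 2 bytes."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def classify_edns1(msg):
    """Apply the ednscomp edns1 expectations; return ['ok'] or the failing report codes."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, answer_types, opt_ttl = 12, [], None
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i < an:
            answer_types.append(rtype)
        elif rtype == TYPE_OPT:
            opt_ttl = ttl
    # full RCODE: upper 8 bits come from the OPT TTL, lower 4 bits from the header
    rcode = (flags & 0x0F) | ((opt_ttl >> 24) << 4 if opt_ttl is not None else 0)
    codes = []
    if rcode != BADVERS:
        codes.append("status")   # expected rcode BADVERS not found
    if opt_ttl is None or (opt_ttl >> 16) & 0xFF != 0:
        codes.append("noopt")    # no OPT record with version 0 in the response
    if TYPE_SOA in answer_types:
        codes.append("soa")      # SOA answered instead of refused
    return codes or ["ok"]
```

A constructed reply with flags qr aa, no OPT and a SOA answer (what the dig output above shows) classifies as ['status', 'noopt', 'soa'], matching the report, while a BADVERS reply carrying a version-0 OPT classifies as ['ok'].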

