nanog mailing list archives

QWEST you have broken DNS servers


From: Mark Andrews <marka () isc org>
Date: Tue, 11 Sep 2018 16:30:40 +1000

I know it takes some time to upgrade DNS servers to ones that are actually
protocol compliant but 4+ years is ridiculous.  Your servers are the only
ones serving the Alexa top 1M sites or the GOV zone that still return BADVERS
to EDNS queries with an EDNS option present.  This was behaviour made up by
your DNS vendor.  The correct response to EDNS options that are not understood
is to IGNORE them.  This allows clients and servers to deploy support for
new options independently of each other.

Additionally this is breaking DNSSEC validation of the signed zones your clients
have you serving.  They expect you to be using EDNS compliant name servers for
this role which you are not.  No, we are not working around this breakage in the
resolver.

Mark

% dig soa frc.gov. @208.44.130.121 +norec

; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 59707
;; flags: qr ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; Query time: 66 msec
;; SERVER: 208.44.130.121#53(208.44.130.121)
;; WHEN: Tue Sep 11 06:08:41 UTC 2018
;; MSG SIZE  rcvd: 23

% dig soa frc.gov. @208.44.130.121 +norec +nocookie

; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec +nocookie
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16876
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;frc.gov.                       IN      SOA

;; ANSWER SECTION:
frc.gov.                86400   IN      SOA     sauthns2.qwest.net. dns-admin.qwestip.net. 2180320527 10800 3600 604800 86400

;; AUTHORITY SECTION:
frc.gov.                86400   IN      NS      sauthns1.qwest.net.
frc.gov.                86400   IN      NS      sauthns2.qwest.net.

;; Query time: 66 msec
;; SERVER: 208.44.130.121#53(208.44.130.121)
;; WHEN: Tue Sep 11 06:19:33 UTC 2018
;; MSG SIZE  rcvd: 145

% grep ednsopt=badvers reports/alexa1m.2018-08-26T00:00:06Z | grep edns=ok | awk '{print $3}' | sort -u 
(sauthns1.qwest.net.):
(sauthns2.qwest.net.):
% grep ednsopt=badvers reports-full/gov-full.2018-09-11T00:00:06Z  | grep edns=ok | awk '{print $3}' | sort -u
(sauthns1.qwest.net.):
(sauthns2.qwest.net.):
% 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org
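
Added example, not part of the original post and not ISC's test code: a Python check for the behaviour the two dig runs above show, BADVERS (extended RCODE 16) returned to a version-0 EDNS query that carries an option. The messages are constructed samples modelled on the dig output, the option is COOKIE (code 10, the one +nocookie leaves out), and the function names are illustrative.

```python
import struct

OPT, BADVERS, COOKIE = 41, 16, 10   # RR type, extended RCODE, EDNS option code

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_edns(msg):
    """Return (12-bit rcode, EDNS version or None, [option codes]) for a DNS message."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, rcode, version, opts = 12, flags & 0xF, None, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4        # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == OPT:
            rcode |= (ttl >> 24) << 4        # high 8 rcode bits are carried in the OPT TTL
            version = (ttl >> 16) & 0xFF
            p = off
            while p + 4 <= off + rdlen:
                code, olen = struct.unpack_from("!HH", msg, p)
                opts.append(code)
                p += 4 + olen
        off += rdlen
    return rcode, version, opts

def badvers_on_option(query, response):
    """True when a version-0 query carrying options was answered with BADVERS."""
    _, qver, qopts = parse_edns(query)
    return qver == 0 and bool(qopts) and parse_edns(response)[0] == BADVERS

def opt_rr(ext_rcode=0, version=0, options=b""):
    """Build an OPT pseudo-RR advertising a 4096-byte UDP payload."""
    ttl = (ext_rcode << 24) | (version << 16)
    return b"\x00" + struct.pack("!HHIH", OPT, 4096, ttl, len(options)) + options

# Constructed sample messages (not captured traffic), modelled on the dig output above.
QUESTION = b"\x03frc\x03gov\x00" + struct.pack("!HH", 6, 1)      # frc.gov. IN SOA
COOKIE_OPT = struct.pack("!HH", COOKIE, 8) + b"\x01" * 8         # dummy client cookie
QUERY_COOKIE = struct.pack("!6H", 59707, 0, 1, 0, 0, 1) + QUESTION + opt_rr(options=COOKIE_OPT)
QUERY_PLAIN = struct.pack("!6H", 16876, 0, 1, 0, 0, 1) + QUESTION + opt_rr()
RESP_BADVERS = struct.pack("!6H", 59707, 0x8020, 0, 0, 0, 1) + opt_rr(ext_rcode=1)
RESP_NOERROR = struct.pack("!6H", 16876, 0x8400, 1, 0, 0, 1) + QUESTION + opt_rr()
```

The constructed BADVERS reply is 23 bytes, a bare header plus an empty OPT record, which is the MSG SIZE the first dig run reports.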

