Re: Can someone from Amazon please answer.

[Mark Andrews <marka () isc org>]

In message <A7ED985B-B1B4-48C6-93B8-2CC969935D34 () puck nether net>, Jared Mauch writes:
> My personal favorite broken domain is New York State Thruway folks.
>
> https://ednscomp.isc.org/ednscomp/cb652bc112
>
> If you ask for AAAA of www.thruway.ny.gov it is a CNAME to =
> www.wip.thruway.ny.gov and that
> breaks a number of DNS servers and load balancers, eg:
>
> $ host -t aaaa www.wip.thruway.ny.gov
> ;; reply from unexpected source: 2001:558:100e:4:69:252:66:215#53, =
> expected 2001:558:feed::1#53
> ;; reply from unexpected source: 2001:558:100e:4:69:252:66:215#53, =
> expected 2001:558:feed::1#53
>
> Waiting for the timeouts to occur or trying to get a robust response via =
> TCP is problematic at best.
>
> DNS works really well despite much of the damage from firewall vendors =
> and ill informed consultants.
>
> - Jared

Your tax payer dollars at work.  It you are a resident of NY state
go complain to your state representatives.  Which bureaucrat signed
off on the purchase of this piece of garbage.  Load balancers need
to answer all query types.

% dig www.wip.thruway.ny.gov @lc1.thruway.ny.gov

; <<>> DiG 9.11.0rc1 <<>> www.wip.thruway.ny.gov @lc1.thruway.ny.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59670
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.wip.thruway.ny.gov.                IN      A

;; ANSWER SECTION:
www.wip.thruway.ny.gov. 30      IN      A       66.192.38.208

;; Query time: 394 msec
;; SERVER: 161.11.122.60#53(161.11.122.60)
;; WHEN: Sat Aug 27 12:28:56 EST 2016
;; MSG SIZE  rcvd: 56

% dig www.wip.thruway.ny.gov @lc1.thruway.ny.gov aaaa

; <<>> DiG 9.11.0rc1 <<>> www.wip.thruway.ny.gov @lc1.thruway.ny.gov aaaa
;; global options: +cmd
;; connection timed out; no servers could be reached
% 

> > On Aug 26, 2016, at 7:54 PM, Josh Reynolds <josh () kyneticwifi com> =
> wrote:
> > =20
> > Excellent info, thank you Mark.
> > =20
> > On Aug 26, 2016 6:53 PM, "Mark Andrews" <marka () isc org> wrote:
> > =20
> > > =20
> > > In message <CAC6=3DtfYnPX2pGCNNjaeV+yVENypMFqf02JmD58fgJExQfZku_Q@
> > > mail.gmail.com>, Josh Reynolds writes:
> > > > =20
> > > > Just looking at the RFC...
> > > > -----
> > > > VERSION Indicates the implementation level of the setter. Full
> > > conformance
> > > > with this specification is indicated by version '0'. Requestors are
> > > > encouraged to set this to the lowest implemented level capable of
> > > > expressing a transaction, to minimise the responder and network load =
> of
> > > > discovering the greatest common implementation level between =
> requestor
> > > and
> > > > responder. A requestor's version numbering strategy MAY ideally be a
> > > > run-time configuration option. If a responder does not implement the
> > > > VERSION level of the request, then it MUST respond with =
> RCODE=3DBADVERS.
> > > All
> > > > responses MUST be limited in format to the VERSION level of the =
> request,
> > > > but the VERSION of each response SHOULD be the highest =
> implementation
> > > level
> > > > of the responder. In this way, a requestor will learn the =
> implementation
> > > > level of a responder as a side effect of every response, including =
> error
> > > > responses and including RCODE=3DBADVERS.
> > > > -----
> > > > What am I missing, based on your output?
> > > =20
> > > The servers do not RESPOND to EDNS version !=3D 0 queries.  The =
> following
> > > sends a EDNS version 1 query and tells dig not to complete the EDNS =
> version
> > > negotiation so you can see the BADVERS response.
> > > =20
> > > % dig lostoncampus.com.au. @205.251.195.156 +edns=3D1 +noednsneg soa
> > > =20
> > > ; <<>> DiG 9.11.0rc1 <<>> lostoncampus.com.au. @205.251.195.156 =
> +edns=3D1
> > > +noednsneg soa
> > > ;; global options: +cmd
> > > ;; connection timed out; no servers could be reached
> > > %
> > > =20
> > > A EDNS version 0 query to show reachability and that EDNS is =
> supported.
> > > =20
> > > % dig lostoncampus.com.au. @205.251.195.156 +edns=3D0 +noednsneg soa
> > > =20
> > > ; <<>> DiG 9.11.0rc1 <<>> lostoncampus.com.au. @205.251.195.156 =
> +edns=3D0
> > > +noednsneg soa
> > > ;; global options: +cmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63224
> > > ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
> > > ;; WARNING: recursion requested but not available
> > > =20
> > > ;; OPT PSEUDOSECTION:
> > > ; EDNS: version: 0, flags:; udp: 4096
> > > ;; QUESTION SECTION:
> > > ;lostoncampus.com.au.           IN      SOA
> > > =20
> > > ;; ANSWER SECTION:
> > > lostoncampus.com.au.    900     IN      SOA     =
> ns-1222.awsdns-24.org.
> > > awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
> > > =20
> > > ;; AUTHORITY SECTION:
> > > lostoncampus.com.au.    172800  IN      NS      =
> ns-1222.awsdns-24.org.
> > > lostoncampus.com.au.    172800  IN      NS      =
> ns-1812.awsdns-34.co.uk.
> > > lostoncampus.com.au.    172800  IN      NS      ns-78.awsdns-09.com.
> > > lostoncampus.com.au.    172800  IN      NS      ns-924.awsdns-51.net.
> > > =20
> > > ;; Query time: 126 msec
> > > ;; SERVER: 205.251.195.156#53(205.251.195.156)
> > > ;; WHEN: Sat Aug 27 09:40:29 EST 2016
> > > ;; MSG SIZE  rcvd: 248
> > > =20
> > > %
> > > =20
> > > What you should see is something like the following.  Note the
> > > version field is zero (0) and the rcode (status) field is BADVERS.
> > > This response does show a protocol error: AD should not be set in
> > > this response as there is no authenticated data.
> > > =20
> > > % dig . @a.root-servers.net +edns=3D1 +noednsneg soa
> > > =20
> > > ; <<>> DiG 9.11.0rc1 <<>> . @a.root-servers.net +edns=3D1 +noednsneg =
> soa
> > > ;; global options: +cmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 22570
> > > ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> > > ;; WARNING: recursion requested but not available
> > > =20
> > > ;; OPT PSEUDOSECTION:
> > > ; EDNS: version: 0, flags:; udp: 1232
> > > ;; Query time: 438 msec
> > > ;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
> > > ;; WHEN: Sat Aug 27 09:34:32 EST 2016
> > > ;; MSG SIZE  rcvd: 23
> > > =20
> > > %
> > > =20
> > > Amazon are not alone here (about 20% of servers fail to respond to
> > > EDNS version 1 queries) but they are big player so they should be
> > > doing things correctly.  See
> > > https://ednscomp.isc.org/compliance/alexa-report.html for others
> > > serving the Alexa top 1000 that get things wrong there are a lot
> > > of you out there.  There are also reports for the bottom 1000, .GOV,
> > > .AU and the root zone at https://ednscomp.isc.org along with a
> > > online compliance checker so others can test their servers.  You
> > > just need to name a zone and it will work out the rest or you can
> > > target individual servers even those not listed in the NS RRset.
> > > =20
> > > There is also a whole series of graphs showing failure trends for
> > > different EDNS compliance tests at
> > > https://ednscomp.isc.org/compliance/summary.html
> > > =20
> > > Mark
> > > =20
> > > > On Aug 23, 2016 6:43 PM, "Mark Andrews" <marka () isc org> wrote:
> > > > =20
> > > > > =20
> > > > > I'm curious.  What are you trying to achieve by blocking EDNS =
> version
> > > > > negotiation?  Is it really too hard to return BADVERS to a EDNS
> > > > > query with version !=3D 0 along with the version of EDNS you =
> support
> > > > > in the version field?  Are you deliberately trying to prevent the
> > > > > IETF from deciding to bump the EDNS version in the future?  Do you
> > > > > have firewalls that have this behaviour hard coded?  Do you even
> > > > > test for RFC compliance?
> > > > > =20
> > > > > Mark
> > > > > =20
> > > > > lostoncampus.com.au. @205.251.195.156 (ns-924.awsdns-51.net.): =
> dns=3Dok
> > > > > edns=3Dok edns1=3Dtimeout edns@512=3Dok ednsopt=3Dok =
> edns1opt=3Dtimeout do=3Dok
> > > > > ednsflags=3Dok optlist=3Dok,nsid,subnet signed=3Dok ednstcp=3Dok
> > > > > lostoncampus.com.au. @205.251.192.78 (ns-78.awsdns-09.com.): dns=3Dok=
>
> > > > > edns=3Dok edns1=3Dtimeout edns@512=3Dok ednsopt=3Dok =
> edns1opt=3Dtimeout do=3Dok
> > > > > ednsflags=3Dok optlist=3Dok,nsid,subnet signed=3Dok ednstcp=3Dok
> > > > > lostoncampus.com.au. @205.251.196.198 (ns-1222.awsdns-24.org.): =
> dns=3Dok
> > > > > edns=3Dok edns1=3Dtimeout edns@512=3Dok ednsopt=3Dok =
> edns1opt=3Dtimeout do=3Dok
> > > > > ednsflags=3Dok optlist=3Dok,nsid,subnet signed=3Dok ednstcp=3Dok
> > > > > lostoncampus.com.au. @205.251.199.20 (ns-1812.awsdns-34.co.uk.):
> > > dns=3Dok
> > > > > edns=3Dok edns1=3Dtimeout edns@512=3Dok ednsopt=3Dok =
> edns1opt=3Dtimeout do=3Dok
> > > > > ednsflags=3Dok optlist=3Dok,nsid,subnet signed=3Dok ednstcp=3Dok
> > > > > =20
> > > > > --
> > > > > Mark Andrews, ISC
> > > > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > > > PHONE:  +61 2 9871 4742                         INTERNET:
> > > marka () isc org
> > > > > =20
> > > > =20
> > > --
> > > Mark Andrews, ISC
> > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
> > > =20
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org