We are looking to deploy DNS Cookies or SIT soon and the handling of unknown EDNS options is atrocious.
http://users.isc.org/~marka/ts/gov.optfail.html

Unknown EDNS options are supposed to be ignored. See RFC6891, 6.1.2 Wire Format.

They should not generate FORMERR.
They should not generate BADVERS.
They should not be echoed back.
They should be responded to.

We are seeing all of the above mis-behaviours when testing.

FORMERR often results in responses that are indistinguishable from not supporting EDNS at all. See ednsopt and edns1opt.

leighton.com.au. @202.93.248.33 (ns2.infoplex.com.au.): dns=ok edns=formerr,nosoa edns1=formerr,version edns@512=formerr ednsopt=formerr,echoed,nosoa edns1opt=formerr,version,echoed do=formerr,nosoa ednsflags=formerr,mbz,nosoa

suncorpbank.com.au. @203.0.222.71 (pbnedns2002.suncorpmetway.com.au.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed,nosoa edns1opt=formerr,version,echoed do=ok ednsflags=ok

version = no opt record or wrong version in response
echoed = the option was echoed back

If you are a vendor and you nominally support EDNS, can you please check your software to ensure that it correctly handles unknown EDNS options.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
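
For vendors who want to run the check requested above against their own server, here is an added sketch (not part of the original message and not the ISC test tool) that builds an SOA query carrying one unknown EDNS option and classifies a raw response. The tag names are borrowed from the results above; option code 100, the function names and the classification rules are assumptions.

```python
import struct

OPT, SOA, FORMERR = 41, 6, 1
UNKNOWN_OPTION = 100  # assumed: an option code the tested server does not implement

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, opt_code=UNKNOWN_OPTION, opt_data=b"", version=0, qid=0x1234):
    """SOA query with an OPT record carrying one (unknown) EDNS option."""
    header = struct.pack("!6H", qid, 0, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!2H", SOA, 1)
    rdata = struct.pack("!2H", opt_code, len(opt_data)) + opt_data
    # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL = ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!2H4BH", OPT, 4096, 0, version, 0, 0, len(rdata)) + rdata
    return header + question + opt

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return pos + 2
        if n == 0:                # root label terminates the name
            return pos + 1
        pos += 1 + n

def classify(msg, opt_code=UNKNOWN_OPTION, version=0):
    """Tag a response to build_query(): formerr / version / echoed / nosoa, or ok."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    pos, rcode, soa, echoed, opt_version = 12, flags & 0xF, False, False, None
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4
    for i in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _cls, ttl, rdlen = struct.unpack("!2HIH", msg[pos:pos + 10])
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        if rtype == SOA and i < an:
            soa = True            # only an SOA in the answer section counts
        elif rtype == OPT:
            opt_version, rcode = (ttl >> 16) & 0xFF, rcode | (ttl >> 24) << 4
            while len(rdata) >= 4:                    # walk the option list
                code, olen = struct.unpack("!2H", rdata[:4])
                echoed |= code == opt_code
                rdata = rdata[4 + olen:]
    checks = [("formerr", rcode == FORMERR), ("version", opt_version != version),
              ("echoed", echoed), ("nosoa", not soa)]
    return [tag for tag, hit in checks if hit] or ["ok"]
```

Send the bytes from build_query() over UDP to a server you operate and pass the reply to classify(); a server that ignores the unknown option as RFC6891 requires yields ["ok"].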