In message <d15e7bb0.b14f%edward.le...@icann.org>, Edward Lewis writes:
>
> On 4/23/15, 2:45, "Michał Kępień" <michal.kep...@nask.pl> wrote:
>
> >> Yes, it's due to bug:
> >>
> >> • Fix RCODE when secondary NSD got transfer that includes deleted
> >> wildcard record. After deletion, NSD would serve NODATA, should be
> >> NXDOMAIN (thanks Michal Kepien).
> >
> > This is fun - I never expected this bug to be publicly noticed for a
> > TLD.
>
> Bugs happen. In past work I've done, I've seen some very detailed ones
> that even the TLD operator wasn't aware was happening. (Even "big time"
> operators, in the class of I could call one of their engineers and they
> got it right away.) By bugs, I include unexpected yet sometimes still
> very protocol-valid results.
>
> This is an artifact of using off-the-shelf components (open source or not)
> which have so many features/etc. that testing every nook-and-cranny is
> impractical. (Risk management ... don't waste resources testing things
> that won't matter.) The issue seen on this thread shows code diversity
> (and why some want it), so good.
Then some resolver uses a feature of the protocol and things go to hell in
a handbasket real fast.

http://users.isc.org/~marka/summary.html shows the results of not testing
"unused" features of the protocol. Some of these "unused" features are now
"in use" [1] and lookups are FAILING because vendors failed to test before
shipping.

EVERYONE on this list should test their nameservers for compliance and fix
the broken ones. If you are a vendor of a broken server please issue a CVE
for the broken versions as they can cause a denial of service. This will
"allow" OS vendors to install fixes.

TLD operators, I encourage you to audit all the delegated servers for EDNS
compliance in the handling of unknown EDNS options, unknown EDNS version
and unknown EDNS flags and then to inform the owners of the servers that
they need to fix them.

If a TLD/SLD operator wants a copy of the scripts used to generate these
graphs let me know. They will require tweaking.

[1] https://lists.isc.org/pipermail/bind-users/2015-April/095018.html.

Mark

> When bugs pop up I usually contact the operator off-list partly to confirm
> that it is a bug and sometimes learn the make and model of what they are
> running. Usually the operator takes care of contacting the tool maker, if
> not, I do. Usually we work that out based on convenience.
>
> Mind you - not all bugs are "serious" as in operations impacting. In
> this case, the name in question doesn't 'exist' so any access to it
> (WWW/SSH/FTP) is doomed anyway. Whether it's NXDOMAIN or NODATA, there's
> no AAAA or A record to be had. Yes, you'll trip up DNSVIZ and get your
> name in the permanent record.
>
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
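The three EDNS checks Mark asks TLD operators to run (unknown option, unknown version, unknown flags), as an added example that is neither code from this thread nor ISC's scripts: a standard-library probe builder plus a classifier that says whether a reply is compliant with RFC 6891. The option code 65001 and flag bit 0x0040 are constructed probe values, and the sample replies in the checks are built with the same function rather than captured from a real server.

```python
import struct

OPT_TYPE, BADVERS = 41, 16          # OPT RR type (RFC 6891); BADVERS is extended RCODE 16
UNKNOWN_OPTION = struct.pack("!HH", 65001, 0)  # constructed: option code from the local-use range, empty data
UNKNOWN_FLAG = 0x0040                          # constructed: an EDNS flag bit no RFC has assigned

def build_packet(qname, response=False, rcode=0, ext_rcode=0, version=0, flags=0, options=b""):  # one question + one OPT RR
    hdr = struct.pack("!HHHHHH", 0x1234, (0x8100 if response else 0x0100) | rcode, 1, 0, 0, 1)
    qn = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    ttl = (ext_rcode << 24) | (version << 16) | flags  # the OPT "TTL" field packs ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, len(options)) + options
    return hdr + qn + struct.pack("!HH", 1, 1) + opt  # qtype A, class IN

def _skip_name(buf, off):  # step over a wire-format name, compressed or not
    while buf[off]:
        if buf[off] & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += buf[off] + 1
    return off + 1

def find_opt(pkt):  # (ext_rcode, version, flags, rdata) of the OPT RR, or None if absent
    off, (qd, an, ns, ar) = 12, struct.unpack("!HHHH", pkt[4:12])
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            return ttl >> 24, (ttl >> 16) & 0xFF, ttl & 0xFFFF, pkt[off:off + rdlen]
        off += rdlen
    return None

def check_response(probe, resp):  # probe is 'version', 'option' or 'flag'; returns 'ok' or the defect seen
    if not resp or len(resp) < 12:
        return "no reply: server drops the probe, so resolvers see a timeout"
    rcode, opt = struct.unpack("!H", resp[2:4])[0] & 0xF, find_opt(resp)
    if opt is None:
        return "no OPT RR in reply (rcode %d): EDNS not supported or stripped" % rcode
    ext, ver, flags, rdata = opt
    full_rcode = (ext << 4) | rcode  # 12-bit extended RCODE
    if probe == "version":  # RFC 6891: an unknown version gets BADVERS, with version set to the highest supported (0)
        return "ok" if (full_rcode, ver) == (BADVERS, 0) else "expected BADVERS with version 0, got rcode %d version %d" % (full_rcode, ver)
    if full_rcode not in (0, 3):  # NOERROR or NXDOMAIN are fine; FORMERR, NOTIMP, BADVERS mean the probe was rejected
        return "rcode %d: an unknown %s must be ignored, not rejected" % (full_rcode, probe)
    if probe == "option" and UNKNOWN_OPTION in rdata:
        return "unknown option echoed back instead of ignored"
    if probe == "flag" and flags & UNKNOWN_FLAG:
        return "unknown flag echoed back instead of cleared"
    return "ok"
```

To audit a delegated server, send build_packet("example.com", version=1), build_packet("example.com", options=UNKNOWN_OPTION) and build_packet("example.com", flags=UNKNOWN_FLAG) to it over UDP port 53 and pass each reply (or None on timeout) to check_response with the matching probe name.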