In message <[email protected]>, Mark Andrews writes:

> I'm curious. What are you trying to achieve by blocking EDNS version
> negotiation? Is it really too hard to return BADVERS to an EDNS
> query with version != 0 along with the version of EDNS you support
> in the version field? Are you deliberately trying to prevent the
> IETF from deciding to bump the EDNS version in the future? Do you
> have firewalls that have this behaviour hard coded? Do you even
> test for RFC compliance?
>
> Mark
>
> lostoncampus.com.au. @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> lostoncampus.com.au. @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> lostoncampus.com.au. @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> lostoncampus.com.au. @205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: [email protected]
Amazon are updating their servers/firewalls so they no longer time out.
They still need to return an EDNS response but it is a step in the right
direction. Thanks for improving the situation.

It makes for some dramatic changes in the EDNS(1) and EDNS(1) + Unknown
EDNS option failure mode and response graphs at
https://ednscomp.isc.org/compliance/summary.html

Mark

% dig soa lostoncampus.com.au @205.251.195.156 +edns=1 +noednsneg +norec

; <<>> DiG 9.11.0rc1 <<>> soa lostoncampus.com.au @205.251.195.156 +edns=1 +noednsneg +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52640
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;lostoncampus.com.au.           IN      SOA

;; ANSWER SECTION:
lostoncampus.com.au.    900     IN      SOA     ns-1222.awsdns-24.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; AUTHORITY SECTION:
lostoncampus.com.au.    172800  IN      NS      ns-1222.awsdns-24.org.
lostoncampus.com.au.    172800  IN      NS      ns-1812.awsdns-34.co.uk.
lostoncampus.com.au.    172800  IN      NS      ns-78.awsdns-09.com.
lostoncampus.com.au.    172800  IN      NS      ns-924.awsdns-51.net.

;; Query time: 132 msec
;; SERVER: 205.251.195.156#53(205.251.195.156)
;; WHEN: Thu Sep 15 10:09:42 EST 2016
;; MSG SIZE  rcvd: 237

%

Checking: 'lostoncampus.com.au' as at 2016-09-15T00:07:37Z
lostoncampus.com.au @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet
lostoncampus.com.au @205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet
lostoncampus.com.au @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet
lostoncampus.com.au @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet

The Following Tests Failed

EDNS - Unknown Version Handling (edns1)
        dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
        expect: BADVERS
        expect: OPT record with version set to 0
        expect: not to see SOA
        See RFC6891, 6.1.3. OPT Record TTL Field Use

EDNS - Unknown Version with Unknown Option Handling (edns1opt)
        dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
        expect: BADVERS
        expect: OPT record with version set to 0
        expect: not to see SOA
        expect: that the option will not be present in response
        See RFC6891

Codes
        ok - test passed.
        nsid - NSID supported.
        subnet - EDNS Client Subnet supported.
        soa - SOA record found when not expected.
        noopt - OPT record not found when expected.
        status - expected rcode status code not found.
        timeout - lookup timed out.

To retrieve this report in the future:
https://ednscomp.isc.org/ednscomp/0e5c781801

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]

