Yes please.

> On 13 Sep 2018, at 2:45 am, Anne P. Mitchell, Esq. <[email protected]> wrote:
>
> Would you like us to send this to our Qwest/CenturyLink contact?
>
> Anne P. Mitchell,
> Attorney at Law
> GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
> Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
> Legislative Consultant
> CEO/President, Institute for Social Internet Public Policy
> Legal Counsel: The CyberGreen Institute
> Legal Counsel: The Earth Law Center
> Member, California Bar Association
> Member, Cal. Bar Cyberspace Law Committee
> Member, Colorado Cyber Committee
> Member, Board of Directors, Asilomar Microcomputer Workshop
> Ret. Professor of Law, Lincoln Law School of San Jose
> Ret. Chair, Asilomar Microcomputer Workshop
>
>>
>> I know it takes some time to upgrade DNS servers to ones that are actually
>> protocol compliant but 4+ years is ridiculous. Your servers are the only
>> ones serving the Alexa top 1M sites or the GOV zone that still return BADVERS
>> to EDNS queries with an EDNS option present. This was behaviour made up by
>> your DNS vendor. The correct response to EDNS options that are not understood
>> is to IGNORE them. This allows clients and servers to deploy support for
>> new options independently of each other.
>>
>> Additionally this is breaking DNSSEC validation of the signed zones your
>> clients have you serving. They expect you to be using EDNS compliant name
>> servers for this role which you are not. No, we are not working around this
>> breakage in the resolver.
>>
>> Mark
>>
>> % dig soa frc.gov. @208.44.130.121 +norec
>>
>> ; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 59707
>> ;; flags: qr ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; Query time: 66 msec
>> ;; SERVER: 208.44.130.121#53(208.44.130.121)
>> ;; WHEN: Tue Sep 11 06:08:41 UTC 2018
>> ;; MSG SIZE rcvd: 23
>>
>> % dig soa frc.gov. @208.44.130.121 +norec +nocookie
>>
>> ; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec +nocookie
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16876
>> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;frc.gov. IN SOA
>>
>> ;; ANSWER SECTION:
>> frc.gov. 86400 IN SOA sauthns2.qwest.net. dns-admin.qwestip.net. 2180320527 10800 3600 604800 86400
>>
>> ;; AUTHORITY SECTION:
>> frc.gov. 86400 IN NS sauthns1.qwest.net.
>> frc.gov. 86400 IN NS sauthns2.qwest.net.
>>
>> ;; Query time: 66 msec
>> ;; SERVER: 208.44.130.121#53(208.44.130.121)
>> ;; WHEN: Tue Sep 11 06:19:33 UTC 2018
>> ;; MSG SIZE rcvd: 145
>>
>> % grep ednsopt=badvers reports/alexa1m.2018-08-26T00:00:06Z | grep edns=ok | awk '{print $3}' | sort -u
>> (sauthns1.qwest.net.):
>> (sauthns2.qwest.net.):
>> % grep ednsopt=badvers reports-full/gov-full.2018-09-11T00:00:06Z | grep edns=ok | awk '{print $3}' | sort -u
>> (sauthns1.qwest.net.):
>> (sauthns2.qwest.net.):
>> %
>>
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: [email protected]
>>
>
>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
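
The failure in the quoted dig output, as an added example that is not part of the original thread or of any ISC tool: it builds an EDNS version 0 query carrying a COOKIE option and decodes a reply's extended RCODE, flagging BADVERS sent in answer to a version 0 query. The function names, the cookie value and both sample messages are constructed for illustration.

```python
import struct

OPT, COOKIE, BADVERS = 41, 10, 16  # OPT RR type, COOKIE option code, extended RCODE

def build_query(qname, qtype, msg_id, options=()):
    """Wire-format query (RD clear, like +norec) with an EDNS version 0 OPT record."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 1)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    rdata = b"".join(struct.pack("!HH", c, len(v)) + v for c, v in options)
    # OPT RR: root name, type 41, class = UDP size, TTL = ext-rcode/version/flags
    return header + question + b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, len(rdata)) + rdata

def _skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += n + 1

def parse_edns(msg):
    """Return (full 12-bit RCODE, EDNS version or None if the message has no OPT)."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    rcode, version = flags & 0xF, None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            rcode |= (ttl >> 24) << 4  # upper 8 bits of the RCODE live in the OPT TTL
            version = (ttl >> 16) & 0xFF
    return rcode, version

def bogus_badvers(query, response):
    """True when a version 0 query was answered with BADVERS."""
    return parse_edns(query)[1] == 0 and parse_edns(response)[0] == BADVERS

# Constructed 23-byte reply matching the first dig output: id 59707, flags qr ad,
# no question, one OPT record with extended RCODE 16 (BADVERS), version 0.
SAMPLE_BADVERS = struct.pack("!HHHHHH", 59707, 0x8020, 0, 0, 0, 1) + \
    b"\x00" + struct.pack("!HHIH", OPT, 4096, 1 << 24, 0)
# Constructed query: SOA (type 6) for frc.gov. with a made-up 8-byte client cookie.
SAMPLE_QUERY = build_query("frc.gov.", 6, 59707, [(COOKIE, b"\x01" * 8)])

if __name__ == "__main__":
    print(parse_edns(SAMPLE_BADVERS), bogus_badvers(SAMPLE_QUERY, SAMPLE_BADVERS))
```

The header RCODE field of the BADVERS reply is 0; the value 16 only appears once the OPT TTL's top byte is combined with it, which is why a checker that reads the header alone misses this failure.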

