Can someone from Amazon please answer.

Mark Andrews marka at isc.org
Sat Aug 27 02:36:36 UTC 2016


In message <A7ED985B-B1B4-48C6-93B8-2CC969935D34 at puck.nether.net>, Jared Mauch writes:
> My personal favorite broken domain is New York State Thruway folks.
> 
> https://ednscomp.isc.org/ednscomp/cb652bc112
> 
> If you ask for AAAA of www.thruway.ny.gov it is a CNAME to www.wip.thruway.ny.gov and that
> breaks a number of DNS servers and load balancers, eg:
> 
> $ host -t aaaa www.wip.thruway.ny.gov
> ;; reply from unexpected source: 2001:558:100e:4:69:252:66:215#53, expected 2001:558:feed::1#53
> ;; reply from unexpected source: 2001:558:100e:4:69:252:66:215#53, expected 2001:558:feed::1#53
> 
> Waiting for the timeouts to occur or trying to get a robust response via TCP is problematic at best.
> 
> DNS works really well despite much of the damage from firewall vendors and ill informed consultants.
> 
> - Jared

Your tax payer dollars at work.  If you are a resident of NY state
go complain to your state representatives.  Which bureaucrat signed
off on the purchase of this piece of garbage?  Load balancers need
to answer all query types.

% dig www.wip.thruway.ny.gov @lc1.thruway.ny.gov

; <<>> DiG 9.11.0rc1 <<>> www.wip.thruway.ny.gov @lc1.thruway.ny.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59670
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.wip.thruway.ny.gov.		IN	A

;; ANSWER SECTION:
www.wip.thruway.ny.gov.	30	IN	A	66.192.38.208

;; Query time: 394 msec
;; SERVER: 161.11.122.60#53(161.11.122.60)
;; WHEN: Sat Aug 27 12:28:56 EST 2016
;; MSG SIZE  rcvd: 56

% dig www.wip.thruway.ny.gov @lc1.thruway.ny.gov aaaa

; <<>> DiG 9.11.0rc1 <<>> www.wip.thruway.ny.gov @lc1.thruway.ny.gov aaaa
;; global options: +cmd
;; connection timed out; no servers could be reached
% 

> 
> > On Aug 26, 2016, at 7:54 PM, Josh Reynolds <josh at kyneticwifi.com> wrote:
> >
> > Excellent info, thank you Mark.
> >
> > On Aug 26, 2016 6:53 PM, "Mark Andrews" <marka at isc.org> wrote:
> >
> >>
> >> In message <CAC6=tfYnPX2pGCNNjaeV+yVENypMFqf02JmD58fgJExQfZku_Q@mail.gmail.com>, Josh Reynolds writes:
> >>>
> >>> Just looking at the RFC...
> >>> -----
> >>> VERSION Indicates the implementation level of the setter. Full conformance
> >>> with this specification is indicated by version '0'. Requestors are
> >>> encouraged to set this to the lowest implemented level capable of
> >>> expressing a transaction, to minimise the responder and network load of
> >>> discovering the greatest common implementation level between requestor and
> >>> responder. A requestor's version numbering strategy MAY ideally be a
> >>> run-time configuration option. If a responder does not implement the
> >>> VERSION level of the request, then it MUST respond with RCODE=BADVERS. All
> >>> responses MUST be limited in format to the VERSION level of the request,
> >>> but the VERSION of each response SHOULD be the highest implementation level
> >>> of the responder. In this way, a requestor will learn the implementation
> >>> level of a responder as a side effect of every response, including error
> >>> responses and including RCODE=BADVERS.
> >>> -----
> >>> What am I missing, based on your output?
> >>
> >> The servers do not RESPOND to EDNS version != 0 queries.  The following
> >> sends a EDNS version 1 query and tells dig not to complete the EDNS version
> >> negotiation so you can see the BADVERS response.
> >>
> >> % dig lostoncampus.com.au. @205.251.195.156 +edns=1 +noednsneg soa
> >>
> >> ; <<>> DiG 9.11.0rc1 <<>> lostoncampus.com.au. @205.251.195.156 +edns=1 +noednsneg soa
> >> ;; global options: +cmd
> >> ;; connection timed out; no servers could be reached
> >> %
> >>
> >> A EDNS version 0 query to show reachability and that EDNS is supported.
> >>
> >> % dig lostoncampus.com.au. @205.251.195.156 +edns=0 +noednsneg soa
> >>
> >> ; <<>> DiG 9.11.0rc1 <<>> lostoncampus.com.au. @205.251.195.156 +edns=0 +noednsneg soa
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63224
> >> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
> >> ;; WARNING: recursion requested but not available
> >>
> >> ;; OPT PSEUDOSECTION:
> >> ; EDNS: version: 0, flags:; udp: 4096
> >> ;; QUESTION SECTION:
> >> ;lostoncampus.com.au.           IN      SOA
> >>
> >> ;; ANSWER SECTION:
> >> lostoncampus.com.au.    900     IN      SOA     ns-1222.awsdns-24.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
> >>
> >> ;; AUTHORITY SECTION:
> >> lostoncampus.com.au.    172800  IN      NS      ns-1222.awsdns-24.org.
> >> lostoncampus.com.au.    172800  IN      NS      ns-1812.awsdns-34.co.uk.
> >> lostoncampus.com.au.    172800  IN      NS      ns-78.awsdns-09.com.
> >> lostoncampus.com.au.    172800  IN      NS      ns-924.awsdns-51.net.
> >>
> >> ;; Query time: 126 msec
> >> ;; SERVER: 205.251.195.156#53(205.251.195.156)
> >> ;; WHEN: Sat Aug 27 09:40:29 EST 2016
> >> ;; MSG SIZE  rcvd: 248
> >>
> >> %
> >>
> >> What you should see is something like the following.  Note the
> >> version field is zero (0) and the rcode (status) field is BADVERS.
> >> This response does show a protocol error: AD should not be set in
> >> this response as there is no authenticated data.
> >>
> >> % dig . @a.root-servers.net +edns=1 +noednsneg soa
> >>
> >> ; <<>> DiG 9.11.0rc1 <<>> . @a.root-servers.net +edns=1 +noednsneg soa
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 22570
> >> ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >> ;; WARNING: recursion requested but not available
> >>
> >> ;; OPT PSEUDOSECTION:
> >> ; EDNS: version: 0, flags:; udp: 1232
> >> ;; Query time: 438 msec
> >> ;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
> >> ;; WHEN: Sat Aug 27 09:34:32 EST 2016
> >> ;; MSG SIZE  rcvd: 23
> >>
> >> %
> >>
> >> Amazon are not alone here (about 20% of servers fail to respond to
> >> EDNS version 1 queries) but they are big player so they should be
> >> doing things correctly.  See
> >> https://ednscomp.isc.org/compliance/alexa-report.html for others
> >> serving the Alexa top 1000 that get things wrong there are a lot
> >> of you out there.  There are also reports for the bottom 1000, .GOV,
> >> .AU and the root zone at https://ednscomp.isc.org along with a
> >> online compliance checker so others can test their servers.  You
> >> just need to name a zone and it will work out the rest or you can
> >> target individual servers even those not listed in the NS RRset.
> >>
> >> There is also a whole series of graphs showing failure trends for
> >> different EDNS compliance tests at
> >> https://ednscomp.isc.org/compliance/summary.html
> >>
> >> Mark
> >>
> >>> On Aug 23, 2016 6:43 PM, "Mark Andrews" <marka at isc.org> wrote:
> >>>
> >>>>
> >>>> I'm curious.  What are you trying to achieve by blocking EDNS version
> >>>> negotiation?  Is it really too hard to return BADVERS to a EDNS
> >>>> query with version != 0 along with the version of EDNS you support
> >>>> in the version field?  Are you deliberately trying to prevent the
> >>>> IETF from deciding to bump the EDNS version in the future?  Do you
> >>>> have firewalls that have this behaviour hard coded?  Do you even
> >>>> test for RFC compliance?
> >>>>
> >>>> Mark
> >>>>
> >>>> lostoncampus.com.au. @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok
> >>>> edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok
> >>>> ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> >>>> lostoncampus.com.au. @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok
> >>>> edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok
> >>>> ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> >>>> lostoncampus.com.au. @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok
> >>>> edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok
> >>>> ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> >>>> lostoncampus.com.au. @205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok
> >>>> edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok
> >>>> ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> >>>>
> >>>> --
> >>>> Mark Andrews, ISC
> >>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> >>>> PHONE:  +61 2 9871 4742                         INTERNET: marka at isc.org
> >>>>
> >>>
> >> --
> >> Mark Andrews, ISC
> >> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> >> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> >>
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
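An added example, not code from this thread or from ISC's ednscomp tool: a small Python checker for the EDNS version negotiation behaviour Mark describes. It builds the wire-format EDNS version 1 query that `dig +edns=1 +noednsneg` sends, parses the reply's OPT RR, and flags the three things his dig output illustrates: the 12-bit RCODE must be BADVERS (extended RCODE 1), the OPT version should be 0, and AD must not be set when there is no authenticated data. The replies it checks are constructed inline (`make_reply` is a hypothetical helper); the flags value 0x8120 reproduces the `qr rd ad` header of the 23-byte root-server reply quoted in the thread.

```python
import struct
OPT = 41       # OPT pseudo-RR type (RFC 6891)
BADVERS = 16   # 12-bit RCODE: OPT extended RCODE 1 with header RCODE 0

def opt_rr(udp_size, ext_rcode=0, version=0):
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE | version | flags
    return b"\0" + struct.pack("!HHIH", OPT, udp_size, (ext_rcode << 24) | (version << 16), 0)

def build_edns_query(qname, qtype, version, txid=0x1234):
    """Wire-format query with RD set and an OPT RR asking for the given EDNS version."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
            + question + struct.pack("!HH", qtype, 1) + opt_rr(4096, 0, version))

def make_reply(flags, ext_rcode, version, txid=22570):
    """Constructed 23-byte reply: empty question section, nothing but an OPT RR."""
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 1) + opt_rr(1232, ext_rcode, version)

def _skip_name(msg, off):
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    """Header RCODE merged with the OPT extended RCODE, plus the AD flag and EDNS version."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    info = {"rcode": flags & 0xF, "ad": bool(flags & 0x0020), "edns_version": None}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            info["edns_version"] = (ttl >> 16) & 0xFF
            info["rcode"] |= ((ttl >> 24) & 0xFF) << 4
    return info

def check_version1_reply(msg):
    """Findings for a reply to an EDNS version 1 query; an empty list means it is compliant."""
    info = parse_response(msg)
    checks = [(info["rcode"] != BADVERS, "RCODE is not BADVERS"),
              (info["edns_version"] != 0, "OPT version should be the highest level implemented (0)"),
              (info["ad"], "AD set in a response with no authenticated data")]
    return [text for bad, text in checks if bad]
```

A server that simply never answers, as the Route 53 servers in the thread did, produces no bytes to check at all; a socket timeout on `build_edns_query(zone, 6, 1)` is the `edns1=timeout` result ednscomp reports.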