Can someone from Amazon please answer.
Mark Andrews
marka at isc.org
Thu Sep 15 00:15:16 UTC 2016
In message <20160823233710.8DC3A5206AD7 at rock.dv.isc.org>, Mark Andrews writes:
>
> I'm curious. What are you trying to achieve by blocking EDNS version
> negotiation? Is it really too hard to return BADVERS to a EDNS
> query with version != 0 along with the version of EDNS you support
> in the version field? Are you deliberately trying to prevent the
> IETF from deciding to bump the EDNS version in the future? Do you
> have firewalls that have this behaviour hard coded? Do you even
> test for RFC compliance?
>
> Mark
>
> lostoncampus.com.au. @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> lostoncampus.com.au. @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> lostoncampus.com.au. @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> lostoncampus.com.au. @205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
Amazon are updating their servers/firewalls so they no longer
time out. They still need to return an EDNS response, but it is a
step in the right direction.
Thanks for improving the situation.
It makes for some dramatic changes in the EDNS(1) and EDNS(1) +
Unknown EDNS option failure mode and response graphs at
https://ednscomp.isc.org/compliance/summary.html
Mark
% dig soa lostoncampus.com.au @205.251.195.156 +edns=1 +noednsneg +norec
; <<>> DiG 9.11.0rc1 <<>> soa lostoncampus.com.au @205.251.195.156 +edns=1 +noednsneg +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52640
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;lostoncampus.com.au. IN SOA
;; ANSWER SECTION:
lostoncampus.com.au. 900 IN SOA ns-1222.awsdns-24.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
;; AUTHORITY SECTION:
lostoncampus.com.au. 172800 IN NS ns-1222.awsdns-24.org.
lostoncampus.com.au. 172800 IN NS ns-1812.awsdns-34.co.uk.
lostoncampus.com.au. 172800 IN NS ns-78.awsdns-09.com.
lostoncampus.com.au. 172800 IN NS ns-924.awsdns-51.net.
;; Query time: 132 msec
;; SERVER: 205.251.195.156#53(205.251.195.156)
;; WHEN: Thu Sep 15 10:09:42 EST 2016
;; MSG SIZE rcvd: 237
%
Checking: 'lostoncampus.com.au' as at 2016-09-15T00:07:37Z
lostoncampus.com.au @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet
lostoncampus.com.au @205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet
lostoncampus.com.au @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet
lostoncampus.com.au @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok edns@512tcp=ok optlist=nsid,subnet
The Following Tests Failed
EDNS - Unknown Version Handling (edns1)
dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
See RFC6891, 6.1.3. OPT Record TTL Field Use
EDNS - Unknown Version with Unknown Option Handling (edns1opt)
dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
expect: that the option will not be present in response
See RFC6891
Codes
ok - test passed.
nsid - NSID supported.
subnet - EDNS Client Subnet supported.
soa - SOA record found when not expected.
noopt - OPT record not found when expected.
status - expected rcode status code not found.
timeout - lookup timed out.
To retrieve this report in the future: https://ednscomp.isc.org/ednscomp/0e5c781801
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
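As an added example (not part of Mark's post and not ISC's ednscomp code), a small checker that classifies a reply to the edns1 probe above with the report's own codes (ok, status, noopt, soa, timeout): it parses the DNS wire format directly and, instead of live queries, builds constructed sample replies, including the "status,noopt,soa" shape the report shows. The 'version' code (OPT present but version not 0) is my addition; the zone name, ids, UDP size and SOA values in the samples are constructed.

```python
import struct
TYPE_SOA, TYPE_OPT, BADVERS = 6, 41, 16  # BADVERS: extended rcode, high 8 bits in OPT TTL, low 4 in header
def _name(s):  # dotted name -> uncompressed wire format
    return b"".join(bytes([len(l)]) + l.encode() for l in s.rstrip(".").split(".")) + b"\x00"
def _skip_name(msg, off):  # offset just past a wire name; a compression pointer (2 bytes) ends it
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)
def _records(msg):  # yield (section, rtype, ttl) for every RR after the question section
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = _skip_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            yield section, rtype, ttl
def edns1_codes(msg):
    """Codes for a reply to 'dig +edns=1 +noednsneg soa zone': expect BADVERS, an OPT
    with version 0 and no SOA. 'version' (OPT present, version != 0) is an added code."""
    if msg is None:
        return ["timeout"]
    opt_ttl, saw_soa = None, False
    for section, rtype, ttl in _records(msg):
        if rtype == TYPE_OPT:
            opt_ttl = ttl
        elif rtype == TYPE_SOA and section == "answer":
            saw_soa = True
    rcode = (msg[3] & 0x0F) | ((opt_ttl >> 24) << 4 if opt_ttl is not None else 0)
    codes = ["status"] if rcode != BADVERS else []
    if opt_ttl is None:
        codes.append("noopt")
    elif (opt_ttl >> 16) & 0xFF:
        codes.append("version")
    if saw_soa:
        codes.append("soa")
    return codes or ["ok"]
def build_response(zone, rcode, opt_version=None, answer_soa=False):  # constructed sample reply, not captured traffic
    soa = opt = b""
    if answer_soa:  # SOA rdata: mname, rname, serial/refresh/retry/expire/minimum (constructed values)
        rdata = _name("ns1." + zone) + _name("hostmaster." + zone) + struct.pack("!5I", 1, 7200, 900, 1209600, 86400)
        soa = _name(zone) + struct.pack("!HHIH", TYPE_SOA, 1, 900, len(rdata)) + rdata
    if opt_version is not None:  # OPT: root name, class = UDP size, TTL = ext-rcode | version | flags
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, (rcode >> 4) << 24 | opt_version << 16, 0)
    header = struct.pack("!6H", 0x1234, 0x8400 | (rcode & 0x0F), 1, int(answer_soa), 0, int(bool(opt)))
    return header + _name(zone) + struct.pack("!HH", TYPE_SOA, 1) + soa + opt
```

A real probe would send the query from the dig line in the report and hand the UDP payload (or None after a timeout) to edns1_codes.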