QWEST.NET can you fix your nameservers

Mark Andrews marka at isc.org
Thu Sep 15 07:31:34 UTC 2016


In case anyone is wondering why I've been harping on about EDNS
compliance, this is why.  Failure to follow the protocol can result
in DNS lookup failures.  nara.gov is signed and the recursive server
performs DNSSEC validation and sends queries with DNS COOKIEs.

BADVERS is NOT a valid response to an EDNS version 0 query.

Can you please contact your DNS vendor for a fix.

QWEST isn't the only DNS provider that has broken nameservers.  One
shouldn't have to try and contact every DNS operator to get them to
use protocol compliant servers.

Mark

;; BADCOOKIE, retrying.

; <<>> DiG 9.11.0rc1 <<>> nara.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5744
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 85faf1e39a1a6a149bebd00a57da4b266b8546c1b75015db (good)
;; QUESTION SECTION:
;nara.gov.			IN	A

;; Query time: 5000 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 15 17:17:58 EST 2016
;; MSG SIZE  rcvd: 65



Checking: 'nara.gov' as at 2016-09-15T07:16:32Z

nara.gov @63.150.72.5 (sauthns1.qwest.net.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=badvers,nosoa edns1opt=ok do=nodo ednsflags=ok edns@512tcp=ok optlist=badvers,nosoa
nara.gov @2001:428::7 (sauthns1.qwest.net.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=badvers,nosoa edns1opt=ok do=nodo ednsflags=ok edns@512tcp=ok optlist=badvers,nosoa
nara.gov @208.44.130.121 (sauthns2.qwest.net.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=badvers,nosoa edns1opt=ok do=nodo ednsflags=ok edns@512tcp=ok optlist=badvers,nosoa
nara.gov @2001:428::8 (sauthns2.qwest.net.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=badvers,nosoa edns1opt=ok do=nodo ednsflags=ok edns@512tcp=ok optlist=badvers,nosoa

The Following Tests Failed

EDNS - Unknown Option Handling (ednsopt)

dig +nocookie +norec +noad +ednsopt=100 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: that the option will not be present in response
See RFC6891, 6.1.2 Wire Format

EDNS - DO=1 (do)

dig +nocookie +norec +noad +dnssec soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: DO flag in response if RRSIG is present in response
See RFC3225

EDNS - Supported Options Probe (optlist)

dig +edns +noad +norec +nsid +subnet=0.0.0.0/0 +expire +cookie -q zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC6891

Codes

ok - test passed.
nodo - EDNS DO flag not echoed.
nosoa - SOA record not found when expected.
badvers - BADVERS returned.
To retrieve this report in the future: https://ednscomp.isc.org/ednscomp/25f2ebe619


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:	+61 2 9871 4742		         INTERNET: marka at isc.org
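
Added example, not part of the original post and not code from ISC's ednscomp tool: a Python sketch of the ednsopt check described above, building the EDNS version 0 query with unknown option 100 and classifying a reply as `badvers` and/or `nosoa`. The function names, the `example.test` zone and the sample replies are constructed for illustration.

```python
import struct

OPT, SOA, BADVERS = 41, 6, 16  # RR types, and the 12-bit extended RCODE for BADVERS

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\x00"

def opt_rr(ext_rcode=0, version=0, udp=4096, options=b""):
    # OPT "TTL" field = extended RCODE (8 bits) | version (8 bits) | flags (16 bits)
    ttl = (ext_rcode << 24) | (version << 16)
    return b"\x00" + struct.pack("!HHIH", OPT, udp, ttl, len(options)) + options

def build_query(zone, option_code=100):
    # Same shape as "dig +norec +ednsopt=100 soa zone": EDNS version 0, one unknown option
    header = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 1)
    question = encode_name(zone) + struct.pack("!HH", SOA, 1)
    return header + question + opt_rr(options=struct.pack("!HH", option_code, 0))

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def classify(msg):
    """Return the report's codes (badvers, nosoa, or ok) for a reply to build_query()."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, rcode, has_soa = 12, flags & 0xF, False
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        has_soa = has_soa or (rtype == SOA and i < an)  # SOA must be in the answer section
        if rtype == OPT:  # upper 8 bits of the RCODE are carried in the OPT TTL
            rcode |= (ttl >> 24) << 4
    return ",".join((["badvers"] if rcode == BADVERS else []) + ([] if has_soa else ["nosoa"])) or "ok"

def sample_reply(zone, broken):
    """Constructed reply, not captured traffic; broken=True mimics the failing servers."""
    soa = b"" if broken else b"\xc0\x0c" + struct.pack("!HHIH", SOA, 1, 300, 22) + b"\x00" * 22
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 0 if broken else 1, 0, 1)
    question = encode_name(zone) + struct.pack("!HH", SOA, 1)
    return header + question + soa + opt_rr(ext_rcode=1 if broken else 0)

print(classify(sample_reply("example.test", broken=True)))   # non-compliant server
print(classify(sample_reply("example.test", broken=False)))  # compliant server
```

The header RCODE alone reads NOERROR for a BADVERS reply, so a checker that ignores the OPT record's TTL field will miss the failure.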