QWEST.NET can you fix your nameservers
Mark Andrews
marka at isc.org
Thu Sep 15 07:31:34 UTC 2016
In case anyone is wondering why I've been harping on about EDNS
compliance, this is why. Failure to follow the protocol can result
in DNS lookup failures. nara.gov is signed and the recursive server
performs DNSSEC validation and sends queries with DNS COOKIEs.
BADVERS is NOT a valid response to an EDNS version 0 query.
Can you please contact your DNS vendor for a fix?
QWEST isn't the only DNS provider that has broken nameservers. One
shouldn't have to try and contact every DNS operator to get them to
use protocol-compliant servers.
Mark
;; BADCOOKIE, retrying.
; <<>> DiG 9.11.0rc1 <<>> nara.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5744
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 85faf1e39a1a6a149bebd00a57da4b266b8546c1b75015db (good)
;; QUESTION SECTION:
;nara.gov. IN A
;; Query time: 5000 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 15 17:17:58 EST 2016
;; MSG SIZE rcvd: 65
Checking: 'nara.gov' as at 2016-09-15T07:16:32Z
nara.gov @63.150.72.5 (sauthns1.qwest.net.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=badvers,nosoa edns1opt=ok do=nodo ednsflags=ok edns@512tcp=ok optlist=badvers,nosoa
nara.gov @2001:428::7 (sauthns1.qwest.net.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=badvers,nosoa edns1opt=ok do=nodo ednsflags=ok edns@512tcp=ok optlist=badvers,nosoa
nara.gov @208.44.130.121 (sauthns2.qwest.net.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=badvers,nosoa edns1opt=ok do=nodo ednsflags=ok edns@512tcp=ok optlist=badvers,nosoa
nara.gov @2001:428::8 (sauthns2.qwest.net.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=badvers,nosoa edns1opt=ok do=nodo ednsflags=ok edns@512tcp=ok optlist=badvers,nosoa
The Following Tests Failed
EDNS - Unknown Option Handling (ednsopt)
dig +nocookie +norec +noad +ednsopt=100 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: that the option will not be present in response
See RFC6891, 6.1.2 Wire Format
EDNS - DO=1 (do)
dig +nocookie +norec +noad +dnssec soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: DO flag in response if RRSIG is present in response
See RFC3225
EDNS - Supported Options Probe (optlist)
dig +edns +noad +norec +nsid +subnet=0.0.0.0/0 +expire +cookie -q zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC6891
Codes
ok - test passed.
nodo - EDNS DO flag not echoed.
nosoa - SOA record not found when expected.
badvers - BADVERS returned.
To retrieve this report in the future: https://ednscomp.isc.org/ednscomp/25f2ebe619
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
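
The ednsopt check from the report above, as an added example that is not part of the original post and is not ISC's ednscomp code: it builds the EDNS version 0 query carrying unknown option 100 and grades a reply against the listed expectations. The function names, the zone `example.` and the sample messages are constructed for illustration, and any label other than ok, badvers and nosoa is this example's own.

```python
import struct
BADVERS, OPT, SOA = 16, 41, 6  # RFC 6891 extended RCODE; RR type codes

def build_message(zone, flags=0, ext_rcode=0, options=(), soa=False):
    """Build the ednsopt query (defaults) or a constructed response for zone."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in zone.split(".") if l) + b"\0"
    msg = struct.pack("!6H", 0x1234, flags | (ext_rcode & 0xF), 1, int(soa), 0, 1)
    msg += qname + struct.pack("!2H", SOA, 1)
    if soa:  # minimal SOA rdata: mname ".", rname ".", five 32-bit fields
        rdata = b"\0\0" + struct.pack("!5I", 1, 3600, 600, 86400, 300)
        msg += qname + struct.pack("!HHIH", SOA, 1, 300, len(rdata)) + rdata
    optdata = b"".join(struct.pack("!2H", code, 0) for code in options)
    # OPT RR: root name, CLASS = UDP size, TTL = ext-rcode(8) | version(8) | flags(16)
    ttl = (ext_rcode >> 4) << 24
    return msg + b"\0" + struct.pack("!HHIH", OPT, 4096, ttl, len(optdata)) + optdata

def skip_name(msg, off):
    while msg[off] and msg[off] < 0xC0:  # walk plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] >= 0xC0 else 1)  # compression pointer or root

def check_ednsopt(resp, opt_code=100):
    """Grade a response to an EDNS(0) query that carried unknown option opt_code."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", resp[:12])
    off, rcode, version, echoed, soa = 12, flags & 0xF, None, False, False
    for _ in range(qd):
        off = skip_name(resp, off) + 4
    for i in range(an + ns + ar):
        off = skip_name(resp, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        rdata, off = resp[off + 10:off + 10 + rdlen], off + 10 + rdlen
        soa |= rtype == SOA and i < an
        if rtype == OPT:
            rcode |= (ttl >> 24) << 4  # upper 8 bits of the 12-bit RCODE
            version, p = (ttl >> 16) & 0xFF, 0
            while p + 4 <= len(rdata):
                code, length = struct.unpack("!2H", rdata[p:p + 4])
                echoed |= code == opt_code
                p += 4 + length
    # Labels other than ok/badvers/nosoa are this example's own, not from the report.
    codes = ["badvers"] if rcode == BADVERS else ["rcode=%d" % rcode] if rcode else []
    codes += [] if soa else ["nosoa"]
    codes += ["noopt"] if version is None else ["version=%d" % version] if version else []
    codes += ["echoed"] if echoed else []
    return codes or ["ok"]

# Constructed sample messages (not captured traffic); QR bit = 0x8000, AA = 0x0400.
QUERY = build_message("example.", options=[100])
BROKEN = build_message("example.", flags=0x8000, ext_rcode=BADVERS)
COMPLIANT = build_message("example.", flags=0x8400, soa=True)
```
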