EDNS compliance of servers for the Alexa Top 1M

Mark Andrews marka at isc.org
Tue May 31 06:56:19 UTC 2016


If you are an Alexa Top 1M entry or host the DNS for an Alexa Top 1M
entry you should be paying attention.

I'm focusing here on unknown EDNS option handling as ISC is about
to release a version of named which will exercise these errors in
your nameservers.  BIND 9.11.0 will ship with EDNS COOKIE enabled
by default (RFC 7873) which will appear to be an unknown EDNS option
to servers that do not understand it.

RFC 6891 states that unknown EDNS options should be ignored but that is
not always the case.

These answers are all for servers that nominally support EDNS.

You can test your servers via https://ednscomp.isc.org

Mark

232270 ednsopt=noopt

	Servers that only respond with an EDNS response if something
	else is in the EDNS query (DO=1, a known EDNS option e.g.
	ECS or NSID present).

220083 ednsopt=timeout

	The firewall is dropping queries with EDNS options present.
	
	THIS WILL CAUSE INTERMITTENT LOOKUP FAILURES.

	This stupidity needs to be fixed along with dropping queries
	due to unknown EDNS versions, unknown EDNS/DNS flags and
	unknown query types.

 64945 ednsopt=formerr,echoed,nosoa

	Failed to ignore the EDNS option.  This results in EDNS
	being disabled for the server and additional queries being
	made.  If it is serving a signed zone this may result in
	PERMANENT lookup failures if all the available servers for
	the zone exhibit this error.

 30917 ednsopt=echoed

	This is a benign failure for DNS COOKIES but could result
	in errors for other options.

  2142 ednsopt=noopt,nosoa

	This is similar to ednsopt=noopt but no SOA record was
	returned which may result in answers being treated as
	NOERROR,NODATA when they shouldn't be.

  1490 ednsopt=nosoa

	No SOA record was returned which may result in answers being
	treated as NOERROR,NODATA when they shouldn't be.

   774 ednsopt=badvers,nosoa

	BADVERS is supposed to be for EDNS version negotiation.
	Named will treat the server as not supporting EDNS.  This
	results in additional queries being made.  If it is serving
	a signed zone this may result in PERMANENT lookup failures
	if all the available servers for the zone exhibit this error.

   106 ednsopt=echoed,nosoa

	No SOA record was returned which may result in answers being
	treated as NOERROR,NODATA when they shouldn't be.  The
	echoed EDNS option is benign for DNS COOKIES but could
	result in errors for other options.

    93 ednsopt=servfail,noopt,nosoa

	Possibly a false positive due to the plain DNS query timing
	out or the server returning SERVFAIL.  If the latter this is
	unrecoverable and will result in lookup failures.

    69 ednsopt=badversion

	Absolutely bizarre response as the EDNS version was non 0.
	Probably a proxy which is not EDNS version aware.

    68 ednsopt=status,nosoa

	Unknown RCODE returned.

    54 ednsopt=badversion,echoed

	Absolutely bizarre response as the EDNS version was non 0.
	Probably a proxy which is not EDNS version aware.


    20 ednsopt=refused,nosoa

	Possibly a false positive due to the plain DNS query timing
	out or the server returning REFUSED.  If the latter this is
	unrecoverable and will result in lookup failures.

    14 ednsopt=status,noopt,nosoa

	Unknown RCODE returned.

    14 ednsopt=formerr,nosoa

	This is similar to ednsopt=formerr,echoed,nosoa above.

    13 ednsopt=nxdomain

	Possibly a false positive due to the plain DNS query timing
	out or the server returning NXDOMAIN.  If the latter this
	is unrecoverable and will result in lookup failures.

     9 ednsopt=servfail,nosoa

	This is similar to ednsopt=servfail,echoed,nosoa above.

     6 ednsopt=formerr,echoed

	This is similar to ednsopt=formerr,echoed,nosoa above.

     3 ednsopt=nxdomain,echoed,nosoa

     2 ednsopt=nxdomain,noopt

     1 ednsopt=refused,noopt,nosoa

     1 ednsopt=formerr,badversion,echoed,nosoa

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: marka at isc.org
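Added example, not part of Mark's post and not ISC's ednscomp code: a small standard-library Python probe that builds a query carrying an unknown EDNS option, parses the reply, and labels it with tags modelled on the ednsopt= column above (noopt, echoed, badversion, formerr/badvers/etc., nosoa, timeout). The option code 65001, the tag definitions (in particular "nosoa" meaning no SOA in the answer or authority section) and the constructed replies in build_response are my assumptions for illustration, not ednscomp's exact test logic.

```python
"""Probe a nameserver's handling of an unknown EDNS option (added example).
Constructed values: option code 65001 and the replies built by build_response."""
import socket
import struct

OPT_TYPE = 41
SOA_TYPE = 6
UNKNOWN_OPTION_CODE = 65001  # assumption: an unassigned option code, like a COOKIE looks to an old server
RCODE_NAMES = {1: "formerr", 2: "servfail", 3: "nxdomain", 5: "refused", 16: "badvers"}


def build_query(qname, qtype=1, option_code=UNKNOWN_OPTION_CODE, option_data=b"", txid=0x1234):
    """Wire-format query: one question plus an OPT RR carrying a single EDNS option."""
    labels = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 1)  # RD=0, 1 question, 1 additional
    question = labels + b"\x00" + struct.pack(">HH", qtype, 1)
    option = struct.pack(">HH", option_code, len(option_data)) + option_data
    # OPT RR: root owner name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags
    opt_rr = b"\x00" + struct.pack(">HHIH", OPT_TYPE, 4096, 0, len(option)) + option
    return header + question + opt_rr


def _skip_name(wire, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = wire[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2  # a compression pointer ends the name
        pos += 1 + length


def parse_response(wire):
    """Pull out rcode (with EDNS extended bits), OPT contents and whether a SOA was returned."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", wire[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(wire, pos) + 4
    info = {"rcode": flags & 0x0F, "soa_seen": False, "opt": None}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            pos = _skip_name(wire, pos)
            rtype, _, ttl, rdlen = struct.unpack(">HHIH", wire[pos:pos + 10])
            rdata = wire[pos + 10:pos + 10 + rdlen]
            pos += 10 + rdlen
            if rtype == SOA_TYPE and section in ("answer", "authority"):
                info["soa_seen"] = True
            if rtype == OPT_TYPE:
                info["rcode"] |= ((ttl >> 24) & 0xFF) << 4  # extended RCODE lives in the OPT TTL
                options, opos = [], 0
                while opos + 4 <= len(rdata):
                    code, olen = struct.unpack(">HH", rdata[opos:opos + 4])
                    options.append((code, rdata[opos + 4:opos + 4 + olen]))
                    opos += 4 + olen
                info["opt"] = {"version": (ttl >> 16) & 0xFF, "options": options}
    return info


def classify(info, option_code=UNKNOWN_OPTION_CODE):
    """Tags in the spirit of the post's ednsopt= column (my labelling, not ednscomp's).
    'badvers' is the RCODE; 'badversion' is a non-zero EDNS version in the reply."""
    if info is None:
        return ["timeout"]
    tags = []
    if info["rcode"] != 0:
        tags.append(RCODE_NAMES.get(info["rcode"], "status"))
    if info["opt"] is None:
        tags.append("noopt")
    else:
        if info["opt"]["version"] != 0:
            tags.append("badversion")
        if any(code == option_code for code, _ in info["opt"]["options"]):
            tags.append("echoed")  # RFC 6891 says unknown options must be ignored, not echoed
    if not info["soa_seen"]:
        tags.append("nosoa")
    return tags


def build_response(query, rcode=0, with_opt=True, echo_option=True, with_soa=True, version=0):
    """Constructed reply to `query` reproducing the failure modes listed in the post."""
    txid, _, qd, _, _, _ = struct.unpack(">HHHHHH", query[:12])
    qend = _skip_name(query, 12) + 4
    flags = 0x8400 | (rcode & 0x0F)  # QR=1, AA=1, low four bits of the rcode
    msg = struct.pack(">HHHHHH", txid, flags, qd, 0, int(with_soa), int(with_opt)) + query[12:qend]
    if with_soa:  # SOA in the authority section, owner = pointer to the question name
        soa_rdata = b"\x00\x00" + struct.pack(">IIIII", 1, 7200, 3600, 1209600, 3600)
        msg += b"\xC0\x0C" + struct.pack(">HHIH", SOA_TYPE, 1, 3600, len(soa_rdata)) + soa_rdata
    if with_opt:
        rdata = query[qend + 11:] if echo_option else b""  # the query's option bytes, if echoed
        ttl = ((rcode >> 4) << 24) | (version << 16)
        msg += b"\x00" + struct.pack(">HHIH", OPT_TYPE, 4096, ttl, len(rdata)) + rdata
    return msg


def probe(server_ip, qname, timeout=3.0):
    """Send the query over UDP to a server you operate; None stands for the post's 'timeout' case."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname), (server_ip, 53))
        try:
            wire, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(wire)
```

Run `classify(probe("192.0.2.1", "example.com."))` against one of your own authoritative servers; a compliant server yields an empty tag list, and `["formerr", "echoed", "nosoa"]` or `["timeout"]` corresponds to the entries Mark flags as causing failures once COOKIE is on by default.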