DNS Services for a registrar

Mark Andrews marka at isc.org
Wed Nov 2 05:44:22 UTC 2016


Route 53 have IPv6 now handled out of the .co.uk zones though they
still don't do EDNS.  Azure also mishandles EDNS.

Route 53 returns plain DNS responses when presented with an EDNS(1)
query.  This breaks validating EDNS(1) clients getting answers from
a signed zone.

Azure echoes back unknown EDNS options and returns NOERROR NODATA
to EDNS(1) queries.  This breaks EDNS(1) clients regardless of
whether the data is coming from a signed zone or not.  It also
potentially breaks any client using an EDNS option regardless of
the version of EDNS they have in the query.  It is server misbehaviour
like this that requires clients to whitelist ECS servers.  If a DNS
COOKIE client is picky it will also break them.

EDNS(0) specified how to handle EDNS(1) queries when you only support
EDNS(0) back in 1999.  It isn't hard to get it right.  It also isn't
hard to test.

Mark

harveynorman.com.au. @64.4.48.5 (ns2-05.azure-dns.net.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=echoed edns1opt=status do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
harveynorman.com.au. @13.107.24.5 (ns3-05.azure-dns.org.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=echoed edns1opt=status do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
harveynorman.com.au. @40.90.4.5 (ns1-05.azure-dns.com.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=echoed edns1opt=status do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
harveynorman.com.au. @13.107.160.5 (ns4-05.azure-dns.info.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=ok edns1opt=status do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok

energeticsinstitute.com.au. @205.251.195.234 (ns-1002.awsdns-61.net.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
energeticsinstitute.com.au. @205.251.197.70 (ns-1350.awsdns-40.org.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
energeticsinstitute.com.au. @205.251.192.97 (ns-97.awsdns-12.com.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
energeticsinstitute.com.au. @205.251.198.160 (ns-1696.awsdns-20.co.uk.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
energeticsinstitute.com.au. @2600:9000:5306:a000::1 (ns-1696.awsdns-20.co.uk.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok

Mark

In message <BLUPR05MB595CEB3D1F875F1D20D7889B4A00 at BLUPR05MB595.namprd05.prod.outlook.com>, Ryan Finnesey writes:
> Thanks everyone for their response.  We are going to use the Azure Zone
> Service.
>
> Cheers
> Ryan
>
>
> From: Matthieu Michaud <matthieu at nxdomain.fr>
> Sent: Friday, August 12, 2016 1:34 PM
> To: Ryan Finnesey <ryan at finnesey.com>
> Cc: nanog at nanog.org
> Subject: Re: DNS Services for a registrar
>
> Hi,
>
> I have been very happy with route53 while lack of IPv6 support was not an
> issue for the use case.
>
> Did you evaluate CloudFlare in PaaS solution?
> Their free plan includes DNS.
>
> Best regards,
>
>
> On Fri, Aug 12, 2016 at 7:56 AM, Ryan Finnesey
> <ryan at finnesey.com> wrote:
> We need to provide DNS services for domains we offer as a registrar.  We
> were discussing internally the different options for the deployment.
> Does anyone see a downside to using IaaS on AWS and Azure?
>
> We were also kicking around the idea of a PaaS offering and using Azure
> DNS or AWS Route 53.
>
> Cheers
> Ryan
>
>
>
> --
> Matthieu MICHAUD

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
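
The EDNS(1) check discussed in the message above, sketched as an added example that is not part of the original post or the tool that produced the report lines: it builds a query whose OPT record advertises EDNS version 1 and classifies a reply, where a compliant EDNS(0)-only server answers BADVERS with an OPT record present. The labels are this example's own, chosen to echo the "status" and "noopt" tokens in the report; `example.test`, `192.0.2.1` and the replies from `sample_reply` are constructed.

```python
import struct

BADVERS = 16  # extended RCODE a server must return for an EDNS version it lacks

def build_query(name, version=1, qtype=1):
    """DNS query for name with an OPT record advertising the given EDNS version."""
    header = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 1)  # 1 question, 1 additional
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\0"
    # OPT RR: root name, type 41, class=UDP size, TTL=ext-rcode|version|flags, rdlen 0
    opt = b"\0" + struct.pack("!HHBBHH", 41, 4096, 0, version, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, off):  # offset just past the (possibly compressed) name at off
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1

def classify(reply):
    """Problems found in a reply to an EDNS(1) query; an empty list is compliant."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    off, opt = 12, None
    for _ in range(qd):
        off = skip_name(reply, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(reply, off)
        rtype, _cls, ext, ver, _fl, rdlen = struct.unpack("!HHBBHH", reply[off:off + 10])
        if rtype == 41:
            opt = (ext, ver)
        off += 10 + rdlen
    problems = []
    if (((opt[0] << 4) if opt else 0) | (flags & 0xF)) != BADVERS:
        problems.append("status")   # RCODE is not BADVERS
    if opt is None:
        problems.append("noopt")    # plain DNS reply, no OPT record
    if an:
        problems.append("answer")   # data returned despite the unsupported version
    return problems

def sample_reply(opt_ext=None, answer=False):
    """Constructed reply for example.test; opt_ext=None omits the OPT record."""
    rrs = b""
    if answer:  # A record 192.0.2.1, owner name compressed to offset 12
        rrs += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    if opt_ext is not None:  # OPT with EDNS version 0 and the given extended RCODE
        rrs += b"\0" + struct.pack("!HHBBHH", 41, 4096, opt_ext, 0, 0, 0)
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, int(answer), 0, int(opt_ext is not None))
    return header + build_query("example.test")[12:-11] + rrs
```

To run it against a server you operate, send `build_query(...)` over UDP port 53 and pass the received bytes to `classify`.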


