Can someone from Amazon please answer.

Mark Andrews marka at isc.org
Thu Sep 15 00:15:16 UTC 2016


In message <20160823233710.8DC3A5206AD7 at rock.dv.isc.org>, Mark Andrews writes:
> 
> I'm curious.  What are you trying to achieve by blocking EDNS version
> negotiation?  Is it really too hard to return BADVERS to a EDNS
> query with version != 0 along with the version of EDNS you support
> in the version field?  Are you deliberately trying to prevent the
> IETF from deciding to bump the EDNS version in the future?  Do you
> have firewalls that have this behaviour hard coded?  Do you even
> test for RFC compliance?
> 
> Mark
> 
> lostoncampus.com.au. @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> lostoncampus.com.au. @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> lostoncampus.com.au. @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> lostoncampus.com.au. @205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE:	+61 2 9871 4742		         INTERNET: marka at isc.org

Amazon are updating their servers/firewalls so they no longer
time out.  They still need to return an EDNS response, but it is a
step in the right direction.

Thanks for improving the situation.

It makes for some dramatic changes in the EDNS(1) and EDNS(1) +
Unknown EDNS option failure mode and response graphs at
https://ednscomp.isc.org/compliance/summary.html


Mark

% dig soa lostoncampus.com.au @205.251.195.156 +edns=1 +noednsneg +norec

; <<>> DiG 9.11.0rc1 <<>> soa lostoncampus.com.au @205.251.195.156 +edns=1 +noednsneg +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52640
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;lostoncampus.com.au.		IN	SOA

;; ANSWER SECTION:
lostoncampus.com.au.	900	IN	SOA	ns-1222.awsdns-24.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; AUTHORITY SECTION:
lostoncampus.com.au.	172800	IN	NS	ns-1222.awsdns-24.org.
lostoncampus.com.au.	172800	IN	NS	ns-1812.awsdns-34.co.uk.
lostoncampus.com.au.	172800	IN	NS	ns-78.awsdns-09.com.
lostoncampus.com.au.	172800	IN	NS	ns-924.awsdns-51.net.

;; Query time: 132 msec
;; SERVER: 205.251.195.156#53(205.251.195.156)
;; WHEN: Thu Sep 15 10:09:42 EST 2016
;; MSG SIZE  rcvd: 237

% 

Checking: 'lostoncampus.com.au' as at 2016-09-15T00:07:37Z

lostoncampus.com.au @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok edns=ok edns1=status,noopt,soa edns at 512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok edns at 512tcp=ok optlist=nsid,subnet
lostoncampus.com.au @205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok edns=ok edns1=status,noopt,soa edns at 512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok edns at 512tcp=ok optlist=nsid,subnet
lostoncampus.com.au @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok edns at 512tcp=ok optlist=nsid,subnet
lostoncampus.com.au @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok edns=ok edns1=status,noopt,soa edns at 512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok edns at 512tcp=ok optlist=nsid,subnet
The Following Tests Failed

EDNS - Unknown Version Handling (edns1)

dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
See RFC6891, 6.1.3. OPT Record TTL Field Use

EDNS - Unknown Version with Unknown Option Handling (edns1opt)

dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
expect: that the option will not be present in response
See RFC6891

Codes

ok - test passed.
nsid - NSID supported.
subnet - EDNS Client Subnet supported.
soa - SOA record found when not expected.
noopt - OPT record not found when expected.
status - expected rcode status code not found.
timeout - lookup timed out.
To retrieve this report in the future: https://ednscomp.isc.org/ednscomp/0e5c781801



-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
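The edns1 and edns1opt tests in the report above boil down to three checks on the reply: extended RCODE BADVERS, an OPT record carrying version 0, and no SOA in the answer. Below is an added checker (not ednscomp's own code, and not dig output) that applies those expectations to a raw DNS reply; the two replies it feeds itself are constructed sample bytes, one shaped like the Amazon responses in the report and one shaped as RFC 6891 asks.

```python
import struct

BADVERS, TYPE_SOA, TYPE_OPT = 16, 6, 41   # BADVERS is an extended RCODE (RFC 6891, 6.1.3)

def skip_name(msg, off):
    # Skip a wire-format owner name: labels, or a 2-byte compression pointer.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def edns1_check(msg):
    # Apply the edns1 expectations above to a raw reply; return 'ok' or failure codes.
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode, off = flags & 0xF, 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    saw_soa, opt_ttl = False, None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_SOA:
            saw_soa = True
        elif rtype == TYPE_OPT:                  # TTL = ext-RCODE (bits 24-31) | version (16-23)
            opt_ttl = ttl
            rcode |= ((ttl >> 24) & 0xFF) << 4
    codes = []
    if rcode != BADVERS:
        codes.append("status")
    if opt_ttl is None:
        codes.append("noopt")
    elif (opt_ttl >> 16) & 0xFF:
        codes.append("version")                  # label chosen here; not in the code list above
    if saw_soa:
        codes.append("soa")
    return ",".join(codes) or "ok"

def build_response(rcode, with_soa, opt_version=None, ext_rcode=0):
    # Constructed reply to 'SOA lostoncampus.com.au' (sample bytes, not captured traffic).
    soa = b"\x00\x00" + struct.pack("!5I", 1, 7200, 900, 1209600, 86400)
    msg = struct.pack("!6H", 0x1234, 0x8400 | rcode, 1, int(with_soa), 0, int(opt_version is not None))
    msg += b"\x0clostoncampus\x03com\x02au\x00" + struct.pack("!HH", TYPE_SOA, 1)
    if with_soa:                                 # owner name as pointer to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, 1, 900, len(soa)) + soa
    if opt_version is not None:                  # OPT: root owner, UDP size 4096 in the class field
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, (ext_rcode << 24) | (opt_version << 16), 0)
    return msg

AMAZON_NOW = edns1_check(build_response(0, True))                             # status,noopt,soa
RFC_ANSWER = edns1_check(build_response(0, False, opt_version=0, ext_rcode=1))  # ok
```

Note that BADVERS cannot be expressed in the 4-bit header RCODE alone, which is why a reply without an OPT record fails both the status and noopt checks at once.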