QWEST you have broken DNS servers

Mark Andrews marka at isc.org
Tue Sep 11 06:30:40 UTC 2018


I know it takes some time to upgrade DNS servers to ones that are actually
protocol compliant but 4+ years is ridiculous.  Your servers are the only
ones serving the Alexa top 1M sites or the GOV zone that still return BADVERS
to EDNS queries with a EDNS option present.  This was behaviour made up by
your DNS vendor.  The correct response to EDNS options that are not understood
is to IGNORE them.  This allows clients and servers to deploy support for
new options independently of each other.

Additionally this is breaking DNSSEC validation of the signed zones your clients
have you serving.  They expect you to be using EDNS compliant name servers for
this role which you are not.  No, we are not working around this breakage in the
resolver.

Mark

% dig soa frc.gov. @208.44.130.121 +norec

; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 59707
;; flags: qr ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; Query time: 66 msec
;; SERVER: 208.44.130.121#53(208.44.130.121)
;; WHEN: Tue Sep 11 06:08:41 UTC 2018
;; MSG SIZE  rcvd: 23

% dig soa frc.gov. @208.44.130.121 +norec +nocookie

; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec +nocookie
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16876
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;frc.gov.			IN	SOA

;; ANSWER SECTION:
frc.gov.		86400	IN	SOA	sauthns2.qwest.net. dns-admin.qwestip.net. 2180320527 10800 3600 604800 86400

;; AUTHORITY SECTION:
frc.gov.		86400	IN	NS	sauthns1.qwest.net.
frc.gov.		86400	IN	NS	sauthns2.qwest.net.

;; Query time: 66 msec
;; SERVER: 208.44.130.121#53(208.44.130.121)
;; WHEN: Tue Sep 11 06:19:33 UTC 2018
;; MSG SIZE  rcvd: 145

% grep ednsopt=badvers reports/alexa1m.2018-08-26T00:00:06Z | grep edns=ok | awk '{print $3}' | sort -u 
(sauthns1.qwest.net.):
(sauthns2.qwest.net.):
% grep ednsopt=badvers reports-full/gov-full.2018-09-11T00:00:06Z  | grep edns=ok | awk '{print $3}' | sort -u
(sauthns1.qwest.net.):
(sauthns2.qwest.net.):
% 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org




More information about the NANOG mailing list