QWEST you have broken DNS servers

Anne P. Mitchell, Esq. amitchell at isipp.com
Wed Sep 12 16:45:29 UTC 2018


Would you like us to send this to our Qwest/CenturyLink contact?

Anne P. Mitchell, 
Attorney at Law
GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
CEO/President, Institute for Social Internet Public Policy
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
Member, California Bar Association
Member, Cal. Bar Cyberspace Law Committee
Member, Colorado Cyber Committee
Member, Board of Directors, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop


 
> 
> I know it takes some time to upgrade DNS servers to ones that are actually
> protocol compliant but 4+ years is ridiculous.  Your servers are the only
> ones serving the Alexa top 1M sites or the GOV zone that still return BADVERS
> to EDNS queries with an EDNS option present.  This was behaviour made up by
> your DNS vendor.  The correct response to EDNS options that are not understood
> is to IGNORE them.  This allows clients and servers to deploy support for
> new options independently of each other.
> 
> Additionally this is breaking DNSSEC validation of the signed zones your clients
> have you serving.  They expect you to be using EDNS compliant name servers for
> this role which you are not.  No, we are not working around this breakage in the
> resolver.
> 
> Mark
> 
> % dig soa frc.gov. @208.44.130.121 +norec
> 
> ; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 59707
> ;; flags: qr ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; Query time: 66 msec
> ;; SERVER: 208.44.130.121#53(208.44.130.121)
> ;; WHEN: Tue Sep 11 06:08:41 UTC 2018
> ;; MSG SIZE  rcvd: 23
> 
> % dig soa frc.gov. @208.44.130.121 +norec +nocookie
> 
> ; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec +nocookie
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16876
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;frc.gov.			IN	SOA
> 
> ;; ANSWER SECTION:
> frc.gov.		86400	IN	SOA	sauthns2.qwest.net. dns-admin.qwestip.net. 2180320527 10800 3600 604800 86400
> 
> ;; AUTHORITY SECTION:
> frc.gov.		86400	IN	NS	sauthns1.qwest.net.
> frc.gov.		86400	IN	NS	sauthns2.qwest.net.
> 
> ;; Query time: 66 msec
> ;; SERVER: 208.44.130.121#53(208.44.130.121)
> ;; WHEN: Tue Sep 11 06:19:33 UTC 2018
> ;; MSG SIZE  rcvd: 145
> 
> % grep ednsopt=badvers reports/alexa1m.2018-08-26T00:00:06Z | grep edns=ok | awk '{print $3}' | sort -u 
> (sauthns1.qwest.net.):
> (sauthns2.qwest.net.):
> % grep ednsopt=badvers reports-full/gov-full.2018-09-11T00:00:06Z  | grep edns=ok | awk '{print $3}' | sort -u
> (sauthns1.qwest.net.):
> (sauthns2.qwest.net.):
> % 
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
> 
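Added example (not from the thread and not ISC's test tooling): the BADVERS status in the first dig output is RCODE 16, which does not fit in the 4-bit header field and is split between the header and the OPT record's TTL. The Python below builds an EDNS query carrying an option, decodes the full RCODE from a 23-byte reply shaped like the one shown (constructed bytes, not a capture), and labels the result; `classify` and its label strings are assumptions modelled on the `edns=`/`ednsopt=` tags in the grep output.

```python
import struct

OPT, COOKIE, BADVERS = 41, 10, 16  # OPT RR type, COOKIE option code, extended RCODE

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype, qid, options=()):
    """Non-recursive query with an EDNS(0) OPT record carrying the given options."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = b"".join(struct.pack("!HH", c, len(v)) + v for c, v in options)
    # OPT RR: root owner, TYPE 41, CLASS = UDP size, TTL = ext-rcode | version | flags
    return header + question + b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, len(rdata)) + rdata

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1

def full_rcode(msg):
    """Header RCODE (low 4 bits) combined with the OPT extended RCODE (high 8 bits)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, ext = 12, 0
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:
            ext = ttl >> 24
        off += 10 + rdlen
    return (ext << 4) | (flags & 0xF)

def classify(plain_rcode, option_rcode):
    """Tag a server from its replies to a plain EDNS query and one carrying an option."""
    name = {0: "ok", BADVERS: "badvers"}
    return "edns=%s ednsopt=%s" % (name.get(plain_rcode, plain_rcode),
                                   name.get(option_rcode, option_rcode))

# Constructed 23-byte reply: flags qr+ad, header RCODE 0, one OPT RR with extended RCODE 1.
BADVERS_REPLY = bytes.fromhex("e93b80200000000000000001" "0000291000" "01000000" "0000")

if __name__ == "__main__":
    query = build_query("frc.gov.", 6, 59707, [(COOKIE, bytes(8))])  # constructed cookie
    print(len(query), full_rcode(BADVERS_REPLY), classify(0, full_rcode(BADVERS_REPLY)))
```

A monitor that reads only the header RCODE would record this reply as NOERROR with an empty answer, so checks for this failure need the OPT record decoded as well.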