QWEST you have broken DNS servers

Mark Andrews marka at isc.org
Wed Sep 12 22:13:32 UTC 2018


Yes please.

> On 13 Sep 2018, at 2:45 am, Anne P. Mitchell, Esq. <amitchell at isipp.com> wrote:
> 
> 
> Would you like us to send this to our Qwest/CenturyLink contact?
> 
> Anne P. Mitchell, 
> Attorney at Law
> GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
> Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
> Legislative Consultant
> CEO/President, Institute for Social Internet Public Policy
> Legal Counsel: The CyberGreen Institute
> Legal Counsel: The Earth Law Center
> Member, California Bar Association
> Member, Cal. Bar Cyberspace Law Committee
> Member, Colorado Cyber Committee
> Member, Board of Directors, Asilomar Microcomputer Workshop
> Ret. Professor of Law, Lincoln Law School of San Jose
> Ret. Chair, Asilomar Microcomputer Workshop
> 
> 
> 
>> 
>> I know it takes some time to upgrade DNS servers to ones that are actually
>> protocol compliant but 4+ years is ridiculous.  Your servers are the only
>> ones serving the Alexa top 1M sites or the GOV zone that still return BADVERS
>> to EDNS queries with an EDNS option present.  This was behaviour made up by
>> your DNS vendor.  The correct response to EDNS options that are not understood
>> is to IGNORE them.  This allows clients and servers to deploy support for
>> new options independently of each other.
>> 
>> Additionally this is breaking DNSSEC validation of the signed zones your clients
>> have you serving.  They expect you to be using EDNS compliant name servers for
>> this role which you are not.  No, we are not working around this breakage in the
>> resolver.
>> 
>> Mark
>> 
>> % dig soa frc.gov. @208.44.130.121 +norec
>> 
>> ; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 59707
>> ;; flags: qr ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> 
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; Query time: 66 msec
>> ;; SERVER: 208.44.130.121#53(208.44.130.121)
>> ;; WHEN: Tue Sep 11 06:08:41 UTC 2018
>> ;; MSG SIZE  rcvd: 23
>> 
>> % dig soa frc.gov. @208.44.130.121 +norec +nocookie
>> 
>> ; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec +nocookie
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16876
>> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
>> 
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;frc.gov.			IN	SOA
>> 
>> ;; ANSWER SECTION:
>> frc.gov.		86400	IN	SOA	sauthns2.qwest.net. dns-admin.qwestip.net. 2180320527 10800 3600 604800 86400
>> 
>> ;; AUTHORITY SECTION:
>> frc.gov.		86400	IN	NS	sauthns1.qwest.net.
>> frc.gov.		86400	IN	NS	sauthns2.qwest.net.
>> 
>> ;; Query time: 66 msec
>> ;; SERVER: 208.44.130.121#53(208.44.130.121)
>> ;; WHEN: Tue Sep 11 06:19:33 UTC 2018
>> ;; MSG SIZE  rcvd: 145
>> 
>> % grep ednsopt=badvers reports/alexa1m.2018-08-26T00:00:06Z | grep edns=ok | awk '{print $3}' | sort -u 
>> (sauthns1.qwest.net.):
>> (sauthns2.qwest.net.):
>> % grep ednsopt=badvers reports-full/gov-full.2018-09-11T00:00:06Z  | grep edns=ok | awk '{print $3}' | sort -u
>> (sauthns1.qwest.net.):
>> (sauthns2.qwest.net.):
>> % 
>> 
>> -- 
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
>> 
> 
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org



More information about the NANOG mailing list