QWEST you have broken DNS servers

Anne P. Mitchell, Esq. amitchell at isipp.com
Fri Sep 14 17:42:48 UTC 2018


From Qwest/CL:

"we are aware of the issue and expect this to be resolved next month."

 
> 
> Yes please.
> 
>> On 13 Sep 2018, at 2:45 am, Anne P. Mitchell, Esq. <amitchell at isipp.com> wrote:
>> 
>> 
>> Would you like us to send this to our Qwest/CenturyLink contact?
>> 
>> Anne P. Mitchell, 
>> Attorney at Law
>> GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
>> Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
>> Legislative Consultant
>> CEO/President, Institute for Social Internet Public Policy
>> Legal Counsel: The CyberGreen Institute
>> Legal Counsel: The Earth Law Center
>> Member, California Bar Association
>> Member, Cal. Bar Cyberspace Law Committee
>> Member, Colorado Cyber Committee
>> Member, Board of Directors, Asilomar Microcomputer Workshop
>> Ret. Professor of Law, Lincoln Law School of San Jose
>> Ret. Chair, Asilomar Microcomputer Workshop
>> 
>> 
>> 
>>> 
>>> I know it takes some time to upgrade DNS servers to ones that are actually
>>> protocol compliant but 4+ years is ridiculous.  Your servers are the only
>>> ones serving the Alexa top 1M sites or the GOV zone that still return BADVERS
>>> to EDNS queries with a EDNS option present.  This was behaviour made up by
>>> your DNS vendor.  The correct response to EDNS options that are not understood
>>> is to IGNORE them.  This allows clients and servers to deploy support for
>>> new options independently of each other.
>>> 
>>> Additionally this is breaking DNSSEC validation of the signed zones your clients
>>> have you serving.  They expect you to be using EDNS compliant name servers for
>>> this role which you are not.  No, we are not working around this breakage in the
>>> resolver.
>>> 
>>> Mark
>>> 
>>> % dig soa frc.gov. @208.44.130.121 +norec
>>> 
>>> ; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 59707
>>> ;; flags: qr ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>> 
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; Query time: 66 msec
>>> ;; SERVER: 208.44.130.121#53(208.44.130.121)
>>> ;; WHEN: Tue Sep 11 06:08:41 UTC 2018
>>> ;; MSG SIZE  rcvd: 23
>>> 
>>> % dig soa frc.gov. @208.44.130.121 +norec +nocookie
>>> 
>>> ; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec +nocookie
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16876
>>> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
>>> 
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;frc.gov.			IN	SOA
>>> 
>>> ;; ANSWER SECTION:
>>> frc.gov.		86400	IN	SOA	sauthns2.qwest.net. dns-admin.qwestip.net. 2180320527 10800 3600 604800 86400
>>> 
>>> ;; AUTHORITY SECTION:
>>> frc.gov.		86400	IN	NS	sauthns1.qwest.net.
>>> frc.gov.		86400	IN	NS	sauthns2.qwest.net.
>>> 
>>> ;; Query time: 66 msec
>>> ;; SERVER: 208.44.130.121#53(208.44.130.121)
>>> ;; WHEN: Tue Sep 11 06:19:33 UTC 2018
>>> ;; MSG SIZE  rcvd: 145
>>> 
>>> % grep ednsopt=badvers reports/alexa1m.2018-08-26T00:00:06Z | grep edns=ok | awk '{print $3}' | sort -u 
>>> (sauthns1.qwest.net.):
>>> (sauthns2.qwest.net.):
>>> % grep ednsopt=badvers reports-full/gov-full.2018-09-11T00:00:06Z  | grep edns=ok | awk '{print $3}' | sort -u
>>> (sauthns1.qwest.net.):
>>> (sauthns2.qwest.net.):
>>> % 
>>> 
>>> -- 
>>> Mark Andrews, ISC
>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
>>> 
>> 
>> 
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
> 




More information about the NANOG mailing list