QWEST you have broken DNS servers

Anne P. Mitchell, Esq. amitchell at isipp.com
Fri Sep 14 17:42:48 UTC 2018


From Qwest/CL:

"we are aware of the issue and expect this to be resolved next month."

 
> 
> Yes please.
> 
>> On 13 Sep 2018, at 2:45 am, Anne P. Mitchell, Esq. <amitchell at isipp.com> wrote:
>> 
>> 
>> Would you like us to send this to our Qwest/CenturyLink contact?
>> 
>> Anne P. Mitchell, 
>> Attorney at Law
>> GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
>> Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
>> Legislative Consultant
>> CEO/President, Institute for Social Internet Public Policy
>> Legal Counsel: The CyberGreen Institute
>> Legal Counsel: The Earth Law Center
>> Member, California Bar Association
>> Member, Cal. Bar Cyberspace Law Committee
>> Member, Colorado Cyber Committee
>> Member, Board of Directors, Asilomar Microcomputer Workshop
>> Ret. Professor of Law, Lincoln Law School of San Jose
>> Ret. Chair, Asilomar Microcomputer Workshop
>> 
>> 
>> 
>>> 
>>> I know it takes some time to upgrade DNS servers to ones that are actually
>>> protocol compliant but 4+ years is ridiculous.  Your servers are the only
>>> ones serving the Alexa top 1M sites or the GOV zone that still return BADVERS
>>> to EDNS queries with an EDNS option present.  This was behaviour made up by
>>> your DNS vendor.  The correct response to EDNS options that are not understood
>>> is to IGNORE them.  This allows clients and servers to deploy support for
>>> new options independently of each other.
>>> 
>>> Additionally this is breaking DNSSEC validation of the signed zones your clients
>>> have you serving.  They expect you to be using EDNS compliant name servers for
>>> this role which you are not.  No, we are not working around this breakage in the
>>> resolver.
>>> 
>>> Mark
>>> 
>>> % dig soa frc.gov. @208.44.130.121 +norec
>>> 
>>> ; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 59707
>>> ;; flags: qr ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>> 
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; Query time: 66 msec
>>> ;; SERVER: 208.44.130.121#53(208.44.130.121)
>>> ;; WHEN: Tue Sep 11 06:08:41 UTC 2018
>>> ;; MSG SIZE  rcvd: 23
>>> 
>>> % dig soa frc.gov. @208.44.130.121 +norec +nocookie
>>> 
>>> ; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec +nocookie
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16876
>>> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
>>> 
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;frc.gov.			IN	SOA
>>> 
>>> ;; ANSWER SECTION:
>>> frc.gov.		86400	IN	SOA	sauthns2.qwest.net. dns-admin.qwestip.net. 2180320527 10800 3600 604800 86400
>>> 
>>> ;; AUTHORITY SECTION:
>>> frc.gov.		86400	IN	NS	sauthns1.qwest.net.
>>> frc.gov.		86400	IN	NS	sauthns2.qwest.net.
>>> 
>>> ;; Query time: 66 msec
>>> ;; SERVER: 208.44.130.121#53(208.44.130.121)
>>> ;; WHEN: Tue Sep 11 06:19:33 UTC 2018
>>> ;; MSG SIZE  rcvd: 145
>>> 
>>> % grep ednsopt=badvers reports/alexa1m.2018-08-26T00:00:06Z | grep edns=ok | awk '{print $3}' | sort -u 
>>> (sauthns1.qwest.net.):
>>> (sauthns2.qwest.net.):
>>> % grep ednsopt=badvers reports-full/gov-full.2018-09-11T00:00:06Z  | grep edns=ok | awk '{print $3}' | sort -u
>>> (sauthns1.qwest.net.):
>>> (sauthns2.qwest.net.):
>>> % 
>>> 
>>> -- 
>>> Mark Andrews, ISC
>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
>>> 
>> 
>> 
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
> 
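
The check described in the quoted report, as an added example (not code from this thread or from ISC's tooling): it builds an EDNS version 0 query carrying an option the server will not know, and decodes the full 12-bit RCODE of a reply, whose upper 8 bits live in the OPT record. The function names, the option code 65001 (taken from the local/experimental range) and the reply bytes are assumptions constructed for illustration; the reply mirrors the 23-byte BADVERS answer in the first dig output.

```python
import struct

BADVERS, OPT = 16, 41    # extended RCODE 16 and the OPT pseudo-RR type (RFC 6891)
TEST_OPTION = 65001      # assumption: local/experimental code no server implements

def encode_name(name):
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def opt_rr(ext_rcode=0, version=0, options=b""):
    # CLASS holds the UDP size; TTL holds ext-RCODE (8 bits), version (8), flags (16).
    return b"\x00" + struct.pack("!HHBBHH", OPT, 4096, ext_rcode, version, 0, len(options)) + options

def build_query(qname, qtype, qid, option_code=None):
    # Non-recursive (RD=0) EDNS(0) query, optionally with one empty EDNS option.
    options = struct.pack("!HH", option_code, 0) if option_code is not None else b""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + opt_rr(options=options)

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)   # compression pointer: 2 bytes, root label: 1

def full_rcode(msg):
    # Returns (12-bit RCODE, EDNS version or None when the reply has no OPT record).
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg)
    off, rcode, version = 12, flags & 0xF, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT:
            rcode |= (ttl >> 24) << 4     # upper 8 bits of the RCODE
            version = (ttl >> 16) & 0xFF
    return rcode, version

def classify(query_version, response):
    rcode, _ = full_rcode(response)
    if rcode == BADVERS and query_version == 0:
        return "noncompliant: BADVERS for a version 0 query"
    return "ok" if rcode == 0 else "rcode=%d" % rcode

# Constructed reply: id 59707, flags qr ad, no question, one OPT record, BADVERS.
BADVERS_REPLY = struct.pack("!HHHHHH", 59707, 0x8020, 0, 0, 0, 1) + opt_rr(ext_rcode=1)
if __name__ == "__main__":
    print(classify(0, BADVERS_REPLY))
```

The header's 4-bit RCODE in that reply is 0, so a parser that ignores the OPT record would read it as NOERROR with an empty answer.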




