DNS Flag Day, Friday, Feb 1st, 2019

Mark Andrews marka at isc.org
Thu Jan 24 12:46:09 UTC 2019


We see Juniper firewalls blocking EDNS(1) and NSID by default.
We see Checkpoint firewalls blocking EDNS(1) and EDNS flags by default.
There is another vendor that blocks EDNS(1).

Juniper and Checkpoint have newer code that doesn’t do this.  The old
firewalls are still out there however.  You can see them easily when
you are doing bulk testing and mark timeouts in a different colour.

Please go look at the reports on https://ednscomp.isc.org to see how
obvious they are.  There were times in the last 4 years where over
50% of the tested servers were dropping EDNS(1) queries.  With drop
rates like that you limited the ability of the IETF to use EDNS(1) to
fix issues with EDNS correctly.  RFC 6891 would have included a
version bump except for these stupid firewalls.  The clarification of
unknown EDNS option behaviour warranted a version bump.

Blocking any of the extension mechanisms (version, flag or option) isn’t
doing anyone any benefit.  If you have a firewall that does it please
FIX IT.

> On 24 Jan 2019, at 10:13 pm, Mark Andrews <marka at isc.org> wrote:
> 
> 
> 
>> On 24 Jan 2019, at 9:02 pm, Mike Meredith <mike.meredith at port.ac.uk> wrote:
>> 
>> On Thu, 24 Jan 2019 11:22:44 +1100, Mark Andrews <marka at isc.org> may have
>> written:
>>> If you run a firewall in front of your DNS server you may be broken.
>> 
>> If you run a firewall in front of your DNS server and the firewall breaks
>> EDNS, then your firewall is broken. And has been a long, long time. I put a
>> firewall in place back in 2004, and EDNS compliance was one of the tests
>> back then.
> 
> EDNS usage has changed since then.  Back in 2004 there was zero use of EDNS
> options in queries.  That is no longer true.  NSID (RFC 5001), the first option
> to make it into mainstream code, was allocated in 2007 and that saw occasional
> use.  DNS COOKIE has been in every query named has emitted since BIND 9.11.0 and
> in late BIND 9.10 versions.  Lots of firewalls still reject it.
> 
>> -- 
>> Mike Meredith, University of Portsmouth
>> Chief Systems Engineer, Hostmaster, Security, and Timelord!
>> 
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
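Added example (not part of the original post, and not ISC's ednscomp code): a small Python prober that sends the kinds of queries this thread is about, plain EDNS(0), EDNS(1), the DO flag, NSID and DNS COOKIE, and classifies each reply so that a firewall silently dropping a query shows up as a "timeout" verdict instead of disappearing among real errors. Packet layouts follow RFC 1035, RFC 6891 (OPT RR, extended rcode, version), RFC 5001 (NSID, option code 3) and RFC 7873 (COOKIE, option code 10). The server address 192.0.2.53, the zone name and the build_reply() fixtures are constructed for offline use and are assumptions, not anything from the thread.

```python
"""EDNS bulk-probe sketch: send EDNS(0)/EDNS(1)/DO/NSID/COOKIE queries and
classify replies so firewall drops appear as 'timeout'.  Added example, not
ISC's ednscomp; server address, zone and sample replies are constructed."""
import os, socket, struct

TYPE_SOA, TYPE_OPT = 6, 41
OPT_NSID, OPT_COOKIE = 3, 10             # RFC 5001, RFC 7873
RCODE_NAMES = {1: "formerr", 2: "servfail", 3: "nxdomain", 4: "notimp",
               5: "refused", 16: "badvers"}

def encode_name(name):
    """Uncompressed wire-format name (RFC 1035 section 3.1)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(buf, off):
    """Offset just past a possibly compressed name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer
            return off + 2
        off += 1 + length

def build_opt(edns_version=0, flags=0, ext_rcode=0, options=(), udp_size=4096):
    """OPT pseudo-RR: root name, TYPE 41, CLASS = UDP size, TTL packs
    ext-rcode / version / flags (RFC 6891 section 6.1.3)."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                     for code, data in options)
    ttl = (ext_rcode << 24) | (edns_version << 16) | flags
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, len(rdata)) + rdata

def build_query(qname, qid, **opt_kwargs):
    """SOA query with RD set and one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_SOA, 1)
    return header + question + build_opt(**opt_kwargs)

def build_reply(query, rcode=0, ext_rcode=0, options=(), with_opt=True):
    """Constructed reply echoing the query ID and question (offline fixture)."""
    qid = struct.unpack_from("!H", query)[0]
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 0, 0, int(with_opt))
    opt = build_opt(ext_rcode=ext_rcode, options=options) if with_opt else b""
    return header + query[12:qend] + opt

def classify(query, reply):
    """Verdict for one probe: (rcode name or 'ok'/'noedns'/'timeout'/'bogus',
    tuple of option codes echoed in the reply's OPT RR)."""
    if reply is None:
        return ("timeout", ())           # what a firewall drop looks like
    qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", reply, 0)
    if qid != struct.unpack_from("!H", query)[0] or not flags & 0x8000:
        return ("bogus", ())
    rcode, off = flags & 0xF, 12
    for _ in range(qd):
        off = skip_name(reply, off) + 4
    opt_ttl, codes = None, []
    for _ in range(an + ns + ar):
        off = skip_name(reply, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", reply, off)
        off += 10
        if rtype == TYPE_OPT:
            opt_ttl, o = ttl, off
            while o < off + rdlen:
                code, olen = struct.unpack_from("!HH", reply, o)
                codes.append(code)
                o += 4 + olen
        off += rdlen
    if opt_ttl is not None:              # upper 4 rcode bits live in OPT TTL
        rcode |= (opt_ttl >> 24) << 4
    if rcode:
        return (RCODE_NAMES.get(rcode, "rcode%d" % rcode), tuple(codes))
    return ("ok" if opt_ttl is not None else "noedns", tuple(codes))

PROBES = {
    "edns0":  {},
    "edns1":  {"edns_version": 1},       # compliant answer is badvers
    "do":     {"flags": 0x8000},         # DO bit, the EDNS flag in common use
    "nsid":   {"options": [(OPT_NSID, b"")]},
    "cookie": {"options": [(OPT_COOKIE, os.urandom(8))]},
}

def probe(server, qname, timeout=2.0):
    """Run every probe over UDP against one server; returns name -> verdict."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for name, kw in PROBES.items():
            query = build_query(qname, struct.unpack("!H", os.urandom(2))[0], **kw)
            s.sendto(query, (server, 53))
            try:
                reply, _ = s.recvfrom(4096)
            except socket.timeout:
                reply = None
            results[name] = classify(query, reply)
    return results

if __name__ == "__main__":
    print(probe("192.0.2.53", "example.com."))   # constructed server address
```

A compliant server answers the edns1 probe with BADVERS (extended rcode 1 carried in the upper byte of the OPT TTL, header rcode 0) and echoes NSID and COOKIE options in its OPT RR; a timeout on edns1, nsid or cookie while edns0 answers normally is the firewall signature the message above describes, and is what colouring timeouts differently in a bulk run makes visible.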