There are stupid firewalls that drop DNS queries with the last reserved bit set. This should be ignored by the nameserver.

There are stupid firewalls that drop DNS queries with DO=1. This breaks DNSSEC. Most of these are gone now but some still exist. They took years to effectively remove from the eco-system and in the meantime resolver vendors had to code around them.

There are stupid firewalls that drop DNS queries with AD=1. This breaks RFC 6840, AD signalling that answers are secure.

There are stupid firewalls that drop DNS queries with an EDNS flag bit set. This breaks RFC 2671/RFC 6891. Documented as to be ignored.

There are stupid firewalls that drop DNS queries with an EDNS version not equal to zero. This breaks RFC 2671/RFC 6891 EDNS version negotiation. BADVERS is the documented response. If you send EDNS(0) to a non-EDNS-aware server there is no reason to not let through EDNS(1), as they are equally as "dangerous" to such a server. If the server is EDNS aware it should just return BADVERS.

There are stupid firewalls that drop DNS queries with unknown EDNS options. This breaks RFC 6891 (RFC 2671 was silent on this). Unknown options are supposed to be ignored.

There are stupid firewalls that drop DNS queries that are not in some type list. This breaks RFC 1034/RFC 1035. The DNS is a query response protocol.

These firewalls are not providing any "security" benefit to anyone by doing this. All they are doing is stuffing up the ability to deploy protocol extensions. They require resolver vendors to deploy hacks to try to determine whether the packet loss is due to a DNS feature or just normal packet loss due to congestion / bad checksums. They make DNS resolution slower and cause DNSSEC validation to fail when the hacks make the wrong determination of the packet loss causes.

You can find graphs which show a lot of this breakage here as well as a tester. See https://ednscomp.isc.org/

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
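As an added illustration of the wire-level features the post lists (this is example code written for this page, not Mark Andrews' or ISC's code, and it is not the ednscomp tester), the following standard-library Python builds DNS queries with each of those features toggled, decodes them back, names which "firewall-sensitive" features a packet carries, and constructs the BADVERS reply that RFC 6891 prescribes for an unsupported EDNS version. Nothing is sent on the network. `SHORT_TYPE_LIST` is a constructed stand-in for the kind of "type list" such firewalls enforce, and option code 65000 is used below only as a constructed example of an option code a middlebox would not recognise.

```python
"""Build and decode DNS queries to expose the bits that EDNS-hostile firewalls
drop on: reserved header bit, AD, DO, EDNS version, unknown options, qtype."""
import struct

TYPE_OPT = 41                     # OPT pseudo-RR carrying EDNS (RFC 6891)
RCODE_BADVERS = 16                # extended RCODE "unsupported EDNS version"
FLAG_QR, FLAG_RD = 0x8000, 0x0100
FLAG_Z, FLAG_AD = 0x0040, 0x0020  # Z is the last reserved header bit (AD/CD took the others)
DO_BIT = 0x8000                   # DNSSEC OK, high bit of the EDNS flags in the OPT TTL
KNOWN_OPTIONS = {3, 8, 10, 11, 12}  # NSID, client-subnet, COOKIE, TCP keepalive, padding
SHORT_TYPE_LIST = {1, 2, 5, 6, 12, 15, 16, 28, 33}  # constructed example of a "type list"


def encode_name(name):
    """Dotted name -> length-prefixed labels; "." encodes as a single zero byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(pkt, off):
    """Decode a name at `off`, following RFC 1035 compression pointers."""
    labels = []
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                      # pointer: finish the name elsewhere
            tail, _ = decode_name(pkt, struct.unpack_from("!H", pkt, off)[0] & 0x3FFF)
            return ".".join(labels + [lab for lab in tail.split(".") if lab]) + ".", off + 2
        if n == 0:
            return ".".join(labels) + ".", off + 1
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_query(qname, qtype=1, qid=0x1234, z=False, ad=False, edns=True,
                version=0, do=False, options=(), payload=4096):
    """Build a query; each keyword argument toggles one feature named in the post."""
    flags = FLAG_RD | (FLAG_Z if z else 0) | (FLAG_AD if ad else 0)
    pkt = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if edns else 0)
    pkt += encode_name(qname) + struct.pack("!HH", qtype, 1)          # class IN
    if edns:
        rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
        ttl = (version << 16) | (DO_BIT if do else 0)                # ext-rcode 0 in a query
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, payload, ttl, len(rdata)) + rdata
    return pkt


def build_badvers_response(query_pkt, supported_version=0):
    """RFC 6891 reply to an unsupported EDNS version: RCODE 16 is split between the
    header's low 4 bits (0) and the OPT ext-rcode (1); the OPT advertises the
    highest version the server supports."""
    q = parse_query(query_pkt)
    pkt = struct.pack("!HHHHHH", q["id"], FLAG_QR | FLAG_RD | (RCODE_BADVERS & 0xF), 1, 0, 0, 1)
    pkt += encode_name(q["qname"]) + struct.pack("!HH", q["qtype"], 1)
    ttl = ((RCODE_BADVERS >> 4) << 24) | (supported_version << 16)
    return pkt + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl, 0)


def parse_query(pkt):
    """Decode header, question and any OPT RR into a dict of the interesting fields."""
    qid, flags, _, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    qname, off = decode_name(pkt, 12)
    info = {"id": qid, "qname": qname, "qtype": struct.unpack_from("!H", pkt, off)[0],
            "z": bool(flags & FLAG_Z), "ad": bool(flags & FLAG_AD),
            "rcode": flags & 0xF, "edns": None}
    off += 4                                      # skip qtype + qclass
    for _ in range(an + ns + ar):                 # walk the remaining RRs looking for OPT
        _, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TYPE_OPT:
            opts, o = [], 0
            while o + 4 <= len(rdata):
                code, ln = struct.unpack_from("!HH", rdata, o)
                opts.append((code, rdata[o + 4:o + 4 + ln]))
                o += 4 + ln
            info["edns"] = {"payload": rclass, "version": (ttl >> 16) & 0xFF,
                            "do": bool(ttl & DO_BIT), "options": opts}
            info["rcode"] |= (ttl >> 24) << 4   # ext-rcode supplies the upper 8 RCODE bits
    return info


def firewall_sensitive_features(info):
    """List which of the features the post names are present in a parsed packet."""
    found, e = [], info["edns"]
    if info["z"]:
        found.append("header Z (reserved) bit set: a nameserver must ignore it")
    if info["ad"]:
        found.append("header AD bit set: RFC 6840 signalling")
    if e:
        if e["do"]:
            found.append("EDNS DO bit set: DNSSEC")
        if e["version"] != 0:
            found.append(f"EDNS version {e['version']}: correct reply is BADVERS, not a drop")
        for code, _ in e["options"]:
            if code not in KNOWN_OPTIONS:
                found.append(f"unknown EDNS option {code}: RFC 6891 says ignore it")
    if info["qtype"] not in SHORT_TYPE_LIST:
        found.append(f"qtype {info['qtype']} is outside a short type list")
    return found
```

Running `firewall_sensitive_features(parse_query(build_query("example.com.", z=True, ad=True, version=1, do=True, options=[(65000, b"probe")])))` lists all five EDNS/header features at once, while a plain `build_query("example.com.")` yields an empty list; a middlebox that drops the former but passes the latter is filtering on exactly the bits the post describes. The BADVERS builder shows why a version-1 query is harmless to a conforming server: the correct reaction is a normal reply with the extended RCODE set, not silence.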