20732 is a little small for an experimental option code but the server should be ignoring it anyway if it doesn't understand it.
Firewalls are just too picky over DNS queries. It is well formed; it should be passed. Let the nameserver behind deal with it. About 5-6% of nameserver / firewall combinations get this wrong. There are well defined behaviours specified in RFC 6891 for how to handle unknown EDNS options, versions and flags. The firewall doesn't need to scrub queries setting any of these. If your nameserver / firewall is not doing the right thing then you need to FIX IT!

I'm going to be talking about EDNS compliance at IETF, but if you want to see some pretty graphs: http://users.isc.org/~marka/ts.html. Look for the Firewalls by Type graphs. The kinks in the AU graphs at the end are due to the graphs being done on partial datasets. The run takes a little over 24 hours to complete and the properties are not uniform over the dataset, so disregard the last data point.

Mark

In message <caeu_gmez8jcgw8adkir8cdp0ackivvfwuyvy1rpv4jkd9dt...@mail.gmail.com>, Mohamed Lrhazi writes:
> F5 are asking me for time to debug.. while Google is saying "All our
> appliances do this, nobody else is complaining...".. Just saying, I prefer
> the former response so far.
>
> Thanks,
> Mohamed.
>
> On Fri, Oct 10, 2014 at 3:20 PM, Jared Mauch <[email protected]> wrote:
>
> > On Oct 10, 2014, at 2:54 PM, Hugo Salgado <[email protected]> wrote:
> >
> > > On 10/10/2014 03:24 PM, Roland Dobbins wrote:
> > >>
> > >> On Oct 11, 2014, at 1:07 AM, Mohamed Lrhazi <[email protected]> wrote:
> > >>
> > >>> The appliance vendor, Google, tells me that edns0 opt code 20732 must
> > >>> be "the service name", whatever that means....
> > >>
> > >> I don't know what that means in the context of a non-SRV query . . .
> > >> can you turn off the F5's 'malformed DNS query' scrubbing and see what
> > >> happens?
> > >>
> > >
> > > Well... F5 is known for misbehavior with its aggressive filtering,
> > > even with AAAA records some time ago:
> > > http://hugo.salga.do/post/50030273426/quad-a-blocking-in-dns
> >
> > I've never had success with F5 and DNS packet handling properly going all
> > the way back to Nov 1998 timeframe. One of their engineers was
> > troubleshooting it in our offices of my employer at the time and ended up
> > upset and saying "why doesn't this work" when it was broken vs being able
> > to properly triage it.
> >
> > I'm expecting someone from F5 to email me because at the time when I
> > posted about the issue on NANOG they were aggressive in trying to defend a
> > public view of their product and legitimate technical problems.
> >
> > - Jared
> > _______________________________________________
> > dns-operations mailing list
> > [email protected]
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> > dns-jobs mailing list
> > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
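As an added example (not code from the thread or from ISC), here is the RFC 6891 responder behaviour Mark refers to for the three cases he names: unknown option codes are ignored, an unsupported EDNS version gets BADVERS, and unknown Z flag bits are ignored. It is a stdlib-only OPT RR builder/parser; the "known" option set {8, 10} (Client Subnet, Cookie) is an arbitrary choice for the example, 20732 is the option code from the thread, and the option payload is constructed.

```python
import struct

# RFC 6891 values (real): OPT RR type, BADVERS extended RCODE, DO bit of the flags field.
OPT_TYPE = 41
RCODE_NOERROR, RCODE_BADVERS = 0, 1
DO_BIT = 0x8000                  # every other bit of the 16-bit flags field is "Z"
EDNS_VERSION_SUPPORTED = 0

def build_opt_rr(udp_size=4096, version=0, flags=0, options=()):
    """Wire-format OPT pseudo-RR (RFC 6891 section 6.1.2) carrying the given options."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    ttl = (version << 16) | flags    # TTL field = EXTENDED-RCODE(8) | VERSION(8) | DO+Z(16)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, len(rdata)) + rdata

def parse_opt_rr(wire):
    """Return (udp_size, ext_rcode, version, flags, [(code, data), ...]) from an OPT RR."""
    if wire[0] != 0:
        raise ValueError("OPT owner name must be the root")
    rtype, udp_size, ttl, rdlen = struct.unpack("!HHIH", wire[1:11])
    if rtype != OPT_TYPE:
        raise ValueError("not an OPT RR")
    rdata, options, pos = wire[11:11 + rdlen], [], 0
    while pos < len(rdata):
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        options.append((code, rdata[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return udp_size, ttl >> 24, (ttl >> 16) & 0xFF, ttl & 0xFFFF, options

def respond(opt_wire, known_codes=frozenset({8, 10})):
    """What an RFC 6891-compliant responder does with a query's OPT RR.
    Returns (rcode, version_for_reply, options_acted_on). Only an unsupported
    VERSION changes the outcome (BADVERS); unknown option codes and unknown
    Z flag bits are silently ignored, never grounds for rejecting the query."""
    _udp, _ext, version, flags, options = parse_opt_rr(opt_wire)
    if version > EDNS_VERSION_SUPPORTED:
        # section 6.1.3: answer BADVERS and advertise the highest version we speak
        return RCODE_BADVERS, EDNS_VERSION_SUPPORTED, []
    # section 6.1.4: bits of `flags` other than DO are Z and are ignored here
    # section 6.1.2: option codes we do not understand are skipped, not rejected
    acted_on = [(c, d) for c, d in options if c in known_codes]
    return RCODE_NOERROR, EDNS_VERSION_SUPPORTED, acted_on

# Constructed query OPT RR like the one in the thread: option code 20732, which this
# server has no handler for. A compliant server answers normally and drops the option.
QUERY_WITH_20732 = build_opt_rr(options=[(20732, b"example-service-name")])
```

A middlebox that drops QUERY_WITH_20732 as "malformed" is the nameserver/firewall misbehaviour the thread is about; the query parses cleanly and the server would simply answer it.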
