In message <caeu_gmdjuz5pn5ae9w850dnd5vjummrlzw0t+v1thuzekgq...@mail.gmail.com>, Mohamed Lrhazi writes:

> Thanks Mark. Where do I get the dig with +ednsopt ?

https://source.isc.org

You will need the master branch; +ednsopt will be in BIND 9.11.
dig +sit / +nsid / +expire all add EDNS options to the query and are
available in BIND 9.10.

> root@5df5dd95aeae:/# dig -v
> DiG 9.10.1
> root@5df5dd95aeae:/# dig -h|grep edns
>                  +subnet=addr        (Set edns-client-subnet option)
>                  +[no]edns[=###]     (Set EDNS version) [0]
> root@5df5dd95aeae:/#
> root@5df5dd95aeae:/# dig +ednsopt=100
> Invalid option: +ednsopt=100
>
> On Fri, Oct 10, 2014 at 6:10 PM, Mark Andrews <[email protected]> wrote:
>
> > 20732 is a little small for an experimental option code but the server
> > should be ignoring it anyway if it doesn't understand it.
> >
> > Firewalls are just too picky over DNS queries. It is well formed;
> > it should be passed. Let the nameserver behind deal with it. About
> > 5-6% of nameserver / firewall combinations get this wrong. There
> > are well defined behaviours specified in RFC 6891 for how to handle
> > unknown EDNS options, versions and flags. The firewall doesn't
> > need to scrub queries setting any of these.
> >
> > If your nameserver / firewall is not doing the right thing then
> > you need to FIX IT!
> >
> > I'm going to be talking about EDNS compliance at IETF but if you
> > want to see some pretty graphs http://users.isc.org/~marka/ts.html.
> >
> > Look for the Firewalls by Type graphs.
> >
> > The kinks in the AU graphs at the end are due to the graphs being
> > done on partial datasets. The run takes a little over 24 hours to
> > complete and the properties are not uniform over the dataset so
> > disregard the last data point.
> >
> > Mark
> >
> > In message <caeu_gmez8jcgw8adkir8cdp0ackivvfwuyvy1rpv4jkd9dt...@mail.gmail.com>, Mohamed Lrhazi writes:
> > >
> > > F5 are asking me for time to debug.. while Google is saying "All our
> > > appliances do this, nobody else is complaining...".. Just saying, I prefer
> > > the former response so far.
> > >
> > > Thanks,
> > > Mohamed.
> > >
> > > On Fri, Oct 10, 2014 at 3:20 PM, Jared Mauch <[email protected]> wrote:
> > > >
> > > > On Oct 10, 2014, at 2:54 PM, Hugo Salgado <[email protected]> wrote:
> > > > >
> > > > > On 10/10/2014 03:24 PM, Roland Dobbins wrote:
> > > > > >
> > > > > > On Oct 11, 2014, at 1:07 AM, Mohamed Lrhazi <[email protected]> wrote:
> > > > > >
> > > > > > > The appliance vendor, Google, tells me that edns0 opt code 20732 must
> > > > > > > be "the service name", whatever that means....
> > > > > >
> > > > > > I don't know what that means in the context of a non-SRV query . . .
> > > > > > can you turn off the F5's 'malformed DNS query' scrubbing and see what
> > > > > > happens?
> > > > >
> > > > > Well... F5 is known for misbehavior with its aggressive filtering,
> > > > > even with AAAA records some time ago:
> > > > > http://hugo.salga.do/post/50030273426/quad-a-blocking-in-dns
> > > >
> > > > I've never had success with F5 and DNS packet handling properly going all
> > > > the way back to Nov 1998 timeframe. One of their engineers was
> > > > troubleshooting it in our offices of my employer at the time and ended up
> > > > upset and saying “why doesn't this work” when it was broken vs being able
> > > > to properly triage it.
> > > >
> > > > I'm expecting someone from F5 to email me because at the time when I
> > > > posted about the issue on NANOG they were aggressive in trying to defend a
> > > > public view of their product and legitimate technical problems.
> > > >
> > > > - Jared
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
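The RFC 6891 behaviour Mark refers to, as an added example that is not part of the thread and is neither BIND nor dig code: a Python encoder and parser for the EDNS(0) OPT pseudo-RR that judges a query the way a compliant responder should, treating the unknown option code 20732 from the thread as well formed and to be ignored, answering an unsupported EDNS version with BADVERS, and reserving FORMERR for encodings that are actually broken. The option payload bytes are constructed; the option-code names come from the IANA EDNS option registry.

```python
import struct

OPT_TYPE = 41  # RFC 6891: the OPT pseudo-RR type code
# Registered option codes relevant to this thread (IANA EDNS option registry)
KNOWN_OPTIONS = {3: "NSID", 8: "edns-client-subnet", 9: "EXPIRE", 10: "COOKIE"}


def option_label(code):
    """Name a code, marking the RFC 6891 local/experimental range."""
    if code in KNOWN_OPTIONS:
        return KNOWN_OPTIONS[code]
    return "local/experimental" if 65001 <= code <= 65534 else "unassigned"


def build_opt_rr(udp_size=4096, version=0, do=False, options=()):
    """Encode an OPT pseudo-RR (RFC 6891 6.1.2): root NAME, TYPE 41,
    CLASS = requestor's UDP payload size, TTL = ext-RCODE|version|DO/Z,
    RDATA = sequence of {code, length, data} option TLVs."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                     for code, data in options)
    ttl = (version << 16) | (0x8000 if do else 0)
    return (b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, len(rdata))
            + rdata)


def parse_opt_rr(buf):
    """Parse one OPT RR and return (verdict, options) as an RFC 6891
    responder should judge it: "ok" (well formed; unknown options are
    ignored, not rejected), "badvers" (unsupported EDNS version, answer
    with RCODE BADVERS) or "formerr" (the encoding itself is broken)."""
    if len(buf) < 11 or buf[0] != 0:
        return "formerr", []
    rtype, _udp_size, ttl, rdlen = struct.unpack("!HHIH", buf[1:11])
    rdata = buf[11:11 + rdlen]
    if rtype != OPT_TYPE or len(rdata) != rdlen:
        return "formerr", []
    if ((ttl >> 16) & 0xFF) != 0:
        return "badvers", []
    options, pos = [], 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            return "formerr", []
        code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
        data = rdata[pos + 4:pos + 4 + olen]
        if len(data) != olen:  # option claims more bytes than RDATA holds
            return "formerr", []
        # Unknown codes are still well formed: the server MUST ignore them,
        # so a middlebox has no standards basis for dropping the query.
        action = "process" if code in KNOWN_OPTIONS else "ignore"
        options.append((code, option_label(code), action))
        pos += 4 + olen
    return "ok", options


if __name__ == "__main__":
    # Constructed sample: the unassigned code 20732 from the thread plus NSID
    good = build_opt_rr(options=[(20732, b"constructed-data"), (3, b"")])
    print(parse_opt_rr(good))
    print(parse_opt_rr(build_opt_rr(version=1)))
    print(parse_opt_rr(good[:-1]))  # truncated RDATA -> formerr
```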
