EDNS(0) queries to the (protocol-violating w.r.t. unexpected QTYPES)
nameservers for mail.protection.outlook.com, which don't support EDNS(0),
elicit a response which fails to include a copy of the original question
(see below).  Is this valid?

My response validation logic checks not only the source IP and transaction id,
but also looks for a matching question, and discards the response otherwise, so
I don't see the FORMERR, and retry without EDNS(0) when the server leaves out
the question.

MUST servers reflect the question (on error?) or can they leave it out?  Is
FORMERR special in this regard (not being an answer to a question), but an
error processing my query packet?

FWIW, "unbound-host" handles the "empty" FORMERR response, and retries the
query without EDNS.  Is unbound-host doing what's expected, or employing
a work-around for known breakage?

-- 
    Viktor.

Domain Name System (query)
    Transaction ID: 0x2acf
    Flags: 0x0020 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..1. .... = AD bit: Set
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        _25._tcp.nist-gov.mail.protection.outlook.com: type TLSA, class IN
            Name: _25._tcp.nist-gov.mail.protection.outlook.com
            [Name Length: 45]
            [Label Count: 7]
            Type: TLSA (52)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (41)
            UDP payload size: 1232
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x0000
                0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
                .000 0000 0000 0000 = Reserved: 0x0000
            Data length: 0

Domain Name System (response)
    Transaction ID: 0x2acf
    Flags: 0x8001 Standard query response, Format error
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0001 = Reply code: Format error (1)
    Questions: 0
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
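As an added example (not code from Viktor's post, nor from unbound or any other resolver), here is a small stand-alone model of the validation logic the post describes: check the transaction ID, require the question section to match the query, and treat a FORMERR with no question section as the known non-EDNS breakage worth a retry without OPT. The query and the 12-byte FORMERR reply are constructed to match the captured exchange above; the function names and the three-way verdict are my own choices.

```python
import struct

FORMERR, TLSA, OPT = 1, 52, 41

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def parse_question(msg, off=12):
    """Return (name, qtype, qclass) of the first question. The question is the first
    name in the message, so it is never written as a compression pointer."""
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode().lower())
        off += 1 + msg[off]
    qtype, qclass = struct.unpack("!HH", msg[off + 1:off + 5])
    return ".".join(labels), qtype, qclass

def build_query(txid, name, qtype, edns=True):
    """Query shaped like the captured one: AD bit set, one question, OPT with a 1232-byte payload."""
    hdr = struct.pack("!HHHHHH", txid, 0x0020, 1, 0, 0, 1 if edns else 0)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 1232, 0, 0) if edns else b""
    return hdr + encode_name(name) + struct.pack("!HH", qtype, 1) + opt

def build_response(txid, rcode, name=None, qtype=TLSA):
    """Reply header with QR set; echoes the question only when a name is given."""
    hdr = struct.pack("!HHHHHH", txid, 0x8000 | rcode, 1 if name else 0, 0, 0, 0)
    return hdr + (encode_name(name) + struct.pack("!HH", qtype, 1) if name else b"")

def classify_response(query, resp):
    """Resolver-side verdict for resp: 'accept', 'discard', or 'retry-without-edns'."""
    qid, _, _, _, _, q_arcount = struct.unpack("!HHHHHH", query[:12])
    rid, flags, r_qdcount = struct.unpack("!HHH", resp[:6])
    if rid != qid or not flags & 0x8000:
        return "discard"                    # wrong transaction ID, or not a response at all
    if r_qdcount == 0:
        # No question echoed back. Only a FORMERR to a query that carried OPT is treated
        # as the known EDNS breakage; any other reply without a question is dropped.
        if flags & 0x000F == FORMERR and q_arcount:
            return "retry-without-edns"
        return "discard"
    return "accept" if parse_question(query) == parse_question(resp) else "discard"

# Constructed from the captured exchange: TLSA query with EDNS(0), 12-byte FORMERR reply.
QNAME = "_25._tcp.nist-gov.mail.protection.outlook.com"
QUERY = build_query(0x2ACF, QNAME, TLSA)
EMPTY_FORMERR = build_response(0x2ACF, FORMERR)   # flags 0x8001, all section counts 0

if __name__ == "__main__":
    print(classify_response(QUERY, EMPTY_FORMERR))            # retry-without-edns
    print(classify_response(QUERY, build_response(0x2ACF, 0, QNAME)))  # accept
```

Because the empty FORMERR carries nothing but a transaction ID, the retry decision here rests on the query having sent OPT; a resolver that instead wants strict matching simply returns "discard" in that branch, which is the behaviour the post describes.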
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations