FORMERR without a question section is valid. What happens when you can’t decode the question section? If the question section is there and it is a QUERY then the question should match.
> On 18 Nov 2019, at 20:06, Viktor Dukhovni <[email protected]> wrote:
>
> EDNS(0) queries to the (protocol-violating w.r.t. to unexpected QTYPES)
> nameservers for mail.protection.outlook.com, which don't support EDNS(0),
> elicit a response which fails to include a copy of the original question
> (see below). Is this valid?
>
> My response validation logic checks not only the source IP and transaction id,
> but also looks for a matching question, and discards the response otherwise, so
> I don't see the FORMERR, and retry without EDNS(0) when the server leaves out
> the question.
>
> MUST servers reflect the question (on error?) or can they leave it out? Is
> FORMERR special in this regard (not being an answer to a question), but an
> error processing my query packet?
>
> FWIW, "unbound-host" handles the "empty" FORMERR response, and retries the
> query without EDNS. Is unbound-host doing what's expected, or employing
> a work-around for known breakage?
>
> --
> Viktor.
>
> Domain Name System (query)
>     Transaction ID: 0x2acf
>     Flags: 0x0020 Standard query
>         0... .... .... .... = Response: Message is a query
>         .000 0... .... .... = Opcode: Standard query (0)
>         .... ..0. .... .... = Truncated: Message is not truncated
>         .... ...0 .... .... = Recursion desired: Don't do query recursively
>         .... .... .0.. .... = Z: reserved (0)
>         .... .... ..1. .... = AD bit: Set
>         .... .... ...0 .... = Non-authenticated data: Unacceptable
>     Questions: 1
>     Answer RRs: 0
>     Authority RRs: 0
>     Additional RRs: 1
>     Queries
>         _25._tcp.nist-gov.mail.protection.outlook.com: type TLSA, class IN
>             Name: _25._tcp.nist-gov.mail.protection.outlook.com
>             [Name Length: 45]
>             [Label Count: 7]
>             Type: TLSA (52)
>             Class: IN (0x0001)
>     Additional records
>         <Root>: type OPT
>             Name: <Root>
>             Type: OPT (41)
>             UDP payload size: 1232
>             Higher bits in extended RCODE: 0x00
>             EDNS0 version: 0
>             Z: 0x0000
>                 0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
>                 .000 0000 0000 0000 = Reserved: 0x0000
>             Data length: 0
>
> Domain Name System (response)
>     Transaction ID: 0x2acf
>     Flags: 0x8001 Standard query response, Format error
>         1... .... .... .... = Response: Message is a response
>         .000 0... .... .... = Opcode: Standard query (0)
>         .... .0.. .... .... = Authoritative: Server is not an authority for domain
>         .... ..0. .... .... = Truncated: Message is not truncated
>         .... ...0 .... .... = Recursion desired: Don't do query recursively
>         .... .... 0... .... = Recursion available: Server can't do recursive queries
>         .... .... .0.. .... = Z: reserved (0)
>         .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
>         .... .... ...0 .... = Non-authenticated data: Unacceptable
>         .... .... .... 0001 = Reply code: Format error (1)
>     Questions: 0
>     Answer RRs: 0
>     Authority RRs: 0
>     Additional RRs: 0
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
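The response-matching rule discussed in this thread, written out as an added example (not code from either poster, nor from unbound-host): it rebuilds the query and the 12-byte FORMERR reply from the dump above, then applies the txid-plus-question check with the exception Mark describes, so a FORMERR carrying no question section is accepted as "the server could not parse our packet" and triggers a plain retry without EDNS(0). The function names and the decision labels (`accept`, `discard`, `retry-without-edns`) are assumptions of this example.

```python
import struct

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

# Constructed from the Wireshark dump in the thread: txid 0x2acf, flags 0x0020,
# one TLSA/IN question and one OPT record (UDP payload 1232, DO bit clear).
QNAME = "_25._tcp.nist-gov.mail.protection.outlook.com"
QUERY = (struct.pack(">HHHHHH", 0x2ACF, 0x0020, 1, 0, 0, 1)
         + encode_name(QNAME) + struct.pack(">HH", 52, 1)      # TLSA, IN
         + b"\x00" + struct.pack(">HHIH", 41, 1232, 0, 0))     # OPT RR
# Constructed: the server's reply, flags 0x8001 (response, FORMERR), all counts 0.
FORMERR_NO_Q = struct.pack(">HHHHHH", 0x2ACF, 0x8001, 0, 0, 0, 0)

def parse_question(msg):
    """Return (qname, qtype, qclass) of the first question, or None if undecodable."""
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            return None
        n = msg[pos]
        if n == 0:
            pos += 1
            break
        if n & 0xC0 or pos + 1 + n > len(msg):      # pointer or truncated label
            return None
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    if pos + 4 > len(msg):
        return None
    qtype, qclass = struct.unpack(">HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def classify_response(query, response):
    """Decide what a resolver should do with `response` to `query` (labels are ours)."""
    if len(response) < 12:
        return "discard"
    txid, flags, qdcount = struct.unpack(">HHH", response[:6])
    if txid != struct.unpack(">H", query[:2])[0] or not flags & 0x8000:
        return "discard"                              # wrong ID, or not a response
    if qdcount == 0:
        # FORMERR with no question is legitimate: the server could not parse
        # our packet, so it has nothing to echo. Fall back to a plain query.
        return "retry-without-edns" if (flags & 0x000F) == 1 else "discard"
    if parse_question(response) != parse_question(query):
        return "discard"                              # a question is there, but not ours
    return "accept"
```

Source-address checking is left out here because it is a transport-level check, not a message-level one; a real resolver applies it before any of the above.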
