Hi,

When doing some investigation for the upcoming DNS Flag Day 
(https://dnsflagday.net: February 1st 2019) I got some bad news from one of the 
service providers: they use Juniper SRX firewalls, and claim that they can't 
properly support EDNS because of a bug in their SRX firewalls. This seems 
outrageous to me. Is this just because they haven't upgraded their JunOS for 
years, they're running ancient DNS server software, or is there really a 
problem?

I didn't get any more information from them, just "it's because of Juniper". An 
example test can be seen here: https://ednscomp.isc.org/ednscomp/704c5b6649:

> Checking: 'computel.nl' as at 2019-01-25T11:05:00Z
> 
> computel.nl. @83.137.17.10 (ns2.computel.nl.): dns=ok edns=ok edns1=timeout 
> edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok 
> edns512tcp=ok optlist=timeout 
> computel.nl. @2001:4038:0:17::10 (ns2.computel.nl.): dns=ok edns=ok 
> edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok 
> docookie=ok edns512tcp=ok optlist=timeout 
> 
> computel.nl. @83.137.20.153 (ns3.computel-standby.eu.): dns=ok edns=ok 
> edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok 
> edns512tcp=ok optlist=ok,nsid (ns3.computel-standby.eu)
> computel.nl. @2001:4038:0:21::153 (ns3.computel-standby.eu.): dns=ok edns=ok 
> edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok 
> edns512tcp=ok optlist=ok,nsid (ns3.computel-standby.eu)
> 
> computel.nl. @83.137.20.10 (ns1.computel.nl.): dns=ok edns=ok edns1=timeout 
> edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok 
> edns512tcp=ok optlist=timeout 
> computel.nl. @2001:4038:0:20::10 (ns1.computel.nl.): dns=ok edns=ok 
> edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok 
> docookie=ok edns512tcp=ok optlist=timeout 

I am wondering what's going on here, and whether there is really a bug in JunOS 
on SRX or whether it's just "easiest to blame the firewall"...

Cheers!
Sander

_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
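For anyone who wants to reproduce the per-server verdicts in the quoted ednscomp report from their own vantage point (for example once from behind the SRX and once from outside it, to see where the edns1/edns1opt queries go missing), here is an added example probe. It is my own code, not ednscomp's and not anything from the provider or Juniper; it uses only the Python standard library, the check names follow the columns in the quoted output, the pass/fail rules are my reading of RFC 6891 rather than ednscomp's exact logic, and the option code 65001 is a constructed value from the local/experimental range.

```python
"""Small EDNS conformance probe in the spirit of the ednscomp checks quoted above.
Added example (not ednscomp's code); pure standard library."""
import random
import socket
import struct

TYPE_SOA, TYPE_OPT, CLASS_IN = 6, 41, 1
RCODE_BADVERS = 16  # extended RCODE 1 (top 8 bits of the OPT TTL) + base RCODE 0, RFC 6891
# Constructed unknown option from the local/experimental range (RFC 6891 section 9);
# a conforming server must ignore it and answer normally.
UNKNOWN_OPT = (65001, b"probe")


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=TYPE_SOA, edns_version=None, udp_size=4096,
                do_bit=False, options=(), txid=None):
    """Build a UDP query. edns_version=None sends a plain (pre-EDNS) query; any
    other value appends an OPT RR with that version, DO flag and option list."""
    if txid is None:
        txid = random.randrange(0, 65536)
    arcount = 0 if edns_version is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns_version is not None:
        rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                         for code, data in options)
        # OPT "TTL" = ext-rcode(8) | version(8) | DO(1) | Z(15); OPT name is the root label
        ttl = (edns_version << 16) | (0x8000 if do_bit else 0)
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, len(rdata)) + rdata
    return header + question + opt


def _skip_name(data, off):
    """Return the offset just past a wire-format name, honouring compression pointers."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Extract RCODE (with the EDNS extension), TC and the OPT record details, if any."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    info = {"txid": txid, "rcode": flags & 0x0F, "tc": bool(flags & 0x0200),
            "edns": False, "edns_version": None, "do": False, "options": []}
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip qtype + qclass
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_OPT:
            info.update(edns=True, udp_size=rclass, edns_version=(ttl >> 16) & 0xFF,
                        do=bool(ttl & 0x8000), rcode=((ttl >> 24) << 4) | (flags & 0x0F))
            pos = 0
            while pos + 4 <= len(rdata):
                code, length = struct.unpack_from("!HH", rdata, pos)
                info["options"].append((code, rdata[pos + 4:pos + 4 + length]))
                pos += 4 + length
    return info


CHECKS = {  # same names as the ednscomp columns quoted above
    "dns": dict(edns_version=None),
    "edns": dict(edns_version=0),
    "edns1": dict(edns_version=1),
    "ednsopt": dict(edns_version=0, options=(UNKNOWN_OPT,)),
    "edns1opt": dict(edns_version=1, options=(UNKNOWN_OPT,)),
    "do": dict(edns_version=0, do_bit=True),
}


def classify(check, reply):
    """Verdict per RFC 6891: my reading of the expected behaviour, not ednscomp's rules."""
    if reply is None:
        return "timeout"
    if check == "dns":
        return "ok" if reply["rcode"] == 0 else "rcode=%d" % reply["rcode"]
    if check in ("edns1", "edns1opt"):
        # an EDNS(0) server must answer an unknown version with BADVERS and a version-0 OPT
        good = reply["edns"] and reply["rcode"] == RCODE_BADVERS and reply["edns_version"] == 0
    else:
        good = reply["edns"] and reply["rcode"] == 0 and reply["edns_version"] == 0
        if check == "ednsopt":  # unknown options must be ignored, never echoed back
            good = good and all(code != UNKNOWN_OPT[0] for code, _ in reply["options"])
    return "ok" if good else "bad(rcode=%d,edns=%s)" % (reply["rcode"], reply["edns"])


def probe(server, qname, check, timeout=3.0, port=53):
    """Send one check; 'timeout' mirrors ednscomp's verdict for queries that the server,
    or a middlebox in front of it, silently drops."""
    query = build_query(qname, **CHECKS[check])
    want = struct.unpack_from("!H", query)[0]
    sock = socket.socket(socket.AF_INET6 if ":" in server else socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, port))
        while True:  # each recvfrom is bounded by the socket timeout
            reply = parse_response(sock.recvfrom(65535)[0])
            if reply["txid"] == want:
                return classify(check, reply)
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()


if __name__ == "__main__":
    import sys  # usage: probe.py <server-ip> <zone>, e.g. 83.137.17.10 computel.nl
    if len(sys.argv) == 3:
        print(" ".join("%s=%s" % (c, probe(sys.argv[1], sys.argv[2], c)) for c in CHECKS))
```

Run it once against a name server address from inside the firewall and once from outside: if "edns1" and "edns1opt" come back "ok" (a BADVERS answer) from inside but "timeout" from outside, the query is being dropped in transit rather than mishandled by the name server, which is exactly the distinction the question above is asking about.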