In message <[email protected]>, Jared Mauch writes:
> My personal favorite broken domain is New York State Thruway folks.
>
> https://ednscomp.isc.org/ednscomp/cb652bc112
>
> If you ask for AAAA of www.thruway.ny.gov it is a CNAME to www.wip.thruway.ny.gov and that
> breaks a number of DNS servers and load balancers, eg:
>
> $ host -t aaaa www.wip.thruway.ny.gov
> ;; reply from unexpected source: 2001:558:100e:4:69:252:66:215#53, expected 2001:558:feed::1#53
> ;; reply from unexpected source: 2001:558:100e:4:69:252:66:215#53, expected 2001:558:feed::1#53
>
> Waiting for the timeouts to occur or trying to get a robust response via TCP is problematic at best.
>
> DNS works really well despite much of the damage from firewall vendors and ill informed consultants.
>
> - Jared
Your taxpayer dollars at work. If you are a resident of NY state go complain to your state representatives. Which bureaucrat signed off on the purchase of this piece of garbage? Load balancers need to answer all query types.

% dig www.wip.thruway.ny.gov @lc1.thruway.ny.gov

; <<>> DiG 9.11.0rc1 <<>> www.wip.thruway.ny.gov @lc1.thruway.ny.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59670
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.wip.thruway.ny.gov.        IN      A

;; ANSWER SECTION:
www.wip.thruway.ny.gov. 30      IN      A       66.192.38.208

;; Query time: 394 msec
;; SERVER: 161.11.122.60#53(161.11.122.60)
;; WHEN: Sat Aug 27 12:28:56 EST 2016
;; MSG SIZE  rcvd: 56

% dig www.wip.thruway.ny.gov @lc1.thruway.ny.gov aaaa

; <<>> DiG 9.11.0rc1 <<>> www.wip.thruway.ny.gov @lc1.thruway.ny.gov aaaa
;; global options: +cmd
;; connection timed out; no servers could be reached
%

>
>
> On Aug 26, 2016, at 7:54 PM, Josh Reynolds <[email protected]> wrote:
>
> > Excellent info, thank you Mark.
> >
> > On Aug 26, 2016 6:53 PM, "Mark Andrews" <[email protected]> wrote:
> >
> >>
> >> In message <CAC6=tfYnPX2pGCNNjaeV+yVENypMFqf02JmD58fgJExQfZku_Q@mail.gmail.com>, Josh Reynolds writes:
> >>>
> >>> Just looking at the RFC...
> >>> -----
> >>> VERSION Indicates the implementation level of the setter. Full conformance
> >>> with this specification is indicated by version '0'. Requestors are
> >>> encouraged to set this to the lowest implemented level capable of
> >>> expressing a transaction, to minimise the responder and network load of
> >>> discovering the greatest common implementation level between requestor and
> >>> responder. A requestor's version numbering strategy MAY ideally be a
> >>> run-time configuration option.
> >>> If a responder does not implement the
> >>> VERSION level of the request, then it MUST respond with RCODE=BADVERS. All
> >>> responses MUST be limited in format to the VERSION level of the request,
> >>> but the VERSION of each response SHOULD be the highest implementation level
> >>> of the responder. In this way, a requestor will learn the implementation
> >>> level of a responder as a side effect of every response, including error
> >>> responses and including RCODE=BADVERS.
> >>> -----
> >>> What am I missing, based on your output?
> >>
> >> The servers do not RESPOND to EDNS version != 0 queries. The following
> >> sends an EDNS version 1 query and tells dig not to complete the EDNS version
> >> negotiation so you can see the BADVERS response.
> >>
> >> % dig lostoncampus.com.au. @205.251.195.156 +edns=1 +noednsneg soa
> >>
> >> ; <<>> DiG 9.11.0rc1 <<>> lostoncampus.com.au. @205.251.195.156 +edns=1 +noednsneg soa
> >> ;; global options: +cmd
> >> ;; connection timed out; no servers could be reached
> >> %
> >>
> >> An EDNS version 0 query to show reachability and that EDNS is supported.
> >>
> >> % dig lostoncampus.com.au. @205.251.195.156 +edns=0 +noednsneg soa
> >>
> >> ; <<>> DiG 9.11.0rc1 <<>> lostoncampus.com.au. @205.251.195.156 +edns=0 +noednsneg soa
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63224
> >> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
> >> ;; WARNING: recursion requested but not available
> >>
> >> ;; OPT PSEUDOSECTION:
> >> ; EDNS: version: 0, flags:; udp: 4096
> >> ;; QUESTION SECTION:
> >> ;lostoncampus.com.au.           IN      SOA
> >>
> >> ;; ANSWER SECTION:
> >> lostoncampus.com.au.    900     IN      SOA     ns-1222.awsdns-24.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
> >>
> >> ;; AUTHORITY SECTION:
> >> lostoncampus.com.au.    172800  IN      NS      ns-1222.awsdns-24.org.
> >> lostoncampus.com.au.    172800  IN      NS      ns-1812.awsdns-34.co.uk.
> >> lostoncampus.com.au.    172800  IN      NS      ns-78.awsdns-09.com.
> >> lostoncampus.com.au.    172800  IN      NS      ns-924.awsdns-51.net.
> >>
> >> ;; Query time: 126 msec
> >> ;; SERVER: 205.251.195.156#53(205.251.195.156)
> >> ;; WHEN: Sat Aug 27 09:40:29 EST 2016
> >> ;; MSG SIZE  rcvd: 248
> >>
> >> %
> >>
> >> What you should see is something like the following. Note the
> >> version field is zero (0) and the rcode (status) field is BADVERS.
> >> This response does show a protocol error: AD should not be set in
> >> this response as there is no authenticated data.
> >>
> >> % dig . @a.root-servers.net +edns=1 +noednsneg soa
> >>
> >> ; <<>> DiG 9.11.0rc1 <<>> . @a.root-servers.net +edns=1 +noednsneg soa
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 22570
> >> ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >> ;; WARNING: recursion requested but not available
> >>
> >> ;; OPT PSEUDOSECTION:
> >> ; EDNS: version: 0, flags:; udp: 1232
> >> ;; Query time: 438 msec
> >> ;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
> >> ;; WHEN: Sat Aug 27 09:34:32 EST 2016
> >> ;; MSG SIZE  rcvd: 23
> >>
> >> %
> >>
> >> Amazon are not alone here (about 20% of servers fail to respond to
> >> EDNS version 1 queries) but they are a big player so they should be
> >> doing things correctly. See
> >> https://ednscomp.isc.org/compliance/alexa-report.html for others
> >> serving the Alexa top 1000 that get things wrong; there are a lot
> >> of you out there. There are also reports for the bottom 1000, .GOV,
> >> .AU and the root zone at https://ednscomp.isc.org along with an
> >> online compliance checker so others can test their servers. You
> >> just need to name a zone and it will work out the rest, or you can
> >> target individual servers, even those not listed in the NS RRset.
> >>
> >> There is also a whole series of graphs showing failure trends for
> >> different EDNS compliance tests at
> >> https://ednscomp.isc.org/compliance/summary.html
> >>
> >> Mark
> >>
> >>> On Aug 23, 2016 6:43 PM, "Mark Andrews" <[email protected]> wrote:
> >>>
> >>>>
> >>>> I'm curious. What are you trying to achieve by blocking EDNS version
> >>>> negotiation? Is it really too hard to return BADVERS to an EDNS
> >>>> query with version != 0 along with the version of EDNS you support
> >>>> in the version field? Are you deliberately trying to prevent the
> >>>> IETF from deciding to bump the EDNS version in the future? Do you
> >>>> have firewalls that have this behaviour hard coded? Do you even
> >>>> test for RFC compliance?
> >>>>
> >>>> Mark
> >>>>
> >>>> lostoncampus.com.au. @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> >>>> lostoncampus.com.au. @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> >>>> lostoncampus.com.au. @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> >>>> lostoncampus.com.au. @205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
> >>>>
> >>>> --
> >>>> Mark Andrews, ISC
> >>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> >>>> PHONE: +61 2 9871 4742                 INTERNET: [email protected]
> >>>>
> >>>
> >> --
> >> Mark Andrews, ISC
> >> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> >> PHONE: +61 2 9871 4742                 INTERNET: [email protected]
> >>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
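The probe Mark describes (an EDNS version 1 query with negotiation disabled, i.e. what `dig +edns=1 +noednsneg` sends) and the three outcomes the thread distinguishes (a silent timeout, a proper BADVERS reply, and a BADVERS reply carrying the stray AD bit he points out in the a.root-servers.net output) can be reproduced in a few dozen lines. The following is an added example and not part of the thread or of ISC's ednscomp tool; the function names, the `sample_reply` helper and the constructed 23-byte replies it builds are this example's own, shaped after the root-server output quoted above.

```python
"""Added example (not ISC ednscomp code): build the EDNS version 1 probe that
`dig +edns=1 +noednsneg` sends and classify the reply as the thread describes.
A compliant server answers BADVERS with version 0 in its OPT record; a timeout
is the failure being complained about; AD set on that reply is a protocol error."""
import socket
import struct

TYPE_SOA, TYPE_OPT, CLASS_IN = 6, 41, 1
BADVERS = 16          # RFC 6891 extended RCODE; its upper 8 bits sit in the OPT TTL
FLAG_QR, FLAG_RD, FLAG_AD = 0x8000, 0x0100, 0x0020


def encode_name(name):
    """Wire-format a dotted name (no compression needed in a query)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(zone, edns_version, txid=0x1234, udp_size=4096):
    """SOA query for <zone> with an OPT RR carrying the requested EDNS version."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)   # RD, 1 question, 1 additional
    question = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    opt_ttl = edns_version << 16                                # ext-rcode 0, version, DO/Z clear
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, opt_ttl, 0)
    return header + question + opt


def skip_name(buf, off):
    """Advance past a possibly compressed name and return the new offset."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:             # a compression pointer terminates the name
            return off + 2
        off += 1 + n


def classify_response(reply):
    """Classify a raw reply to the version 1 probe (reply is None on timeout).

    verdict: 'timeout', 'badvers' (what a compliant server returns) or 'other'
             (e.g. NOERROR from a server that ignores the version field).
    issues:  protocol errors seen alongside, such as AD set with no authenticated data.
    """
    if reply is None:
        return {"verdict": "timeout", "rcode": None, "version": None, "issues": []}
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", reply, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(reply, off) + 4                 # skip QTYPE and QCLASS
    ext_rcode, version = 0, None
    for _ in range(an + ns + ar):
        off = skip_name(reply, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", reply, off)
        if rtype == TYPE_OPT:
            ext_rcode, version = ttl >> 24, (ttl >> 16) & 0xFF
        off += 10 + rdlen
    rcode = (ext_rcode << 4) | (flags & 0xF)            # 12-bit extended RCODE
    issues = []
    if version is None:
        issues.append("no OPT record in reply; EDNS ignored or stripped by a middlebox")
    elif version != 0:
        issues.append(f"responder advertised EDNS version {version}, expected its highest supported (0)")
    if flags & FLAG_AD:
        issues.append("AD set on a reply that carries no authenticated data")
    verdict = "badvers" if rcode == BADVERS else "other"
    return {"verdict": verdict, "rcode": rcode, "version": version, "issues": issues}


def probe(server, zone, timeout=3.0):
    """Send the version 1 probe over UDP to <server> and classify the outcome."""
    family, _, _, _, addr = socket.getaddrinfo(server, 53, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(zone, 1), addr)
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            reply = None                                # the edns1=timeout case
    return classify_response(reply)


def sample_reply(rcode=BADVERS, version=0, ad=False, txid=0x1234):
    """Constructed reply shaped like the a.root-servers.net output in the thread:
    no question echoed, ADDITIONAL: 1, a bare OPT RR advertising udp: 1232 (23 bytes)."""
    flags = FLAG_QR | FLAG_RD | (FLAG_AD if ad else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 1)
    opt_ttl = ((rcode >> 4) << 24) | (version << 16)
    return header + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, opt_ttl, 0)


if __name__ == "__main__":
    for label, r in [("timeout", None), ("root-like, AD set", sample_reply(ad=True)),
                     ("clean BADVERS", sample_reply()), ("ignores version", sample_reply(rcode=0))]:
        print(label, classify_response(r))
```

Run as a script it classifies only the constructed replies, so it works offline; `probe("ns.example.invalid", "example.com.")` is how you would point it at a real authoritative server, and the `issues` list is the place to add further checks from the ednscomp suite (DO handling, unknown option echoing, truncation over TCP).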

