RE: Enforce EDNS

+1 to Alan. While I work at an ivory tower and support Mark's mission, in practice I don't have operational time (nor is it necessarily the best use of my time) to maintain a per-IP bypass. 100% in support of enabling this by default as long as there is an option to disable.

-Michael

> -----Original Message-----
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark Andrews
> Sent: Tuesday, February 07, 2017 4:32 PM
> To: Reindl Harald
> Cc: bind-us...@isc.org
> Subject: Re: Enforce EDNS
>
> In message <4b0243b1-1c89-023b-f3f3-7279216d5...@thelounge.net>, Reindl Harald writes:
> >
> > On 07.02.2017 at 22:11, Mark Andrews wrote:
> > > In message <3836f038-c480-9970-fd53-a5c87ad36...@thelounge.net>, Reindl Harald writes:
> > > > > Break them. That's the only way it will eventually get fixed
> > > >
> > > > if things would be that easy
> > > >
> > > > the admins of the broken servers are the very last which are affected,
> > > > admins with a recent named have to bite the bullet of user terror and
> > > > users typically don't give a damn when it worked yesterday
> > > >
> > > > the admins of the broken server don't give a damn as long as they can
> > > > point their fingers and say "look, the rest of the world has no lookup
> > > > errors"
> > > >
> > > > if it would be that easy the problem of spam would not exist for many
> > > > years while in reality you waste most of our time to write exceptions
> > > > here and there, disable rules or score them lower because you are not in
> > > > the position to educate every admin of sending servers out there
> > >
> > > You go over the admin's head. You go to the board of directors.
> > > You go to the minister responsible (yes, I have had to do that
> > > along with a copy to the shadow minister and the company that the
> > > DNS was outsourced to for government domains). Good old snail mail
> >
> > if *you* do that from your position it may work but still takes time in
> > a world where it sometimes takes days and weeks to find somebody who
> > can instruct an admin to change a simple CNAME record from machine A to
> > machine B even with the director's OK and CC'ed in the message
>
> And you can fix the issue by hand while this is going on.
>
> server 74.113.204.34 { send-cookie false; };
> server 74.113.206.34 { send-cookie false; };
> server 117.56.91.203 { send-cookie false; };
> server 117.56.91.204 { send-cookie false; };
> server 117.56.91.234 { send-cookie false; };
> server 199.252/16 { send-cookie false; };
>
> (or request-sit no; for 9.10.x)
>
> There aren't lots of servers that drop EDNS or drop EDNS + DNS COOKIE.
> The big numbers are those that drop EDNS(1) which no one is using at
> this stage. See http://ednscomp.isc.org/
>
> > i doubt it works the same way for an ordinary admin in a small company
> > where you have to make it work because *you* broke it with the named update
> > and so your advice will be "roll back that stuff to the state of
> > yesterday where it worked and no you have not the free time to call each
> > and every company and educate them"
> >
> > problem here is that as long it's not a critical mass anybody who
> > deployed the update breaking things have to bleed for it and so you have
> > to find enough people with the power to go over admins' heads *before* the
> > breaking updates
> >
> > and no, when in your company people can't work because DNS is broken you
> > don't call foreign admins and directors - you have to fix that *now* and
> > after you have fixed it you no longer have arguments why call somebody
> > with no direct relations
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Enforce EDNS

In message <4b0243b1-1c89-023b-f3f3-7279216d5...@thelounge.net>, Reindl Harald writes:
>
> On 07.02.2017 at 22:11, Mark Andrews wrote:
> > In message <3836f038-c480-9970-fd53-a5c87ad36...@thelounge.net>, Reindl Harald writes:
> > > > Break them. That's the only way it will eventually get fixed
> > >
> > > if things would be that easy
> > >
> > > the admins of the broken servers are the very last which are affected,
> > > admins with a recent named have to bite the bullet of user terror and
> > > users typically don't give a damn when it worked yesterday
> > >
> > > the admins of the broken server don't give a damn as long as they can
> > > point their fingers and say "look, the rest of the world has no lookup
> > > errors"
> > >
> > > if it would be that easy the problem of spam would not exist for many
> > > years while in reality you waste most of our time to write exceptions
> > > here and there, disable rules or score them lower because you are not in
> > > the position to educate every admin of sending servers out there
> >
> > You go over the admin's head. You go to the board of directors.
> > You go to the minister responsible (yes, I have had to do that
> > along with a copy to the shadow minister and the company that the
> > DNS was outsourced to for government domains). Good old snail mail
>
> if *you* do that from your position it may work but still takes time in
> a world where it sometimes takes days and weeks to find somebody who
> can instruct an admin to change a simple CNAME record from machine A to
> machine B even with the director's OK and CC'ed in the message

And you can fix the issue by hand while this is going on.

server 74.113.204.34 { send-cookie false; };
server 74.113.206.34 { send-cookie false; };
server 117.56.91.203 { send-cookie false; };
server 117.56.91.204 { send-cookie false; };
server 117.56.91.234 { send-cookie false; };
server 199.252/16 { send-cookie false; };

(or request-sit no; for 9.10.x)

There aren't lots of servers that drop EDNS or drop EDNS + DNS COOKIE.
The big numbers are those that drop EDNS(1) which no one is using at
this stage. See http://ednscomp.isc.org/

> i doubt it works the same way for an ordinary admin in a small company
> where you have to make it work because *you* broke it with the named update
> and so your advice will be "roll back that stuff to the state of
> yesterday where it worked and no you have not the free time to call each
> and every company and educate them"
>
> problem here is that as long it's not a critical mass anybody who
> deployed the update breaking things have to bleed for it and so you have
> to find enough people with the power to go over admins' heads *before* the
> breaking updates
>
> and no, when in your company people can't work because DNS is broken you
> don't call foreign admins and directors - you have to fix that *now* and
> after you have fixed it you no longer have arguments why call somebody
> with no direct relations

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Enforce EDNS

On 2/7/17 3:11 PM, Mark Andrews wrote:
> > > Break them. That's the only way it will eventually get fixed
> >
> > if things would be that easy
> >
> > the admins of the broken servers are the very last which are affected,
> > admins with a recent named have to bite the bullet of user terror and
> > users typically don't give a damn when it worked yesterday
> >
> > the admins of the broken server don't give a damn as long as they can
> > point their fingers and say "look, the rest of the world has no lookup
> > errors"
> >
> > if it would be that easy the problem of spam would not exist for many
> > years while in reality you waste most of our time to write exceptions
> > here and there, disable rules or score them lower because you are not in
> > the position to educate every admin of sending servers out there
>
> You go over the admin's head. You go to the board of directors.
> You go to the minister responsible (yes, I have had to do that
> along with a copy to the shadow minister and the company that the
> DNS was outsourced to for government domains). Good old snail mail.

I wish I lived and worked in an ivory tower.

Reindl is right. If you are in (some) academia, or running this server at your house, you can get away with "he didn't follow the rules, so I'm not talking to him". You just plain can't get away with that in the commercial world.

Remember those Korean IPTV servers that were authoritative but didn't respond with the AA bit? The thing that kicked back and caused a very speedy reversal in the enforcement of that rule is called business pressure. Yes, we know the rules, yes, we'd love it if the rules were strictly enforced (assuming we don't take the hit when someone else screws up), but the business world doesn't allow us to enforce the rules; we have to work as best we can in the world that we are provided.

The idea that "BIND leads the way, allowing no rule breaking, business needs be damned" will only lead to either a fork of "friendlierBIND", vendors that include BIND under the covers turning off the strict enforcement by forking their own BIND versions (do you think this isn't being done already?), or migration off of BIND completely (do you think that this isn't being considered already?).

Maybe a "strict-compliance yes;" option? Those that are willing to take the hit set it to yes, everyone that needs to ensure business continuity sets it to no? (and for god's sake, make it default to no)

As with the "let's randomly add a string into the middle of the log message for everyone", this "let's just break it because the RFCs say so" isn't going to go over well with lots of people.
Re: Enforce EDNS

On 07.02.2017 at 22:11, Mark Andrews wrote:
> In message <3836f038-c480-9970-fd53-a5c87ad36...@thelounge.net>, Reindl Harald writes:
> > > Break them. That's the only way it will eventually get fixed
> >
> > if things would be that easy
> >
> > the admins of the broken servers are the very last which are affected,
> > admins with a recent named have to bite the bullet of user terror and
> > users typically don't give a damn when it worked yesterday
> >
> > the admins of the broken server don't give a damn as long as they can
> > point their fingers and say "look, the rest of the world has no lookup
> > errors"
> >
> > if it would be that easy the problem of spam would not exist for many
> > years while in reality you waste most of our time to write exceptions
> > here and there, disable rules or score them lower because you are not in
> > the position to educate every admin of sending servers out there
>
> You go over the admin's head. You go to the board of directors.
> You go to the minister responsible (yes, I have had to do that
> along with a copy to the shadow minister and the company that the
> DNS was outsourced to for government domains). Good old snail mail

if *you* do that from your position it may work but still takes time in a world where it sometimes takes days and weeks to find somebody who can instruct an admin to change a simple CNAME record from machine A to machine B even with the director's OK and CC'ed in the message

i doubt it works the same way for an ordinary admin in a small company where you have to make it work because *you* broke it with the named update and so your advice will be "roll back that stuff to the state of yesterday where it worked and no you have not the free time to call each and every company and educate them"

problem here is that as long it's not a critical mass anybody who deployed the update breaking things have to bleed for it and so you have to find enough people with the power to go over admins' heads *before* the breaking updates

and no, when in your company people can't work because DNS is broken you don't call foreign admins and directors - you have to fix that *now* and after you have fixed it you no longer have arguments why call somebody with no direct relations
Re: Enforce EDNS

In message <3836f038-c480-9970-fd53-a5c87ad36...@thelounge.net>, Reindl Harald writes:
>
> On 07.02.2017 at 18:13, Chuck Anderson wrote:
> > On Tue, Feb 07, 2017 at 11:59:39AM +1100, Mark Andrews wrote:
> > > I really don't want to add new automatic workarounds for broken
> > > servers but it requires people being willing to accept that
> > > lookups will fail. That manual workarounds will now have to
> > > be done. e.g. "server ... { send-cookie no; };"
> > >
> > > Servers not answering EDNS or EDNS + DNS COOKIE would require
> > > operator intervention.
> >
> > Break them. That's the only way it will eventually get fixed
>
> if things would be that easy
>
> the admins of the broken servers are the very last which are affected,
> admins with a recent named have to bite the bullet of user terror and
> users typically don't give a damn when it worked yesterday
>
> the admins of the broken server don't give a damn as long as they can
> point their fingers and say "look, the rest of the world has no lookup
> errors"
>
> if it would be that easy the problem of spam would not exist for many
> years while in reality you waste most of our time to write exceptions
> here and there, disable rules or score them lower because you are not in
> the position to educate every admin of sending servers out there

You go over the admin's head. You go to the board of directors.
You go to the minister responsible (yes, I have had to do that
along with a copy to the shadow minister and the company that the
DNS was outsourced to for government domains). Good old snail mail.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Enforce EDNS

From: Matthew Pounsett
> I fully support breaking resolution for such servers. I'd rather
> have a hard failure on my end that I can investigate, and work
> around if necessary, than have my server wasting cycles trying to
> guess what sort of broken state there is on the far end. It would
> also give me the heads up I need to contact the admin on the far end
> and report their servers' broken behaviour.

And the remote admin would say "Well, it must be your problem because no one else is complaining."

I get the same line of BS when I refuse to honor a whitelisted domain in my spam filter if they fail SPF checks. Not many filters do that, but I think it is a great idea. People dread hearing from the IRS, but they can't afford to block the emails.
Re: Enforce EDNS

On 07.02.2017 at 18:13, Chuck Anderson wrote:
> On Tue, Feb 07, 2017 at 11:59:39AM +1100, Mark Andrews wrote:
> > I really don't want to add new automatic workarounds for broken
> > servers but it requires people being willing to accept that
> > lookups will fail. That manual workarounds will now have to
> > be done. e.g. "server ... { send-cookie no; };"
> >
> > Servers not answering EDNS or EDNS + DNS COOKIE would require
> > operator intervention.
>
> Break them. That's the only way it will eventually get fixed

if things would be that easy

the admins of the broken servers are the very last which are affected, admins with a recent named have to bite the bullet of user terror and users typically don't give a damn when it worked yesterday

the admins of the broken server don't give a damn as long as they can point their fingers and say "look, the rest of the world has no lookup errors"

if it would be that easy the problem of spam would not exist for many years while in reality you waste most of our time to write exceptions here and there, disable rules or score them lower because you are not in the position to educate every admin of sending servers out there
Re: Enforce EDNS

On 6 February 2017 at 19:59, Mark Andrews wrote:
>
> Unfortunately we then need to decide what to do with servers that
> don't answer EDNS + DNS COOKIE queries. Currently we fall back to
> plain DNS which works except when there is a signed zone involved
> and the server is validating.
>
> I really don't want to add new automatic workarounds for broken
> servers but it requires people being willing to accept that
> lookups will fail. That manual workarounds will now have to
> be done. e.g. "server ... { send-cookie no; };"

I fully support breaking resolution for such servers. I'd rather have a hard failure on my end that I can investigate, and work around if necessary, than have my server wasting cycles trying to guess what sort of broken state there is on the far end. It would also give me the heads up I need to contact the admin on the far end and report their servers' broken behaviour.
Re: Enforce EDNS

On Tue, Feb 07, 2017 at 11:59:39AM +1100, Mark Andrews wrote:
> I really don't want to add new automatic workarounds for broken
> servers but it requires people being willing to accept that
> lookups will fail. That manual workarounds will now have to
> be done. e.g. "server ... { send-cookie no; };"
>
> Servers not answering EDNS or EDNS + DNS COOKIE would require
> operator intervention.

Break them. That's the only way it will eventually get fixed.
Re: Enforce EDNS

> In message , Daniel Stirnimann writes:
> > Hello all,
> >
> > Our resolver failed to contact an upstream name server as a result of
> > network connectivity issues. named retries eventually worked but as it
> > reverted back to not using EDNS and the answer should have been signed,
> > the query response failed to validate. Subsequent queries towards this
> > upstream name server were not utilizing EDNS as well because named
> > remembers a name server's capabilities for some time (See also
> > https://deepthought.isc.org/article/AA-00510/0)
> >
> > My question is, can I enforce EDNS usage for a name server? I was
> > thinking of the 'edns' clause in the server settings [1]. However, this
> > is already enabled by default and only applies to an "attempt".

On 07.02.17 11:59, Mark Andrews wrote:
> I've also been thinking about no longer falling back to plain DNS on
> no answer. False positives on not supporting EDNS impact on DNSSEC
> resolution. Most firewalls now pass EDNS and most of the old
> Microsoft servers that don't answer a second EDNS request are gone.
> Any remaining servers would then need to be handled via server ... { edns no; };
>
> Unfortunately we then need to decide what to do with servers that
> don't answer EDNS + DNS COOKIE queries. Currently we fall back to
> plain DNS which works except when there is a signed zone involved
> and the server is validating.

fall back for how long? maybe for the same random time as RTT measurements are done - remember for a while, but retry with edns on after.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
Re: Enforce EDNS

Hi there,

On Tue, 7 Feb 2017, Mark Andrews wrote:
> I really don't want to add new automatic workarounds for broken
> servers but it requires people being willing to accept that
> lookups will fail. That manual workarounds will now have to
> be done. e.g. "server ... { send-cookie no; };"

+2

--
73,
Ged.
Re: Enforce EDNS

> Named doesn't have a switch to force EDNS though I suppose we could
> add one to 9.12. e.g. server ... { edns force; };

I would find this useful.

> I really don't want to add new automatic workarounds for broken
> servers but it requires people being willing to accept that
> lookups will fail. That manual workarounds will now have to
> be done. e.g. "server ... { send-cookie no; };"

I can only speak for the DNS resolvers I'm operating but I would be willing to accept that. At some point in time, those broken name servers need to be fixed. If more users start sending complaints to the name server operator that might help.

Daniel
Re: Enforce EDNS

In message , Daniel Stirnimann writes:
> Hello all,
>
> Our resolver failed to contact an upstream name server as a result of
> network connectivity issues. named retries eventually worked but as it
> reverted back to not using EDNS and the answer should have been signed,
> the query response failed to validate. Subsequent queries towards this
> upstream name server were not utilizing EDNS as well because named
> remembers a name server's capabilities for some time (See also
> https://deepthought.isc.org/article/AA-00510/0)
>
> My question is, can I enforce EDNS usage for a name server? I was
> thinking of the 'edns' clause in the server settings [1]. However, this
> is already enabled by default and only applies to an "attempt".

Named doesn't have a switch to force EDNS though I suppose we could
add one to 9.12. e.g. server ... { edns force; };

I've also been thinking about no longer falling back to plain DNS on
no answer. False positives on not supporting EDNS impact on DNSSEC
resolution. Most firewalls now pass EDNS and most of the old
Microsoft servers that don't answer a second EDNS request are gone.
Any remaining servers would then need to be handled via server ... { edns no; };

Unfortunately we then need to decide what to do with servers that
don't answer EDNS + DNS COOKIE queries. Currently we fall back to
plain DNS which works except when there is a signed zone involved
and the server is validating.

I really don't want to add new automatic workarounds for broken
servers but it requires people being willing to accept that
lookups will fail. That manual workarounds will now have to
be done. e.g. "server ... { send-cookie no; };"

Servers not answering EDNS or EDNS + DNS COOKIE would require
operator intervention.

Mark

> Daniel
>
> [1]
> https://ftp.isc.org/isc/bind9/cur/9.11/doc/arm/Bv9ARM.ch06.html#server_statement_grammar

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
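The trade-off argued over in this thread can be made concrete with a small model: Daniel's transient outage that leaves the resolver remembering an authoritative server as "no EDNS" so that answers for a signed zone arrive without RRSIGs and fail validation, Mark's proposal to stop falling back to plain DNS with a per-server `edns no;` as the manual escape hatch, and Matus's variant of remembering the downgrade only for a while and then retrying EDNS. The Python below is an added example written for this page; it is not BIND code and does not reproduce named's real capability cache. The server, the outage window, the hold times (3600 s and 300 s), the `Policy` names and the `edns_override` field are all constructed for the model.

```python
"""Per-server EDNS capability cache in a validating resolver (constructed model).

Added example for the bind-users thread, not code from BIND or from any
poster.  Servers, timings, policy names and the 'edns_override' field are
constructed for the model and are not named's internals.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

TIMEOUT = "SERVFAIL (timeout)"
BOGUS = "SERVFAIL (bogus: signed zone, no RRSIGs because EDNS was off)"
OK = "answer"


class Policy(Enum):
    FALLBACK = "fall back to plain DNS and remember the verdict"  # named today, per the thread
    STRICT = "never fall back to plain DNS"                        # the no-fall-back proposal
    BOUNDED = "fall back, but retry EDNS after a short hold"       # Matus's suggestion


@dataclass
class AuthServer:
    """Constructed authoritative server.

    Queries sent during the outage window are lost.  An 'edns_broken' server
    drops every EDNS query (the firewall / old-server case from the thread).
    For a signed zone only EDNS queries get RRSIGs back.
    """
    signed: bool = True
    edns_broken: bool = False
    outage: tuple[float, float] = (0.0, 0.0)   # [start, end) in seconds; empty by default

    def query(self, now: float, edns: bool):
        start, end = self.outage
        if start <= now < end or (edns and self.edns_broken):
            return None                                   # caller sees a timeout
        return "signed answer" if (edns and self.signed) else "unsigned answer"


@dataclass
class Resolver:
    policy: Policy
    server: AuthServer
    remember_for: float = 3600.0        # how long a 'no EDNS' verdict is kept (constructed)
    retry_after: float = 300.0          # BOUNDED only: retry EDNS after this hold (constructed)
    edns_override: bool | None = None   # False models 'server ... { edns no; };'
    no_edns_until: float = -1.0         # plain DNS is used until this time

    def resolve(self, now: float) -> str:
        if self.edns_override is False:
            use_edns = False                               # operator said so
        elif self.policy == Policy.STRICT:
            use_edns = True                                # never downgrade on our own
        else:
            use_edns = now >= self.no_edns_until
        reply = self.server.query(now, edns=use_edns)
        if reply is None and use_edns and self.policy != Policy.STRICT:
            # EDNS timed out: downgrade and remember it, although a network
            # fault is indistinguishable here from a server that eats EDNS
            hold = self.retry_after if self.policy == Policy.BOUNDED else self.remember_for
            self.no_edns_until = now + hold
            reply = self.server.query(now, edns=False)
        if reply is None:
            return TIMEOUT
        if self.server.signed and reply == "unsigned answer":
            return BOGUS                                   # validator rejects it
        return OK


def outage_scenario(policy: Policy) -> list[str]:
    """Signed zone, healthy server, 60 s network outage at t=0; queries afterwards."""
    r = Resolver(policy, AuthServer(signed=True, outage=(0.0, 60.0)))
    return [r.resolve(t) for t in (10.0, 120.0, 400.0, 4000.0)]


def broken_server_scenario(policy: Policy, edns_override: bool | None = None) -> list[str]:
    """Unsigned zone on a server that drops EDNS; optional per-server 'edns no'."""
    r = Resolver(policy, AuthServer(signed=False, edns_broken=True), edns_override=edns_override)
    return [r.resolve(t) for t in (10.0, 20.0)]


if __name__ == "__main__":
    for p in Policy:
        print(f"{p.name:8} outage: {outage_scenario(p)}")
        print(f"{p.name:8} broken: {broken_server_scenario(p)}")
    print("STRICT   broken + 'edns no':", broken_server_scenario(Policy.STRICT, edns_override=False))
```

Running it prints each policy's results for the two scenarios: under FALLBACK a 60 second outage costs the signed zone an hour of bogus answers, STRICT recovers as soon as the network does but never gets an answer from a server that really drops EDNS until the operator adds the override, and BOUNDED recovers once its short hold expires.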