RE: Enforce EDNS

2017-02-08 Thread Michael Hare
+1 to Alan.  While I work at an ivory tower and support Mark's mission, in 
practice I don't have operational time (nor is it necessarily the best use of 
my time) to maintain a per-ip bypass.

100% in support of enabling this by default as long as there is an option to 
disable.

-Michael

> -Original Message-
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark
> Andrews
> Sent: Tuesday, February 07, 2017 4:32 PM
> To: Reindl Harald <h.rei...@thelounge.net>
> Cc: bind-us...@isc.org
> Subject: Re: Enforce EDNS
> 
> 
> In message <4b0243b1-1c89-023b-f3f3-7279216d5...@thelounge.net>, Reindl Harald
> writes:
> >
> >
> > On 07.02.2017 at 22:11, Mark Andrews wrote:
> > > In message <3836f038-c480-9970-fd53-a5c87ad36...@thelounge.net>, Reindl Harald
> > > writes:
> > >>> Break them.  That's the only way it will eventually get fixed
> > >>
> > >> if things would be that easy
> > >>
> > >> the admins of the broken servers are the very last which are affected,
> > >> admins with a recent named have to bite the bullet of user terror and
> > >> users typically don't give a damn when it worked yesterday
> > >>
> > >> the admins of the broken server don't give a damn about as long they can
> > >> point their fingers and say "look, the rest of the world has no lookup
> > >> errors"
> > >>
> > >> if it would be that easy the problem of spam would not exist for many
> > >> years while in reality you waste most of our time to write exceptions
> > >> here and there, disable rules or score them lower because you are not in
> > >> the position to educate every admin of sending servers out there
> > >
> > > You go over the admin's head.  You go to the board of directors.
> > > You go to the minister responsible (yes, I have had to do that
> > > along with a copy to the shadow minister and the company that the
> > > DNS was outsourced to for government domains).  Good old snail mail
> >
> > if *you* do that from your position it may work but still takes time in
> > a world where it sometimes takes days and weeks to find somebody who
> > can instruct an admin to change a simple CNAME record from machine A to
> > machine B even with the director's OK and CC'ed in the message
> 
> And you can fix the issue by hand while this is going on.
> 
>   server 74.113.204.34 { send-cookie false; };
>   server 74.113.206.34 { send-cookie false; };
>   server 117.56.91.203 { send-cookie false; };
>   server 117.56.91.204 { send-cookie false; };
>   server 117.56.91.234 { send-cookie false; };
>   server 199.252/16 { send-cookie false; };
> 
>   (or request-sit no; for 9.10.x)
> 
> There aren't lots of servers that drop EDNS or drop EDNS + DNS COOKIE.
> 
> The big numbers are those that drop EDNS(1) which no one is using at
> this stage.  See http://ednscomp.isc.org/
> 
> > i doubt it works the same way for an ordinary admin in a small company
> > where you have to make it work because *you* broke it with the named update
> > and so your advice will be "roll back that stuff to the state of
> > yesterday where it worked and no you have not the free time to call each
> > and every company and educate them"
> >
> > problem here is that as long it's not a critical mass anybody who
> > deployed the update breaking things have to bleed for it and so you have
> > to find enough people with the power to go over admins' heads *before* the
> > breaking updates
> >
> > and no, when in your company people can't work because DNS is broken you
> > don't call foreign admins and directors - you have to fix that *now* and
> > after you have fixed it you have no longer arguments why call somebody
> > with no direct relations
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Enforce EDNS

2017-02-07 Thread Mark Andrews

In message <4b0243b1-1c89-023b-f3f3-7279216d5...@thelounge.net>, Reindl Harald 
writes:
> 
> 
> On 07.02.2017 at 22:11, Mark Andrews wrote:
> > In message <3836f038-c480-9970-fd53-a5c87ad36...@thelounge.net>, Reindl Harald
> > writes:
> >>> Break them.  That's the only way it will eventually get fixed
> >>
> >> if things would be that easy
> >>
> >> the admins of the broken servers are the very last which are affected,
> >> admins with a recent named have to bite the bullet of user terror and
> >> users typically don't give a damn when it worked yesterday
> >>
> >> the admins of the broken server don't give a damn about as long they can
> >> point their fingers and say "look, the rest of the world has no lookup
> >> errors"
> >>
> >> if it would be that easy the problem of spam would not exist for many
> >> years while in reality you waste most of our time to write exceptions
> >> here and there, disable rules or score them lower because you are not in
> >> the position to educate every admin of sending servers out there
> >
> > You go over the admin's head.  You go to the board of directors.
> > You go to the minister responsible (yes, I have had to do that
> > along with a copy to the shadow minister and the company that the
> > DNS was outsourced to for government domains).  Good old snail mail
> 
> if *you* do that from your position it may work but still takes time in 
> a world where it sometimes takes days and weeks to find somebody who 
> can instruct an admin to change a simple CNAME record from machine A to 
> machine B even with the director's OK and CC'ed in the message

And you can fix the issue by hand while this is going on.

server 74.113.204.34 { send-cookie false; };
server 74.113.206.34 { send-cookie false; };
server 117.56.91.203 { send-cookie false; };
server 117.56.91.204 { send-cookie false; };
server 117.56.91.234 { send-cookie false; };
server 199.252/16 { send-cookie false; };

(or request-sit no; for 9.10.x)

There aren't lots of servers that drop EDNS or drop EDNS + DNS COOKIE.

The big numbers are those that drop EDNS(1) which no one is using at
this stage.  See http://ednscomp.isc.org/

> i doubt it works the same way for an ordinary admin in a small company 
> where you have to make it work because *you* broke it with the named update 
> and so your advice will be "roll back that stuff to the state of 
> yesterday where it worked and no you have not the free time to call each 
> and every company and educate them"
>
> problem here is that as long it's not a critical mass anybody who 
> deployed the update breaking things have to bleed for it and so you have 
> to find enough people with the power to go over admins' heads *before* the 
> breaking updates
> 
> and no, when in your company people can't work because DNS is broken you 
> don't call foreign admins and directors - you have to fix that *now* and 
> after you have fixed it you have no longer arguments why call somebody 
> with no direct relations


Re: Enforce EDNS

2017-02-07 Thread Alan Clegg
On 2/7/17 3:11 PM, Mark Andrews wrote:

>>> Break them.  That's the only way it will eventually get fixed
>>
>> if things would be that easy
>>
>> the admins of the broken servers are the very last which are affected, 
>> admins with a recent named have to bite the bullet of user terror and 
>> users typically don't give a damn when it worked yesterday
>>
>> the admins of the broken server don't give a damn about as long they can 
>> point their fingers and say "look, the rest of the world has no lookup 
>> errors"
>>
>> if it would be that easy the problem of spam would not exist for many 
>> years while in reality you waste most of our time to write exceptions 
>> here and there, disable rules or score them lower because you are not in 
>> the position to educate every admin of sending servers out there
> 
> You go over the admin's head.  You go to the board of directors.
> You go to the minister responsible (yes, I have had to do that
> along with a copy to the shadow minister and the company that the
> DNS was outsourced to for government domains).  Good old snail mail.

I wish I lived and worked in an ivory tower.

Reindl is right.

If you are in (some) academia, or running this server at your house, you
can get away with "he didn't follow the rules, so I'm not talking to
him".  You just plain can't get away with that in the commercial world.

Remember those Korean IPTV servers that were authoritative but didn't
respond with the AA bit?  The thing that kicked back and caused a very
speedy reversal in the enforcement of that rule is called business pressure.

Yes, we know the rules, yes, we'd love if the rules were strictly
enforced (assuming we don't take the hit when someone else screws up),
but the business world doesn't allow us to enforce the rules, we have to
work as best we can in the world that we are provided.

The idea that "BIND leads the way, allowing no rule breaking, business
needs be damned" will only lead to either a fork of "friendlierBIND",
vendors that include BIND under the covers turning off the strict
enforcement by forking their own BIND versions (do you think this isn't
being done already?), or migration off of BIND completely (do you think
that this isn't being considered already?).

Maybe a "strict-compliance yes;" option?  Those that are willing to take
the hit set it to yes, everyone that needs to ensure business continuity
set it to no?  (and for gods sake, make it default to no)

As with the "let's randomly add a string into the middle of the log
message for everyone", this "let's just break it because the RFCs say
so" isn't going to go over well with lots of people.






Re: Enforce EDNS

2017-02-07 Thread Reindl Harald



On 07.02.2017 at 22:11, Mark Andrews wrote:
> In message <3836f038-c480-9970-fd53-a5c87ad36...@thelounge.net>, Reindl Harald
> writes:
>>> Break them.  That's the only way it will eventually get fixed
>>
>> if things would be that easy
>>
>> the admins of the broken servers are the very last which are affected,
>> admins with a recent named have to bite the bullet of user terror and
>> users typically don't give a damn when it worked yesterday
>>
>> the admins of the broken server don't give a damn about as long they can
>> point their fingers and say "look, the rest of the world has no lookup
>> errors"
>>
>> if it would be that easy the problem of spam would not exist for many
>> years while in reality you waste most of our time to write exceptions
>> here and there, disable rules or score them lower because you are not in
>> the position to educate every admin of sending servers out there
>
> You go over the admin's head.  You go to the board of directors.
> You go to the minister responsible (yes, I have had to do that
> along with a copy to the shadow minister and the company that the
> DNS was outsourced to for government domains).  Good old snail mail

if *you* do that from your position it may work but still takes time in 
a world where it sometimes takes days and weeks to find somebody who 
can instruct an admin to change a simple CNAME record from machine A to 
machine B even with the director's OK and CC'ed in the message

i doubt it works the same way for an ordinary admin in a small company 
where you have to make it work because *you* broke it with the named update 
and so your advice will be "roll back that stuff to the state of 
yesterday where it worked and no you have not the free time to call each 
and every company and educate them"

problem here is that as long it's not a critical mass anybody who 
deployed the update breaking things have to bleed for it and so you have 
to find enough people with the power to go over admins' heads *before* the 
breaking updates

and no, when in your company people can't work because DNS is broken you 
don't call foreign admins and directors - you have to fix that *now* and 
after you have fixed it you have no longer arguments why call somebody 
with no direct relations



Re: Enforce EDNS

2017-02-07 Thread Mark Andrews

In message <3836f038-c480-9970-fd53-a5c87ad36...@thelounge.net>, Reindl Harald
writes:
> 
> 
> On 07.02.2017 at 18:13, Chuck Anderson wrote:
> > On Tue, Feb 07, 2017 at 11:59:39AM +1100, Mark Andrews wrote:
> >> I really don't want to add new automatic work arounds for broken
> >> servers but it requires people being willing to accept that
> >> lookups will fail.  That manual work arounds will now have to
> >> be done. e.g. "server ... { send-cookie no; };"
> >>
> >> Servers not answering with EDNS or EDNS + DNS COOKIE would require
> >> operator intervention.
> >
> > Break them.  That's the only way it will eventually get fixed
> 
> if things would be that easy
> 
> the admins of the broken servers are the very last which are affected, 
> admins with a recent named have to bite the bullet of user terror and 
> users typically don't give a damn when it worked yesterday
> 
> the admins of the broken server don't give a damn about as long they can 
> point their fingers and say "look, the rest of the world has no lookup 
> errors"
> 
> if it would be that easy the problem of spam would not exist for many 
> years while in reality you waste most of our time to write exceptions 
> here and there, disable rules or score them lower because you are not in 
> the position to educate every admin of sending servers out there

You go over the admin's head.  You go to the board of directors.
You go to the minister responsible (yes, I have had to do that
along with a copy to the shadow minister and the company that the
DNS was outsourced to for government domains).  Good old snail mail.

Mark



Re: Enforce EDNS

2017-02-07 Thread wbrown
From: Matthew Pounsett 

> I fully support breaking resolution for such servers.  I'd rather 
> have a hard failure on my end that I can investigate, and work 
> around if necessary, than have my server wasting cycles trying to 
> guess what sort of broken state there is on the far end.   It would 
> also give me the heads up I need to contact the admin on the far end
> and report their servers' broken behaviour. 

And the remote admin would say "Well, it must be your problem because no 
one else is complaining."

I get the same line of BS when I refuse to honor a whitelisted domain in 
my spam filter if they fail SPF checks.  Not many filters do that, but I 
think it is a great idea.  People dread hearing from the IRS, but they 
can't afford to block the emails.




Re: Enforce EDNS

2017-02-07 Thread Reindl Harald



On 07.02.2017 at 18:13, Chuck Anderson wrote:
> On Tue, Feb 07, 2017 at 11:59:39AM +1100, Mark Andrews wrote:
>> I really don't want to add new automatic work arounds for broken
>> servers but it requires people being willing to accept that
>> lookups will fail.  That manual work arounds will now have to
>> be done. e.g. "server ... { send-cookie no; };"
>>
>> Servers not answering with EDNS or EDNS + DNS COOKIE would require
>> operator intervention.
>
> Break them.  That's the only way it will eventually get fixed

if things would be that easy

the admins of the broken servers are the very last which are affected, 
admins with a recent named have to bite the bullet of user terror and 
users typically don't give a damn when it worked yesterday

the admins of the broken server don't give a damn about as long they can 
point their fingers and say "look, the rest of the world has no lookup 
errors"

if it would be that easy the problem of spam would not exist for many 
years while in reality you waste most of our time to write exceptions 
here and there, disable rules or score them lower because you are not in 
the position to educate every admin of sending servers out there



Re: Enforce EDNS

2017-02-07 Thread Matthew Pounsett
On 6 February 2017 at 19:59, Mark Andrews  wrote:

>
> Unfortunately we then need to decide what to do with servers that
> don't answer EDNS + DNS COOKIE queries.  Currently we fall back to
> plain DNS which works except when there is a signed zone involved
> and the server is validating.
>
> I really don't want to add new automatic work arounds for broken
> servers but it requires people being willing to accept that
> lookups will fail.  That manual work arounds will now have to
> be done. e.g. "server ... { send-cookie no; };"


I fully support breaking resolution for such servers.  I'd rather have a
hard failure on my end that I can investigate, and work around if
necessary, than have my server wasting cycles trying to guess what sort of
broken state there is on the far end.   It would also give me the heads up
I need to contact the admin on the far end and report their servers' broken
behaviour.

Re: Enforce EDNS

2017-02-07 Thread Chuck Anderson
On Tue, Feb 07, 2017 at 11:59:39AM +1100, Mark Andrews wrote:
> I really don't want to add new automatic work arounds for broken
> servers but it requires people being willing to accept that
> lookups will fail.  That manual work arounds will now have to
> be done. e.g. "server ... { send-cookie no; };"
> 
> Servers not answering with EDNS or EDNS + DNS COOKIE would require
> operator intervention.

Break them.  That's the only way it will eventually get fixed.


Re: Enforce EDNS

2017-02-07 Thread Matus UHLAR - fantomas

> In message , Daniel Stirnimann
> writes:
>> Hello all,
>>
>> Our resolver failed to contact an upstream name server as a result of
>> network connectivity issues. named retries eventually worked but as it
>> reverted back to not using EDNS and the answer should have been signed,
>> the query response failed to validate. Subsequent queries towards this
>> upstream name server were not utilizing EDNS as well because named
>> remembers a name server's capabilities for some time (See also
>> https://deepthought.isc.org/article/AA-00510/0)
>>
>> My question is, can I enforce EDNS usage for a name server? I was
>> thinking of the 'edns' clause in the server settings [1]. However, this
>> is already enabled by default and only applies to an "attempt".

On 07.02.17 11:59, Mark Andrews wrote:
> I've also been thinking about no longer falling back to plain DNS
> on no answer.  False positives on not supporting EDNS impact on
> DNSSEC resolution.  Most firewalls now pass EDNS and most of the
> old Microsoft servers that don't answer a second EDNS request are
> gone.  Any remaining servers would then need to be handled via
> server ... { edns no; };
>
> Unfortunately we then need to decide what to do with servers that
> don't answer EDNS + DNS COOKIE queries.  Currently we fall back to
> plain DNS which works except when there is a signed zone involved
> and the server is validating.

fall back for how long? maybe for the same random time as RTT measurements
are done - remember for a while, but retry with edns on after.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*


Re: Enforce EDNS

2017-02-07 Thread G.W. Haywood

Hi there,

On Tue, 7 Feb 2017, Mark Andrews wrote:

> I really don't want to add new automatic work arounds for broken
> servers but it requires people being willing to accepting that
> lookups will fail.  That manual work arounds will now have to be
> done. e.g. "server ... { send-cookie no; };"

+2

--

73,
Ged.


Re: Enforce EDNS

2017-02-07 Thread Daniel Stirnimann
> Named doesn't have a switch to force EDNS though I suppose we could
> add one to 9.12.  e.g. server ... { edns force; };

I would find this useful.

> I really don't want to add new automatic work arounds for broken
> servers but it requires people being willing to accept that
> lookups will fail.  That manual work arounds will now have to
> be done. e.g. "server ... { send-cookie no; };"

I can only speak for the DNS resolvers I'm operating but I would be
willing to accept that. At some point in time, those broken name servers
need to be fixed. If more users start sending complaints to the name
server operator that might help.

Daniel


Re: Enforce EDNS

2017-02-06 Thread Mark Andrews

In message , Daniel Stirnimann 
writes:
> Hello all,
> 
> Our resolver failed to contact an upstream name server as a result of
> network connectivity issues. named retries eventually worked but as it
> reverted back to not using EDNS and the answer should have been signed,
> the query response failed to validate. Subsequent queries towards this
> upstream name server were not utilizing EDNS as well because named
> remembers a name server's capabilities for some time (See also
> https://deepthought.isc.org/article/AA-00510/0)
> 
> My question is, can I enforce EDNS usage for a name server? I was
> thinking of the 'edns' clause in the server settings [1]. However, this
> is already enabled by default and only applies to an "attempt".

Named doesn't have a switch to force EDNS though I suppose we could
add one to 9.12.  e.g. server ... { edns force; };

I've also been thinking about no longer falling back to plain DNS
on no answer.  False positives on not supporting EDNS impact on
DNSSEC resolution.  Most firewalls now pass EDNS and most of the
old Microsoft servers that don't answer a second EDNS request are
gone.  Any remaining servers would then need to be handled via
server ... { edns no; };

Unfortunately we then need to decide what to do with servers that
don't answer EDNS + DNS COOKIE queries.  Currently we fall back to
plain DNS which works except when there is a signed zone involved
and the server is validating.

I really don't want to add new automatic work arounds for broken
servers but it requires people being willing to accept that
lookups will fail.  That manual work arounds will now have to
be done. e.g. "server ... { send-cookie no; };"

Servers not answering with EDNS or EDNS + DNS COOKIE would require
operator intervention.

Mark

> Daniel
> 
> [1]
> https://ftp.isc.org/isc/bind9/cur/9.11/doc/arm/Bv9ARM.ch06.html#server_statement_grammar
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
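Mark's description above (fall back to plain DNS when an EDNS or EDNS + DNS COOKIE query gets no answer, which works until a signed zone meets a validating resolver) and his per-server `edns no;` / `send-cookie no;` overrides earlier in the thread both hinge on what a resolver can learn from a single probe. The Python script below is an added example, not code from the thread, from ISC, or from BIND, and only loosely resembles the kind of check ednscomp reports: it builds a query carrying an OPT record with a DNS COOKIE option (RFC 6891, RFC 7873), parses a response, and classifies the far end. Every sample response is constructed inline; the client cookie value, `example.com.` and the category names are my own choices, so it runs offline without sending a packet.

```python
import struct

OPT_TYPE = 41          # OPT pseudo-RR type (RFC 6891)
COOKIE_OPTION = 10     # COOKIE option code (RFC 7873)
DO_FLAG = 0x8000       # DNSSEC OK bit, carried in the OPT "TTL" field
RCODE_FORMERR = 1


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b''
    for label in name.rstrip('.').split('.'):
        out += bytes([len(label)]) + label.encode('ascii')
    return out + b'\x00'


def skip_name(data, off):
    """Return the offset just past a name, honouring compression pointers."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def build_opt(client_cookie=None, server_cookie=b'', dnssec_ok=True, udp_size=4096):
    """OPT RR: root name, type 41, class = UDP size, TTL = flags, optional COOKIE."""
    rdata = b''
    if client_cookie is not None:
        cookie = client_cookie + server_cookie   # 8 bytes client, 8-32 bytes server
        rdata = struct.pack('!HH', COOKIE_OPTION, len(cookie)) + cookie
    ttl = DO_FLAG if dnssec_ok else 0
    return b'\x00' + struct.pack('!HHIH', OPT_TYPE, udp_size, ttl, len(rdata)) + rdata


def build_query(qname, qtype=1, qid=0x1234, edns=True, client_cookie=None):
    """Query with RD set; the OPT RR sits in the additional section only if edns."""
    header = struct.pack('!HHHHHH', qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(qname) + struct.pack('!HH', qtype, 1)
    return msg + build_opt(client_cookie) if edns else msg


def build_response(qname, qid=0x1234, rcode=0, opt=None):
    """Constructed sample response: QR/RD/RA set, empty answer, OPT only if given."""
    header = struct.pack('!HHHHHH', qid, 0x8180 | rcode, 1, 0, 0, 1 if opt else 0)
    return header + encode_name(qname) + struct.pack('!HH', 1, 1) + (opt or b'')


def parse_message(data):
    """Extract rcode, OPT presence, DO bit and the COOKIE option from a message."""
    qid, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', data[:12])
    info = {'id': qid, 'rcode': flags & 0x000F, 'opt': False, 'do': False, 'cookie': None}
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4           # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack('!HHIH', data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        info['opt'] = True
        info['do'] = bool(ttl & DO_FLAG)
        i = 0
        while i + 4 <= len(rdata):                # walk the option list
            code, length = struct.unpack('!HH', rdata[i:i + 4])
            if code == COOKIE_OPTION:
                info['cookie'] = rdata[i + 4:i + 4 + length]
            i += 4 + length
    return info


def classify(response, client_cookie):
    """Map one probe result to what it tells the resolver about the far end."""
    if response is None:
        return 'no-answer'           # timeout: falling back to plain DNS drops DO too
    info = parse_message(response)
    if not info['opt']:
        if info['rcode'] == RCODE_FORMERR:
            return 'formerr-no-opt'  # pre-EDNS server, the server { edns no; } case
        return 'opt-stripped'        # answered but EDNS discarded, often a middlebox
    cookie = info['cookie']
    if cookie is None:
        return 'edns-ok-no-cookie'   # EDNS fine, COOKIE ignored: nothing to override
    if not 16 <= len(cookie) <= 40 or cookie[:8] != client_cookie:
        return 'bad-cookie-echo'     # malformed or foreign cookie: treat as untrusted
    return 'edns-cookie-ok'


# Constructed samples: the fixed client cookie and example.com. are arbitrary.
CLIENT_COOKIE = bytes.fromhex('0123456789abcdef')
QUERY = build_query('example.com.', client_cookie=CLIENT_COOKIE)
SAMPLES = {
    'compliant': build_response('example.com.', opt=build_opt(CLIENT_COOKIE, bytes(range(8)))),
    'edns-only': build_response('example.com.', opt=build_opt()),
    'legacy-formerr': build_response('example.com.', rcode=RCODE_FORMERR),
    'middlebox-stripped': build_response('example.com.'),
    'dropped': None,
}


def classify_samples():
    """Run every constructed sample through the classifier."""
    return {name: classify(resp, CLIENT_COOKIE) for name, resp in SAMPLES.items()}


if __name__ == '__main__':
    for name, verdict in classify_samples().items():
        print(f'{name:20s} -> {verdict}')
    print('DO bit in EDNS query:', parse_message(QUERY)['do'])
    print('DO bit after fallback:', parse_message(build_query('example.com.', edns=False))['do'])
```

Two points the classifier makes concrete. A `no-answer` verdict is exactly the situation the thread argues about: the DO bit lives in the OPT record, so a retry without OPT cannot ask for RRSIGs, and a validating resolver then fails the lookup on its own side rather than on the broken server's. An `opt-stripped` or `formerr-no-opt` verdict points at a server or middlebox that answers but discards EDNS, which is what a per-server `edns no;` override addresses, whereas a server that answers EDNS but not EDNS + COOKIE is the `send-cookie no;` case.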