Re: [dns-operations] DHL.com failures

2023-10-04 Thread Viktor Dukhovni
On Wed, Oct 04, 2023 at 04:46:42PM +0200, Martin Wismer wrote:

> We could get an answer from all of the dhl.com NS RR TXT.  It's a big
> answer, bigger than 2200 bytes. Maybe they have rate limits on it.

That's not the issue.  The OP also reported that answers arrive when no
EDNS options are used (no NSID and no COOKIEs), but EDNS option
intolerance is EDNS-noncompliance.  Unsupported options must be simply
ignored, rather than cause the query to be dropped.

-- 
Viktor.
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
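
The probe sequence behind the diagnosis discussed in this thread, as an added example that is not part of any list message: it builds the same TXT query in wire format with no EDNS, a bare OPT record, NSID and COOKIE, then classifies which variants went unanswered. Function names, the fixed 8-byte client cookie and the `OBSERVED` results are constructed for illustration.

```python
import struct

TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1
OPT_NSID, OPT_COOKIE = 3, 10  # EDNS option codes (RFC 5001, RFC 7873)

def build_query(qname, qtype=TYPE_TXT, edns_options=None, qid=0x1234, udp_size=1232):
    """Wire-format query. edns_options=None: no OPT RR; []: OPT RR with no options."""
    arcount = 0 if edns_options is None else 1
    msg = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, arcount)  # flags 0: RD clear
    for label in qname.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", qtype, CLASS_IN)
    if edns_options is not None:
        rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                         for code, data in edns_options)
        # OPT RR (RFC 6891): root owner, TYPE 41, CLASS = UDP payload size,
        # TTL = extended RCODE / version / flags (all zero), then the options.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, len(rdata)) + rdata
    return msg

def probe_set(qname, cookie=bytes(8)):
    """One query per EDNS variant; the all-zero client cookie is a constructed value."""
    return {
        "plain": build_query(qname),
        "edns": build_query(qname, edns_options=[]),
        "edns+nsid": build_query(qname, edns_options=[(OPT_NSID, b"")]),
        "edns+cookie": build_query(qname, edns_options=[(OPT_COOKIE, cookie)]),
    }

def classify(answered):
    """answered maps probe name -> True if any response arrived before timeout."""
    if not answered["plain"]:
        return "unreachable: no answer even without EDNS"
    if not answered["edns"]:
        return "EDNS intolerance: bare OPT record dropped"
    dropped = [n for n in ("edns+nsid", "edns+cookie") if not answered[n]]
    return "option intolerance: " + ", ".join(dropped) if dropped else "compliant"

# Constructed observation mirroring the reports in this thread.
OBSERVED = {"plain": True, "edns": True, "edns+nsid": False, "edns+cookie": False}

if __name__ == "__main__":
    for name, wire in probe_set("dhl.com").items():
        print(f"{name:12} {len(wire):3d} bytes  {wire.hex()}")
    print(classify(OBSERVED))
```

Each probe would be sent over UDP to one authoritative server with a timeout and retries, and the per-probe outcome fed to `classify`.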


Re: [dns-operations] DHL.com failures

2023-10-04 Thread Martin Wismer

Hello
We could get an answer from all of the dhl.com NS RR TXT.
It's a big answer, bigger than 2200 bytes. Maybe they have rate limits
on it.

Regards
  Martin.Wismer.


Re: [dns-operations] DHL.com failures

2023-10-04 Thread Viktor Dukhovni
On Wed, Oct 04, 2023 at 03:10:13PM +0200, Borja Marcos via dns-operations wrote:

> dhl.com/TXT: No response was received from the server over UDP (tried
> 7 times) until the NSID EDNS option was removed (however, this server
> appeared to respond legitimately to other queries with the NSID EDNS
> option present).

Also, the NS RRset at the ".COM" parent zone has only 3 of the six
nameservers listed at the child zone apex.  And the text RRset is rather
rich with "domain verification" tokens, perhaps at least some need not
be persisted after the initial verification?

-- 
Viktor.


[dns-operations] DHL.com failures

2023-10-04 Thread Borja Marcos via dns-operations
--- Begin Message ---

Maybe someone from DHL can come to the courtesy phone? 

Our TXT queries are failing because their EDNS implementation is faulty.

(from dnsviz.net)

dhl.com/TXT: No response was received from the server over UDP (tried 7 times) 
until the NSID EDNS option was removed (however, this server appeared to 
respond legitimately to other queries with the NSID EDNS option present).


We have disabled DNS cookies when querying their authoritative servers but, 
well, I’d rather enable them again.

Cheers,

Borja Marcos.

--- End Message ---