Re: EDNS, 9.12 and archives.gov
Thank you Mark. Your insight and detail is always helpful and immensely appreciated. For what it's worth, I will make it a point to reach out to the relevant parties to grouse to the extent possible about the damage done by DNS servers authoritative for DNSSEC-signed zones that aren't properly supporting EDNS.

many thanks,
mark

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: EDNS, 9.12 and archives.gov
archives.gov is served by the following servers:

    archives.gov. 300 IN NS sauthns1.qwest.net.
    archives.gov. 300 IN NS sauthns2.qwest.net.

Those servers return BADVERS to EDNS(0) queries with an EDNS option present. BADVERS is NEVER a valid rcode to an EDNS(0) request because there is no EDNS version smaller than version 0.

BADVERS was defined in RFC 2671. Its purpose is to negotiate the highest common EDNS version the client and server support, which is determined by the version field in the EDNS request. Now RFC 2671 didn't explicitly specify how to handle unknown EDNS options, but STD 13 has a catch-all rcode (FORMERR) for how to answer unknown messages. RFC 2671 has subsequently been replaced by RFC 6891, which explicitly says to ignore unknown EDNS options.

Named treats BADVERS to an EDNS(0) query as an indication that the server DOES NOT UNDERSTAND EDNS, as it is a response that should never appear, and retries the query without an EDNS option present. This is fine if the data being served is from an unsigned zone. This, however, DOES NOT WORK with DNSSEC, as DNSSEC REQUIRES EDNS to send the DO=1 bit to the server to get a DNSSEC response.

QWEST were informed years ago that their servers are broken. Making up stuff is not the way to get interoperability.

The best thing archive.gov can do now is find a DNS provider that uses DNS servers that follow the DNS protocol.

Mark

On 12 Apr 2018, at 4:28 am, Mark Boolootian wrote:

> Hi folks,
>
> I upgraded out of 9.10 and into 9.12 last week. Subsequent to that, I received complaints about hosts in archives.gov failing to resolve.
>
> We run validating recursive servers, and archives.gov is signed.
>
> I've poked at this but concluded I lack enough DNS foo to understand the specifics of the trouble. It seems clear that archives.gov isn't fully baked when it comes to EDNS:
>
> https://ednscomp.isc.org/ednscomp/77e4f9ead1
>
> and I suspect that is what causes the resolution failures.
>
> I've read the thread on "Enforce EDNS". I've tried reaching out to the standard RFC2142 aliases at archives.gov, but it looks like most of them bounce. I'm not feeling particularly optimistic about being able to effect change on that end, even if I got an answer.
>
> I'm wondering if anyone from this august group can clue me in to how I might config around this issue for the archives.gov servers (assuming that is possible).
>
> Any help greatly appreciated.
>
> best regards,
> mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
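An added example, not code from this thread or from BIND, that encodes the distinction Mark draws above: it builds an EDNS(0) query carrying a COOKIE option (what `dig +cookie` sends), reads the effective rcode of a reply as header RCODE combined with the OPT EXTENDED-RCODE, and flags BADVERS in answer to a version-0 query as broken server behaviour instead of something to negotiate around. `make_reply` constructs replies offline for testing; no server is contacted.

```python
import struct
OPT, COOKIE, BADVERS = 41, 10, 16  # OPT RR type; COOKIE option code (RFC 7873); EXTENDED-RCODE 1 -> rcode 16

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype=2, txid=0x1234, edns=True, do=True, cookie=None):
    """Non-recursive query (like dig +norecur); with edns=True an EDNS(0) OPT RR is appended."""
    msg = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 1 if edns else 0) + encode_name(name) + struct.pack(">HH", qtype, 1)
    if not edns:
        return msg
    rdata = struct.pack(">HH", COOKIE, len(cookie)) + cookie if cookie else b""
    ttl = 0x8000 if do else 0  # OPT TTL = EXTENDED-RCODE(8) | VERSION(8)=0 | DO(1) | Z(15)
    return msg + b"\x00" + struct.pack(">HHIH", OPT, 4096, ttl, len(rdata)) + rdata

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # labels until the root byte or a compression pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def response_rcode(msg):
    """(effective rcode, opt_seen); effective rcode = EXTENDED-RCODE << 4 | header RCODE (RFC 6891 6.1.3)."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    rcode, off, opt_seen = flags & 0x0F, 12, False
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            opt_seen, rcode = True, rcode | ((ttl >> 24) << 4)
    return rcode, opt_seen

def make_reply(query, ext_rcode=0, with_opt=True):
    # Constructed reply for testing: echo the question, set QR, optionally add an OPT carrying EXTENDED-RCODE.
    qend = skip_name(query, 12) + 4
    hdr = struct.pack(">HHHHHH", struct.unpack(">H", query[:2])[0], 0x8000, 1, 0, 0, 1 if with_opt else 0)
    opt = b"\x00" + struct.pack(">HHIH", OPT, 4096, ext_rcode << 24, 0) if with_opt else b""
    return hdr + query[12:qend] + opt

def classify(query, reply):
    """Judge a reply to our query: BADVERS is only legitimate when the query's VERSION is > 0, which we never send."""
    q_has_opt = response_rcode(query)[1]
    r_rcode, r_has_opt = response_rcode(reply)
    if q_has_opt and r_rcode == BADVERS:
        return "broken-badvers"  # named falls back to no EDNS, so DO=1 cannot be sent and signed data is lost
    if q_has_opt and not r_has_opt:
        return "no-edns"         # reply without OPT: the server ignores EDNS entirely
    return "ok" if r_rcode == 0 else "rcode-%d" % r_rcode
```

A resolver that sees "broken-badvers" from every authoritative server of a signed zone cannot validate that zone, which is the failure the thread describes.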
Re: EDNS, 9.12 and archives.gov
Ah, you are awesome Carl! Thank you!! And doh, stupid me. I was emailing the wrong people.

On Wed, Apr 11, 2018 at 11:45 AM, Carl Byington wrote:

> On Wed, 2018-04-11 at 11:28 -0700, Mark Boolootian wrote:
>
>> I'm wondering if anyone from this august group can clue me in to how I might config around this issue for the archives.gov servers (assuming that is possible).
>
>     // 9-11commission.gov. servers that don't understand edns options
>     // dns-ad...@qwestip.net.
>     // dig 9-11commission.gov. ns @63.150.72.5 +norecur +cookie
>     // dig 9-11commission.gov. ns @63.150.72.5 +norecur +nocookie
>     server 63.150.72.5 { send-cookie no; };
>
>     // 9-11commission.gov. servers that don't understand edns options
>     // dns-ad...@qwestip.net.
>     // dig 9-11commission.gov. ns @208.44.130.121 +norecur +cookie
>     // dig 9-11commission.gov. ns @208.44.130.121 +norecur +nocookie
>     server 208.44.130.121 { send-cookie no; };
>
>     // 9-11commission.gov. servers that don't understand edns options
>     // dns-ad...@qwestip.net.
>     // dig 9-11commission.gov. ns @2001:428::7 +norecur +cookie
>     // dig 9-11commission.gov. ns @2001:428::7 +norecur +nocookie
>     server 2001:428::7 { send-cookie no; };
>
>     // 9-11commission.gov. servers that don't understand edns options
>     // dns-ad...@qwestip.net.
>     // dig 9-11commission.gov. ns @2001:428::8 +norecur +cookie
>     // dig 9-11commission.gov. ns @2001:428::8 +norecur +nocookie
>     server 2001:428::8 { send-cookie no; };
Re: EDNS, 9.12 and archives.gov
On Wed, 2018-04-11 at 11:28 -0700, Mark Boolootian wrote:

> I'm wondering if anyone from this august group can clue me in to how I might config around this issue for the archives.gov servers (assuming that is possible).

    // 9-11commission.gov. servers that don't understand edns options
    // dns-ad...@qwestip.net.
    // dig 9-11commission.gov. ns @63.150.72.5 +norecur +cookie
    // dig 9-11commission.gov. ns @63.150.72.5 +norecur +nocookie
    server 63.150.72.5 { send-cookie no; };

    // 9-11commission.gov. servers that don't understand edns options
    // dns-ad...@qwestip.net.
    // dig 9-11commission.gov. ns @208.44.130.121 +norecur +cookie
    // dig 9-11commission.gov. ns @208.44.130.121 +norecur +nocookie
    server 208.44.130.121 { send-cookie no; };

    // 9-11commission.gov. servers that don't understand edns options
    // dns-ad...@qwestip.net.
    // dig 9-11commission.gov. ns @2001:428::7 +norecur +cookie
    // dig 9-11commission.gov. ns @2001:428::7 +norecur +nocookie
    server 2001:428::7 { send-cookie no; };

    // 9-11commission.gov. servers that don't understand edns options
    // dns-ad...@qwestip.net.
    // dig 9-11commission.gov. ns @2001:428::8 +norecur +cookie
    // dig 9-11commission.gov. ns @2001:428::8 +norecur +nocookie
    server 2001:428::8 { send-cookie no; };
EDNS, 9.12 and archives.gov
Hi folks,

I upgraded out of 9.10 and into 9.12 last week. Subsequent to that, I received complaints about hosts in archives.gov failing to resolve.

We run validating recursive servers, and archives.gov is signed.

I've poked at this but concluded I lack enough DNS foo to understand the specifics of the trouble. It seems clear that archives.gov isn't fully baked when it comes to EDNS:

https://ednscomp.isc.org/ednscomp/77e4f9ead1

and I suspect that is what causes the resolution failures.

I've read the thread on "Enforce EDNS". I've tried reaching out to the standard RFC2142 aliases at archives.gov, but it looks like most of them bounce. I'm not feeling particularly optimistic about being able to effect change on that end, even if I got an answer.

I'm wondering if anyone from this august group can clue me in to how I might config around this issue for the archives.gov servers (assuming that is possible).

Any help greatly appreciated.

best regards,
mark