Re: EDNS, 9.12 and archives.gov

2018-04-11 Thread Mark Boolootian
Thank you Mark.  Your insight and detail is
always helpful and immensely appreciated.  For
what it's worth, I will make it a point to reach
out to the relevant parties to grouse to the
extent possible about the damage done by
DNS servers authoritative for DNSSEC signed
zones that aren't properly supporting EDNS.

many thanks,
mark
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: EDNS, 9.12 and archives.gov

2018-04-11 Thread Mark Andrews

Archives.org is served by the following servers.

archives.gov.   300 IN  NS  sauthns1.qwest.net.
archives.gov.   300 IN  NS  sauthns2.qwest.net.

Those servers return BADVERS to EDNS(0) queries with an EDNS option
present.  BADVERS is NEVER a valid rcode to an EDNS(0) request because
there is no EDNS version smaller than version 0.  BADVERS was defined
in RFC 2671.  Its purpose is to negotiate the highest common EDNS
version the client and server support, which is determined by the
version field in the EDNS request.

Now RFC 2671 didn’t explicitly specify how to handle unknown EDNS
options but STD 13 has a catch all rcode (FORMERR) for how to answer
unknown messages.

RFC 2671 has subsequently been replaced by RFC 6891 which explicitly
says to ignore unknown EDNS options.

Named treats BADVERS to an EDNS(0) query as an indication that the
server DOES NOT UNDERSTAND EDNS, as it is a response that should never
appear, and retries the query without an EDNS option present.  This is
fine if the data being served is from an unsigned zone.  This, however,
DOES NOT WORK with DNSSEC, as DNSSEC REQUIRES EDNS to send the DO=1
bit to the server to get a DNSSEC response.

QWEST were informed years ago that their servers are broken.  Making
up stuff is not the way to get interoperability.

The best thing archive.gov can do now is find a DNS provider that
uses DNS servers that follow the DNS protocol.

Mark

On 12 Apr 2018, at 4:28 am, Mark Boolootian  wrote:
> 
> 
> 
> Hi folks,
> 
> I upgraded out of 9.10 and into 9.12
> last week.  Subsequent to that, I received
> complaints about hosts in archives.gov
> failing to resolve.
> 
> We run validating recursive servers, and
> archives.gov is signed.  
> 
> I've poked at this but concluded I lack
> enough DNS foo to understand the specifics
> of the trouble.  It seems clear that archives.gov
> isn't fully baked when it comes to EDNS:
> 
> https://ednscomp.isc.org/ednscomp/77e4f9ead1
> 
> and I suspect that is what causes the resolution
> failures.
> 
> I've read the thread on "Enforce EDNS".  I've
> tried reaching out to the standard RFC2142
> aliases at archives.gov, but it looks like most of
> them bounce.  I'm not feeling particularly optimistic
> about being able to effect change on that end,
> even if I got an answer.
> 
> I'm wondering if anyone from this august group
> can clue me in to how I might config around this
> issue for the archives.gov servers (assuming that
> is possible).
> 
> Any help greatly appreciated.
> 
> best regards,
> mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org

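The failure mode Mark describes above, as an added example that is not part of the thread: a small checker that pulls the 12-bit extended RCODE and EDNS version out of a reply's OPT record and reports whether a resolver would be pushed into the no-EDNS fallback (and so lose the DO bit). The wire-format builder, the reply samples and the verdict strings are all constructed here; nothing is taken from named's own code.

```python
import struct

OPT_TYPE = 41          # EDNS(0) OPT pseudo-RR (RFC 6891)
RCODE_FORMERR = 1
RCODE_BADVERS = 16     # extended rcode: the upper 8 bits live in the OPT TTL field

def _skip_name(msg, off):
    """Advance past a wire-format name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def response_rcode(msg):
    """Return (12-bit rcode, EDNS version) or (4-bit rcode, None) when no OPT is present."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, version, off = flags & 0xF, None, 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            rcode |= (ttl >> 24) << 4             # EXTENDED-RCODE
            version = (ttl >> 16) & 0xFF          # VERSION
    return rcode, version

def classify(msg, dnssec_wanted=True):
    """Verdict for a reply to a version-0 EDNS query (labels are this example's own)."""
    rcode, version = response_rcode(msg)
    if version is None:
        # STD 13 style rejection or an OPT-less reply: both force the no-EDNS retry
        return "formerr-no-edns" if rcode == RCODE_FORMERR else "no-edns"
    if rcode == RCODE_BADVERS:
        # BADVERS to a version-0 query can never be legitimate version negotiation;
        # the resolver retries without EDNS, and then DO=1 cannot be sent at all.
        return "badvers-breaks-dnssec" if dnssec_wanted else "badvers-fallback"
    return "ok"

def make_reply(base_rcode=0, ext_rcode=0, with_opt=True):
    """Constructed sample: a minimal reply to 'archives.gov NS' with no answer RRs."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180 | base_rcode, 1, 0, 0, 1 if with_opt else 0)
    question = b"\x08archives\x03gov\x00" + struct.pack("!HH", 2, 1)   # NS, IN
    opt = b""
    if with_opt:
        ttl = (ext_rcode << 24) | (0 << 16) | 0x8000    # version 0, DO=1
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, 0)
    return hdr + question + opt
```

A BADVERS reply encodes rcode 16 as EXTENDED-RCODE 1 with the header's low four bits zero, which is why a check that only looks at the header flags misses it.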


Re: EDNS, 9.12 and archives.gov

2018-04-11 Thread Mark Boolootian
Ah, you are awesome Carl!  Thank
you!!   And doh, stupid me.  I was
emailing the wrong people.

On Wed, Apr 11, 2018 at 11:45 AM, Carl Byington  wrote:
>
> On Wed, 2018-04-11 at 11:28 -0700, Mark Boolootian wrote:
>
>
>> I'm wondering if anyone from this august group
>> can clue me in to how I might config around this
>> issue for the archives.gov servers (assuming that
>> is possible).
>
> // 9-11commission.gov. servers that don't understand edns options
> // dns-ad...@qwestip.net.
> // dig 9-11commission.gov. ns @63.150.72.5 +norecur   +cookie
> // dig 9-11commission.gov. ns @63.150.72.5 +norecur +nocookie
> server 63.150.72.5 { send-cookie no; };
>
> // 9-11commission.gov. servers that don't understand edns options
> // dns-ad...@qwestip.net.
> // dig 9-11commission.gov. ns @208.44.130.121 +norecur   +cookie
> // dig 9-11commission.gov. ns @208.44.130.121 +norecur +nocookie
> server 208.44.130.121 { send-cookie no; };
>
> // 9-11commission.gov. servers that don't understand edns options
> // dns-ad...@qwestip.net.
> // dig 9-11commission.gov. ns @2001:428::7 +norecur   +cookie
> // dig 9-11commission.gov. ns @2001:428::7 +norecur +nocookie
> server 2001:428::7 { send-cookie no; };
>
> // 9-11commission.gov. servers that don't understand edns options
> // dns-ad...@qwestip.net.
> // dig 9-11commission.gov. ns @2001:428::8 +norecur   +cookie
> // dig 9-11commission.gov. ns @2001:428::8 +norecur +nocookie
> server 2001:428::8 { send-cookie no; };
>


Re: EDNS, 9.12 and archives.gov

2018-04-11 Thread Carl Byington
On Wed, 2018-04-11 at 11:28 -0700, Mark Boolootian wrote:


> I'm wondering if anyone from this august group
> can clue me in to how I might config around this
> issue for the archives.gov servers (assuming that
> is possible).

// 9-11commission.gov. servers that don't understand edns options
// dns-ad...@qwestip.net.
// dig 9-11commission.gov. ns @63.150.72.5 +norecur   +cookie
// dig 9-11commission.gov. ns @63.150.72.5 +norecur +nocookie
server 63.150.72.5 { send-cookie no; };

// 9-11commission.gov. servers that don't understand edns options
// dns-ad...@qwestip.net.
// dig 9-11commission.gov. ns @208.44.130.121 +norecur   +cookie
// dig 9-11commission.gov. ns @208.44.130.121 +norecur +nocookie
server 208.44.130.121 { send-cookie no; };

// 9-11commission.gov. servers that don't understand edns options
// dns-ad...@qwestip.net.
// dig 9-11commission.gov. ns @2001:428::7 +norecur   +cookie
// dig 9-11commission.gov. ns @2001:428::7 +norecur +nocookie
server 2001:428::7 { send-cookie no; };

// 9-11commission.gov. servers that don't understand edns options
// dns-ad...@qwestip.net.
// dig 9-11commission.gov. ns @2001:428::8 +norecur   +cookie
// dig 9-11commission.gov. ns @2001:428::8 +norecur +nocookie
server 2001:428::8 { send-cookie no; };



EDNS, 9.12 and archives.gov

2018-04-11 Thread Mark Boolootian
Hi folks,

I upgraded out of 9.10 and into 9.12
last week.  Subsequent to that, I received
complaints about hosts in archives.gov
failing to resolve.

We run validating recursive servers, and
archives.gov is signed.

I've poked at this but concluded I lack
enough DNS foo to understand the specifics
of the trouble.  It seems clear that archives.gov
isn't fully baked when it comes to EDNS:

https://ednscomp.isc.org/ednscomp/77e4f9ead1

and I suspect that is what causes the resolution
failures.

I've read the thread on "Enforce EDNS".  I've
tried reaching out to the standard RFC2142
aliases at archives.gov, but it looks like most of
them bounce.  I'm not feeling particularly optimistic
about being able to effect change on that end,
even if I got an answer.

I'm wondering if anyone from this august group
can clue me in to how I might config around this
issue for the archives.gov servers (assuming that
is possible).

Any help greatly appreciated.

best regards,
mark