RE: When does BIND send queries with DO flag enabled?

2010-09-30 Thread Taylor, Gord

Thanks. It took a long time to sort out the root cause because EDNS0
(dig @host record.sample +edns=0) caused no problems; only +dnssec
caused failures. The business partner has already fixed their firewall
(allow_dnssec_bit=1 on CheckPoint), but I wanted to understand the root
cause in order to proactively prevent future problems.

Kalman - thanks I'll check the mailing list history. I did that before
posting, but couldn't find the right set of keywords to find the chain
you're referencing.

Kevin (et al.) - apologies for the legal notice. It's added at our SMTP
gateway, so not something I can control on a per-message basis either.
If I could get to my webmail account (also blocked) I'd send from there.
Welcome to corporate environments...


-Original Message-
From: Evan Hunt [mailto:e...@isc.org] 
Sent: 2010, September, 29 7:25 PM
To: Taylor, Gord
Cc: bind-us...@isc.org
Subject: Re: When does BIND send queries with DO flag enabled?

> Can someone explain when BIND sets DO flag and when it won't? Most of
> my client workstations are XPSP3, and NONE of the queries coming from
> those clients have DO flag set.

The DO bit is part of the EDNS option record, and some servers (and more
to the point, some firewalls) are broken and don't understand EDNS.
When BIND doesn't initially get an answer to a query, it retries in
different ways, and eventually (on the third try, if I recall correctly)
it tries omitting the EDNS option.  No EDNS means no DO bit, and I'm
pretty sure that's what you're seeing on the trace.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: When does BIND send queries with DO flag enabled?

2010-09-30 Thread Tony Finch
On Thu, 30 Sep 2010, Taylor, Gord wrote:

> The business partner has already fixed their firewall
> (allow_dnssec_bit=1 on CheckPoint)

Just in case anyone else is worried about interop problems, I note that
allow_dnssec_bit=1 is the default setting. A CheckPoint firewall
administrator has to deliberately change a correct default in order to
cause this kind of serious breakage.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
ROUGH. RAIN THEN FAIR. GOOD.


Re: When does BIND send queries with DO flag enabled?

2010-09-29 Thread Kevin Oberman
> Date: Wed, 29 Sep 2010 15:51:55 -0400
> From: Taylor, Gord gord.tay...@rbc.com
> Sender: bind-users-bounces+oberman=es@lists.isc.org
>
>
> We recently ran into an intermittent problem sending queries to a
> business partner. Turns out they had CheckPoint firewalls with
> SmartDefense turned off for DNS traffic. This was blocking traffic going
> to them with DO flag enabled. I could duplicate the problem from a
> command line by issuing dig @partner hostname +DNSSEC and this failed
> every time. When querying through the DNS server though using NSLOOKUP on
> WinXP, the resolution was hit-and-miss. Watching a sniffer trace,
> sometimes BIND 9.4.1-P1 would send with DO flag enabled, and other times
> without.
>
> I know this is an older version of BIND, and lots of bugs fixed in newer
> versions. However, looking at sniffer traces from 9.7.0-P2 shows the
> same behavior: sometimes DO is set and sometimes not set.
>
> Can someone explain when BIND sets DO flag and when it won't? Most of my
> client workstations are XPSP3, and NONE of the queries coming from those
> clients have DO flag set.
>
> Any help is appreciated...
>
> Gord Taylor (CISSP, GCIH, GEEK)

Gee, an annoying and stupid legal notice at the end of a mail message
is even more annoying when it is in several languages. (Yes, I
understand that some totally clueless lawyer earning a LOT more for not
thinking than you do for thinking is not your fault, but it's still
REALLY ANNOYING!)

The DO bit is set by default for the simple reason that your server is
DNSSEC capable. The DO bit says DNSSEC OK and is simply declaring that
the server is capable of handling (though not necessarily validating)
responses containing DNSSEC RRs. See RFC3225.

I assume that setting dnssec-enable to no will turn this bit off, but
please get the broken firewall fixed!

As to not always sending DO, I believe that is dependent on the query
from the client. It would depend on the source of the query. If it was
from the server to get data that would not be sent back to the client, I
imagine the DO bit would be set. (NS lookups during recursion would be
an example), while queries for return to the client will probably
follow the state of the DO bit seen in the query from the client. I'd
guess WINXP is not setting DO. I suspect WIN7 would.

This last section is largely an educated guess. I don't have time now to
read up on those details in the RFCs.

Again, get the @#$% firewall fixed! As time goes on, more and more
queries will be blocked by it as DNSSEC moves to the mainstream.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net  Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751


Re: When does BIND send queries with DO flag enabled?

2010-09-29 Thread Kalman Feher



On 29/09/10 10:30 PM, Kevin Oberman ober...@es.net wrote:

>> Date: Wed, 29 Sep 2010 15:51:55 -0400
>> From: Taylor, Gord gord.tay...@rbc.com
>> Sender: bind-users-bounces+oberman=es@lists.isc.org
>>
>>
>> We recently ran into an intermittent problem sending queries to a
>> business partner. Turns out they had CheckPoint firewalls with
>> SmartDefense turned off for DNS traffic. This was blocking traffic going
>> to them with DO flag enabled. I could duplicate the problem from a
>> command line by issuing dig @partner hostname +DNSSEC and this failed
>> every time. When querying through the DNS server though using NSLOOKUP on
>> WinXP, the resolution was hit-and-miss. Watching a sniffer trace,
>> sometimes BIND 9.4.1-P1 would send with DO flag enabled, and other times
>> without.
>>
>> I know this is an older version of BIND, and lots of bugs fixed in newer
>> versions. However, looking at sniffer traces from 9.7.0-P2 shows the
>> same behavior: sometimes DO is set and sometimes not set.
>>
>> Can someone explain when BIND sets DO flag and when it won't? Most of my
>> client workstations are XPSP3, and NONE of the queries coming from those
>> clients have DO flag set.
>>
>> Any help is appreciated...
>>
>> Gord Taylor (CISSP, GCIH, GEEK)
>>
> Gee, an annoying and stupid legal notice at the end of a mail message
> is even more annoying when it is in several languages. (Yes, I
> understand that some totally clueless lawyer earning a LOT more for not
> thinking than you do for thinking is not your fault, but it's still
> REALLY ANNOYING!)
>
> The DO bit is set by default for the simple reason that your server is
> DNSSEC capable. The DO bit says DNSSEC OK and is simply declaring that
> the server is capable of handling (though not necessarily validating)
> responses containing DNSSEC RRs. See RFC3225.
>
> I assume that setting dnssec-enable to no will turn this bit off, but
> please get the broken firewall fixed!
This is actually not the case, although it is understandable you would think
it is the way things _should_ work. DO is set when the resolver has EDNS0
enabled. So that is the only way to turn it off (disable EDNS0). Turning off
EDNS0 is likely to affect a lot more than DNSSEC. I wouldn't recommend it.

A discussion on this topic was held within this mailing list (June 2010
IIRC) with Jinmei and Evan from ISC providing the insight regarding BIND's
behaviour. There was further discussion behind the reasoning for this choice
as well.

Nevertheless your point is valid; fixing the firewall is the only
alternative in my opinion. EDNS0 is not a new technology (10 years I think).
Would you use a security product still basing its policies on a time when
Windows 98 was cutting edge?

>
> As to not always sending DO, I believe that is dependent on the query
> from the client. It would depend on the source of the query. If it was
> from the server to get data that would not be sent back to the client, I
> imagine the DO bit would be set. (NS lookups during recursion would be
> an example), while queries for return to the client will probably
> follow the state of the DO bit seen in the query from the client. I'd
> guess WINXP is not setting DO. I suspect WIN7 would.
>
> This last section is largely an educated guess. I don't have time now to
> read up on those details in the RFCs.
>
> Again, get the @#$% firewall fixed! As time goes on, more and more
> queries will be blocked by it as DNSSEC moves to the mainstream.

-- 
Kal Feher 



Re: When does BIND send queries with DO flag enabled?

2010-09-29 Thread Evan Hunt
> Can someone explain when BIND sets DO flag and when it won't? Most of my
> client workstations are XPSP3, and NONE of the queries coming from those
> clients have DO flag set.

The DO bit is part of the EDNS option record, and some servers (and more to
the point, some firewalls) are broken and don't understand EDNS.  When BIND
doesn't initially get an answer to a query, it retries in different ways,
and eventually (on the third try, if I recall correctly) it tries omitting
the EDNS option.  No EDNS means no DO bit, and I'm pretty sure that's what
you're seeing on the trace.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
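The point Evan and Kal make (the DO bit lives inside the EDNS0 OPT record, so a query without EDNS cannot carry DO, and a query with EDNS may or may not set it) shown on the wire. This is an added example in Python, not code from the thread, BIND or ISC: it builds the three query shapes discussed (plain DNS as in BIND's EDNS-less retry, EDNS0 with DO clear as with dig +edns=0, EDNS0 with DO set as with dig +dnssec) and inspects each; the name partner.example is a constructed placeholder.

```python
import struct

OPT = 41          # RR type of the EDNS0 OPT pseudo-record (RFC 6891)
DO_FLAG = 0x8000  # DNSSEC OK bit in the OPT RR's 32-bit "TTL" field (RFC 3225)

def build_query(qname, qtype=1, edns=False, do=False, udp_size=4096, txid=0x1234):
    """Build a standard recursive query, optionally with an OPT RR (DO set or clear)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = [l.encode() for l in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if edns:
        # OPT RR: root name, type 41, class = advertised UDP payload size,
        # "TTL" = ext-RCODE(8) | version(8) | DO(1) | Z(15), empty RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT, udp_size, DO_FLAG if do else 0, 0)
    return msg

def _skip_name(msg, off):
    """Return the offset just past a wire-format name (compression pointers included)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def edns_info(msg):
    """Return (has_edns, do_set, udp_size); udp_size is 512 when no OPT RR is present."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:
            return True, bool(ttl & DO_FLAG), rclass
        off += 10 + rdlen
    return False, False, 512

# Constructed queries mirroring the three shapes the thread contrasts.
QUERIES = {
    "plain (BIND's EDNS-less retry)": build_query("partner.example"),
    "dig +edns=0 (EDNS0, DO clear)":  build_query("partner.example", edns=True),
    "dig +dnssec (EDNS0, DO set)":    build_query("partner.example", edns=True, do=True),
}

if __name__ == "__main__":
    for label, q in QUERIES.items():
        has_edns, do_set, size = edns_info(q)
        print(f"{label:34} -> edns={has_edns} do={do_set} udp_size={size}")
```

Running `edns_info` over the DNS payloads of queries pulled from a sniffer trace tells you directly which ones a DO-dropping firewall would have discarded.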