Thanks Ralph. Going down that line of thought, is there any community
maintained list of generally trusted nameservers which support EDNS0
rather than starting a list from scratch?
I'll see if I can contact the admins of that nameserver to at least make
sure they're aware of the problem.
Take care,
-Dan
On 01/03/2018 08:43 AM, Ralph Dolmans via Unbound-users wrote:
Hi Dan,
Thanks for reporting. That nameserver is really broken. They indicate that
they support EDNS0 and that they do not support it at the same time. BADVERS
must not be used for unknown options. The nameserver answers EDNS0 queries;
Unbound treats the server as if it can handle EDNS0. Unbound does not
try to send OPT records without EDNS options if things go wrong. This
really is an issue on the nameserver side, and should be fixed there.
You should not configure Unbound to send the ECS option to all available
addresses. ECS has "by design" serious issues, including disclosure of
privacy sensitive information and increasing the risk of cache poisoning
using a birthday attack. See section 11 of RFC7871. Sending ECS options
only to nameservers that support it is therefore advisable, and has the
extra benefit of not breaking on servers that don't properly handle
unknown EDNS options.
Regards,
-- Ralph
On 02-01-18 21:14, Dan McCombs via Unbound-users wrote:
Hello,
I've come across an authoritative that responds with BADVERS when EDNS
client subnet is sent in a query to it; for example, it can only be
queried with dig if EDNS is turned off and no subnet is set:
fails:
dig www.tsp.gov @ns2.tsp.gov
; <<>> DiG 9.11.2 <<>> www.tsp.gov @ns2.tsp.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 44363
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; Query time: 18 msec
;; SERVER: 74.113.204.34#53(74.113.204.34)
;; WHEN: Tue Jan 02 15:09
fails:
dig +noedns www.tsp.gov @ns2.tsp.gov +subnet=162.88.100.192
; <<>> DiG 9.11.2 <<>> +noedns www.tsp.gov @ns2.tsp.gov +subnet=162.88.100.192
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 60645
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; Query time: 19 msec
;; SERVER: 74.113.204.34#53(74.113.204.34)
;; WHEN: Tue Jan 02 15:10:21 EST 2018
;; MSG SIZE rcvd: 23
works:
dig +noedns www.tsp.gov @ns2.tsp.gov
; <<>> DiG 9.11.2 <<>> +noedns www.tsp.gov @ns2.tsp.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50317
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.tsp.gov. IN A
;; ANSWER SECTION:
www.tsp.gov. 900 IN A 74.113.204.129
;; AUTHORITY SECTION:
tsp.gov. 900 IN NS ns1.tsp.gov.
tsp.gov. 900 IN NS ns2.tsp.gov.
;; ADDITIONAL SECTION:
ns1.tsp.gov. 900 IN A 74.113.206.34
ns2.tsp.gov. 900 IN A 74.113.204.34
;; Query time: 19 msec
;; SERVER: 74.113.204.34#53(74.113.204.34)
;; WHEN: Tue Jan 02 15:10:38 EST 2018
;; MSG SIZE rcvd: 113
When I query this host through an Unbound resolver with EDNS client
subnet enabled for 0.0.0.0, it returns a SERVFAIL. Removing
send-client-subnet from Unbound's config allows it to resolve.
Is there any config I'm missing to allow Unbound to fall back to querying
without EDNS client subnet if a query with it fails? Or is there a way
to blacklist just those authoritatives without having to whitelist all
other subnets?
Thanks,
-Dan
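The behaviour the thread is debugging is easiest to see at the wire level: BADVERS (RCODE 16) does not fit in the 4-bit RCODE field of the DNS header, so its upper bits are carried in the TTL field of the OPT record (RFC 6891), and an ECS option is just option code 8 inside that OPT record's RDATA (RFC 7871). The script below is an added example written for this page; it is not code from either poster or from the Unbound project. It builds the three query variants Dan tried with dig (EDNS with ECS, EDNS with no options, no EDNS), decodes the full 12-bit RCODE of a reply, and flags the exact inconsistency Ralph describes: a server that advertises EDNS version 0 yet answers a version-0 query with BADVERS. The two sample replies are constructed in the code to match the shapes shown in the dig output (the BADVERS one is 23 bytes, like the "MSG SIZE rcvd: 23" above); they were not captured from the wire. The `probe()` function needs network access and is only an assumption about how one would run this against an authoritative server one operates; the classification string names are my own.

```python
"""Decode extended RCODEs and build ECS queries to spot servers that misuse BADVERS.

Added example for the Unbound-users thread above; not the project's or the
posters' code. Sample replies below are constructed, not captured.
"""
import socket
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR, RFC 6891
ECS_OPTION_CODE = 8    # EDNS Client Subnet, RFC 7871
RCODE_NOERROR = 0
RCODE_BADVERS = 16     # extended RCODE: upper 8 bits live in the OPT TTL field


def ecs_option(prefix, source_prefix_len):
    """Encode an IPv4 ECS option: code, length, FAMILY=1, SOURCE, SCOPE=0, address bits."""
    octets = bytes(int(x) for x in prefix.split("."))
    nbytes = (source_prefix_len + 7) // 8
    addr = bytearray(octets[:nbytes])
    if source_prefix_len % 8 and addr:
        # RFC 7871 requires address bits beyond SOURCE PREFIX-LENGTH to be zero
        addr[-1] &= (0xFF << (8 - source_prefix_len % 8)) & 0xFF
    data = struct.pack("!HBB", 1, source_prefix_len, 0) + bytes(addr)
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def build_query(qname, txid, edns=True, options=b"", udp_size=4096):
    """A-record query with RD set; with edns=True an OPT RR carrying `options` is appended."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if not edns:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(options)) + options
    return header + question + opt


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (full 12-bit RCODE, EDNS version); version is None when no OPT RR is present."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, ext_rcode, version = flags & 0x0F, 0, None
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            ext_rcode, version = ttl >> 24, (ttl >> 16) & 0xFF
    return (ext_rcode << 4) | rcode, version


def classify(msg):
    """Label a reply; the labels are this example's own, not Unbound's terminology."""
    full_rcode, version = parse_response(msg)
    if full_rcode == RCODE_BADVERS and version == 0:
        # Server advertises EDNS version 0 but rejected a version-0 query:
        # BADVERS is being used for an unknown option, which RFC 6891 forbids.
        return "badvers-for-unknown-option"
    if full_rcode == RCODE_NOERROR:
        return "ok"
    return "rcode-%d" % full_rcode


# Constructed 23-byte BADVERS reply: id 44363, flags qr+rd+ad, ARCOUNT=1,
# OPT with CLASS=4096, extended RCODE 1 (-> 16), version 0, empty RDATA.
SAMPLE_BADVERS = (struct.pack("!HHHHHH", 44363, 0x8120, 0, 0, 0, 1)
                  + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 1 << 24, 0))

# Constructed NOERROR reply to the +noedns query: flags qr+aa+rd, one A answer, no OPT.
_q = build_query("www.tsp.gov", 50317, edns=False)[12:]
SAMPLE_NOERROR = (struct.pack("!HHHHHH", 50317, 0x8500, 1, 1, 0, 0) + _q
                  + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 900, 4) + bytes([74, 113, 204, 129]))


def probe(server, qname, prefix="162.88.100.192", plen=24, timeout=3.0):
    """Send the three variants from the thread over UDP and classify each reply (needs network)."""
    variants = {
        "edns+ecs": build_query(qname, 1, options=ecs_option(prefix, plen)),
        "edns-no-options": build_query(qname, 2),
        "noedns": build_query(qname, 3, edns=False),
    }
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for name, q in variants.items():
            s.sendto(q, (server, 53))
            try:
                results[name] = classify(s.recv(4096))
            except socket.timeout:
                results[name] = "timeout"
    return results


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], sys.argv[2]))  # e.g. an authoritative address and a name it serves
```

Run against a server you operate, a result of `{"edns+ecs": "badvers-for-unknown-option", "edns-no-options": "ok", "noedns": "ok"}` is the pattern Ralph calls broken, and `{"edns+ecs": "ok", ...}` is a server that can safely be listed as an explicit `send-client-subnet:` address in unbound.conf instead of the catch-all 0.0.0.0. Note that the script reproduces the full-RCODE decoding generally (any extended RCODE, not only BADVERS), which is why it walks every RR in the additional section looking for the OPT record rather than assuming it is the only one.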