[AusNOG] Azure now supporting Ipv6

Mark Andrews marka at isc.org
Thu Sep 29 09:26:04 EST 2016


Now for them to use EDNS compliant nameservers.  How hard is it to
check that your nameservers actually follow the EDNS protocol?

harveynorman.com.au @40.90.4.5 (ns1-05.azure-dns.com.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=echoed edns1opt=status do=ok ednsflags=ok edns@512tcp=ok optlist=subnet
harveynorman.com.au @64.4.48.5 (ns2-05.azure-dns.net.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=echoed edns1opt=status do=ok ednsflags=ok edns@512tcp=ok optlist=subnet
harveynorman.com.au @13.107.24.5 (ns3-05.azure-dns.org.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=echoed edns1opt=status do=ok ednsflags=ok edns@512tcp=ok optlist=subnet
harveynorman.com.au @13.107.160.5 (ns4-05.azure-dns.info.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=echoed edns1opt=status do=ok ednsflags=ok edns@512tcp=ok optlist=subnet

There are only 3 possible extension mechanisms and all 3 have
instructions on how to handle requests using those extension mechanisms
that you don't know about.  See RFC 6891.

EDNS version increase -> return BADVERS with the highest version you support
EDNS option -> ignore options you do not understand (don't copy them into the response)
EDNS flags -> ignore flags you do not understand (don't copy them into the response)

This misbehaviour already means that it has become impossible to
count how many servers support the ECS option.

Please check your servers to ensure that they are EDNS compliant
and if they are not FIX them.  Only 60% of Australian DNS servers
that nominally support EDNS are actually EDNS compliant.

https://ednscomp.isc.org/ednscomp/

Two of the extension mechanisms are in use today.  Queries from
recursive servers do have EDNS options present and they do have
EDNS flag bits set.  There is zero reason not to expect all three
extension mechanisms will be used in the future.

Only idiots drop DNS queries with EDNS extension present.  Even the
firewall vendors are removing code that does so.  EDNS was designed
to allow clients to start using new options, flags and versions
without having to upgrade the servers and if your DNS server is EDNS
compliant they will cause you no harm.

Just because an EDNS option, flag or version is defined, it doesn't
mean you have to support it.  You do however need to correctly
respond to it.

Mark

In message <CAGq70SK5PmEXTnMqa0Ukt6NDjJ4qBk9p6XBRzZH=2TwGn3-JRA at mail.gmail.com>, Russell Langton writes:
> 
> Hi All,
> 
> Saw this the other day;
> 
> https://azure.microsoft.com/en-us/blog/azure-networking-announcements-for-ignite-2016/
> 
> "Azure now supports Native IPv6 network connectivity for applications and
> services hosted on Azure Virtual Machines. The demand for IPv6 has never
> been greater with the explosive growth in mobile devices, billions of
> Internet of Things (IOT) devices entering the market, along with new
> compliance regulations. IPv6 has been used by internal Microsoft services
> such as Office 365 for over three years. We are now offering this feature
> to all Azure customers. Native IPv6 connectivity to the virtual machine is
> available for both Windows and Linux VMs."
> 
> There is a linked page about further details about the load-balancing.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
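As an added example (not code from Mark's message or from the ednscomp tool), a small pure-stdlib Python checker that parses the OPT record out of a DNS reply and applies the three RFC 6891 rules above: BADVERS for an unknown version, unknown options not echoed, unknown flags not copied. The probe option code 65001 (local/experimental range) and the sample replies are constructed; they contrast a compliant server with one showing the edns1=status and ednsopt=echoed failures seen in the ednscomp output.

```python
import struct
OPT_TYPE, BADVERS, DO_FLAG = 41, 16, 0x8000          # RFC 6891 values

def build_response(rcode, version, flags, options):
    """Constructed sample reply: header, one question, one OPT RR, no answers."""
    hdr = struct.pack("!6H", 0x1234, 0x8180 | (rcode & 0xF), 1, 0, 0, 1)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    ttl = ((rcode >> 4) << 24) | (version << 16) | flags   # OPT "TTL" field layout
    return hdr + question + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, len(rdata)) + rdata

def skip_name(msg, off):   # advance past a wire-format name: label run or compression pointer
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_opt(msg):
    """Return (rcode, version, flags, [(code, data), ...]) from the OPT RR, or None if absent."""
    off, (qd, an, ns, ar) = 12, struct.unpack("!4H", msg[4:12])
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == OPT_TYPE:
            opts, i = [], 0
            while i < len(rdata):
                code, olen = struct.unpack("!HH", rdata[i:i + 4])
                opts.append((code, rdata[i + 4:i + 4 + olen]))
                i += 4 + olen
            rcode = ((ttl >> 24) << 4) | (msg[3] & 0xF)   # extended rcode joined with header rcode
            return rcode, (ttl >> 16) & 0xFF, ttl & 0xFFFF, opts
    return None

def edns_checks(version_resp, option_resp, flags_resp, probe_code):
    """The three RFC 6891 rules, applied to replies to a version-1, unknown-option and unknown-flag probe."""
    v, o, f = parse_opt(version_resp), parse_opt(option_resp), parse_opt(flags_resp)
    return {"edns1": v is not None and v[0] == BADVERS and v[1] == 0,
            "ednsopt": o is not None and all(code != probe_code for code, _ in o[3]),
            "ednsflags": f is not None and (f[2] & ~DO_FLAG) == 0}

def demo():
    """Constructed replies: a compliant server beside one showing the 'status'/'echoed' failures."""
    probe = 65001   # constructed unknown option code, from the local/experimental range
    good = edns_checks(build_response(BADVERS, 0, 0, []), build_response(0, 0, 0, []), build_response(0, 0, DO_FLAG, []), probe)
    bad = edns_checks(build_response(0, 1, 0, []),                 # answered version 1 as if known
                      build_response(0, 0, 0, [(probe, b"x")]),    # echoed the unknown option
                      build_response(0, 0, 0x4000, []), probe)     # copied an unknown flag bit
    return good, bad
```

Against a live server the same checks apply to the replies to three real probes (EDNS version 1, an unknown option, an unknown flag bit) sent with a library such as dnspython.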

