[AusNOG] DNS test tool feedback
Mark Andrews
marka at isc.org
Sat Aug 2 10:19:21 EST 2014
If one really wants to test DNS servers you need to test with

EDNS
    Should get a response.
    Should not have extra bytes at the end.
EDNS + unknown/unsupported options
    Should ignore the options. They SHOULD NOT be echoed back.
EDNS w/ unsupported version
    Should return BADVERS
EDNS at 512
    Should have an EDNS response even when truncated.
EDNS at 512 over TCP with an answer that was truncated at 512 over UDP
    Response should be complete and not limited to 512 bytes.
    (the .FOO and .SOY servers are currently broken in this respect;
    compare
        dig DNSKEY zone +bufsize=512 +dnssec +tcp @server
    and
        dig DNSKEY zone +dnssec +tcp @server)
You need to test with AD=1 set.
You need to test with CD=1 set.
You need to test with unknown types for a name that is known to exist.
NOERROR NODATA is the correct response, not NXDOMAIN, not FORMERR,
not NOTIMP, with maybe the exception of an unknown meta type, unless
there is a CNAME at the name, in which case a CNAME should always be
returned. For a NOERROR NODATA response the SOA needs to match
the delegation.
Also test with TXT, MX, SOA and NS, as some load balancers get the
responses to these well known types wrong. NOTIMP is not correct.
(If you don't "support" these types then you should refuse to load
a zone that contains them (RFC 1034 or RFC 1035). If the zone has
loaded then they can't be found in the database and the correct
RFC 1034 response is NOERROR.) Similarly AAAA.
DNS is a query response protocol. You should get a response to every query.
If you don't get a response the server is broken.
The SOA record should match the delegation with negative responses.
If the server has an IPv6 address it is required to support EDNS. EDNS
support is an IPv6 node requirement.
If you want to know why your DNS is slow, your recursive server is trying
to deal with all this breakage from authoritative servers.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
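As an added illustration of the EDNS checks listed at the top of the post (this is not part of Mark's message or any ISC code), the following Python parses a raw DNS response and flags the conditions the post names: no OPT record, extra bytes after the last record, an unknown option echoed back, and a missing BADVERS when an unsupported EDNS version was sent. The sample responses are constructed inline; the example.com/A question and option code 65001 are assumed values chosen for the demonstration.

```python
import struct
OPT, BADVERS = 41, 16  # OPT RR type; RCODE 16 = BADVERS (RFC 6891)

def _skip_name(msg, off):  # offset just past a wire-format name, pointers included
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer is two bytes and ends the name
            return off + 2
        off += 1 + n
def check_edns_response(msg, unknown_codes_sent=(), version_sent=0):
    """Apply the post's EDNS checks to a raw DNS response; return the problems found."""
    problems, off, opt = [], 12, None
    qd, an, ns, ar = struct.unpack_from('!4H', msg, 4)
    for _ in range(qd):                     # skip the question section
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):           # walk every RR, remembering the OPT pseudo-RR
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from('!HHIH', msg, off)
        off += 10
        if rtype == OPT:
            opt = (ttl, msg[off:off + rdlen])
        off += rdlen
    if off != len(msg):
        problems.append('extra bytes after the last record')
    if opt is None:
        return problems + ['no OPT record in response']
    ttl, rdata = opt
    full_rcode = ((ttl >> 24) << 4) | (msg[3] & 0x0F)   # EXTENDED-RCODE || RCODE
    if version_sent != 0 and full_rcode != BADVERS:
        problems.append('unsupported EDNS version not answered with BADVERS')
    p = 0
    while p + 4 <= len(rdata):              # unknown options must be ignored, not echoed
        code, olen = struct.unpack_from('!HH', rdata, p)
        if code in unknown_codes_sent:
            problems.append(f'unknown option {code} echoed back')
        p += 4 + olen
    return problems

# Constructed sample responses (not real captures): id 1, QR=1, question example.com/A.
def _hdr(rcode, an, ar): return struct.pack('!6H', 1, 0x8000 | rcode, 1, an, 0, ar)
def _opt(ext_rcode=0, options=b''):
    return b'\x00' + struct.pack('!HHIH', OPT, 4096, ext_rcode << 24, len(options)) + options
Q = b'\x07example\x03com\x00' + struct.pack('!HH', 1, 1)
A_RR = b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, 300, 4) + bytes([192, 0, 2, 1])
GOOD = _hdr(0, 1, 1) + Q + A_RR + _opt()
ECHOED = _hdr(0, 1, 1) + Q + A_RR + _opt(options=struct.pack('!HH', 65001, 0))
BADVERS_OK = _hdr(0, 0, 1) + Q + _opt(ext_rcode=1)   # RCODE 16 = BADVERS
```

Feed it the bytes of a real reply (for example captured with dig or a raw UDP socket) along with the unknown option codes and EDNS version you sent, and an empty list means the server passed these particular checks.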