[AusNOG] Anyone from SGE / Cybertrust care to comment?
Mark Andrews
marka at isc.org
Wed Aug 24 18:56:31 EST 2016
Anyone from SGE / Cybertrust care to comment about their DNS servers?

Below shows their servers are not EDNS (RFC6891) compliant despite
nominally being so. They fail to respond to DNS queries with a
EDNS COOKIE option (RFC 7873) despite there being production recursive
servers that send queries with that option. EDNS was designed to
allow clients to use new features without having to upgrade the
servers but that only works if you *answer* DNS queries and follow
the protocol.

The IPv6 support is only a single working server and has been like
that for months despite being told that they are not reachable.
This leaves anyone using DNS64 with a single working DNS server to
contact government servers. If your servers don't work stop
publishing their addresses.

The DNS is a query / response protocol and it is the job of authoritative
servers to answer legitimate queries. These servers are NOT doing
that job. I'd love to know if the bureaucrat that approved the
contract with SGE / Cybertrust was aware that they were not getting
a full DNS service when they signed the agreement or the implications
of that.

Mark
EDNS Compliance Tester
Checking: 'accc.gov.au' as at 2016-08-24T08:31:14Z
accc.gov.au @152.91.11.1 (dns1.sge.net.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=timeout edns1opt=timeout do=ok ednsflags=ok edns@512tcp=ok optlist=timeout
accc.gov.au @2403:e000::f002:1 (dns1.sge.net.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=timeout edns1opt=timeout do=ok ednsflags=ok edns@512tcp=ok optlist=timeout
accc.gov.au @152.91.14.25 (dns2.sge.net.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=timeout edns1opt=timeout do=ok ednsflags=ok edns@512tcp=ok optlist=timeout
accc.gov.au @2403:e000::f002:2 (dns2.sge.net.): dns=timeout edns=timeout edns1=timeout edns@512=timeout ednsopt=timeout edns1opt=timeout do=timeout ednsflags=timeout edns@512tcp=timeout optlist=timeout
accc.gov.au @203.2.208.3 (dns3.sge.net.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=timeout edns1opt=timeout do=ok ednsflags=ok edns@512tcp=ok optlist=timeout
accc.gov.au @2403:e000::f002:3 (dns3.sge.net.): dns=timeout edns=timeout edns1=timeout edns@512=timeout ednsopt=timeout edns1opt=timeout do=timeout ednsflags=timeout edns@512tcp=timeout optlist=timeout
accc.gov.au @203.2.208.4 (dns4.sge.net.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=timeout edns1opt=timeout do=ok ednsflags=ok edns@512tcp=ok optlist=timeout
accc.gov.au @2403:e000::f002:4 (dns4.sge.net.): dns=timeout edns=timeout edns1=timeout edns@512=timeout ednsopt=timeout edns1opt=timeout do=timeout ednsflags=timeout edns@512tcp=timeout optlist=timeout
The Following Tests Failed
Plain DNS (dns)
dig +norec +noad +noedns soa zone @server
expect: SOA
expect: NOERROR
Plain EDNS (edns)
dig +nocookie +norec +noad +edns=0 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: EDNS over IPv6
See RFC6891
EDNS - Unknown Version Handling (edns1)
dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
See RFC6891, 6.1.3. OPT Record TTL Field Use
EDNS - Truncated Response (edns@512)
dig +nocookie +norec +noad +dnssec +bufsize=512 +ignore dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC6891, 7. Transport Considerations
EDNS - Unknown Option Handling (ednsopt)
dig +nocookie +norec +noad +ednsopt=100 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: that the option will not be present in response
See RFC6891, 6.1.2 Wire Format
EDNS - Unknown Version with Unknown Option Handling (edns1opt)
dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
expect: that the option will not be present in response
See RFC6891
EDNS - DO=1 (do)
dig +nocookie +norec +noad +dnssec soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: DO flag in response if RRSIG is present in response
See RFC3225
EDNS - Unknown Flag Handling (ednsflags)
dig +nocookie +norec +noad +ednsflags=0x80 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: Z bits to be clear in response
See RFC6891, 6.1.4 Flags
EDNS - over TCP Response (edns@512tcp)
dig +vc +nocookie +norec +noad +edns +dnssec +bufsize=512 dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC5966 and See RFC6891
EDNS - Supported Options Probe (optlist)
dig +edns +noad +norec +nsid +subnet=0.0.0.0/0 +expire +cookie -q zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC6891
Codes
ok - test passed.
timeout - lookup timed out.
To retrieve this report in the future: https://ednscomp.isc.org/ednscomp/2c176eb58a
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
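The report above applies the tool's "expect:" lines to live servers. What follows is an added, offline example (not ISC's ednscomp or dig, and not part of the original post) showing in Python how two of those expectations, ednsopt and edns1, are evaluated at the wire level: it builds the EDNS query that a +ednsopt=100 or +edns=1 dig would send, parses a reply, and applies the checks from the report. The replies are constructed inline (a compliant one, one that echoes the unknown option back, and a BADVERS one); the SOA rdata is a placeholder and all function names are my own.

```python
"""Offline checker for the ednsopt and edns1 expectations of an EDNS compliance report.
Added example: builds and parses DNS wire format with struct only; no network access."""
import struct

OPT = 41       # RR type of the EDNS OPT pseudo-record (RFC 6891)
SOA = 6
BADVERS = 16   # extended RCODE; its high 8 bits travel in the OPT TTL field


def encode_name(name):
    """Uncompressed wire-format owner name."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=SOA, version=0, options=(), flags=0, udp_size=4096):
    """Equivalent of dig +norec +noad +edns=<version> [+ednsopt=<code>]: RD and AD clear, one OPT RR."""
    header = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 1)           # id, flags, qd, an, ns, ar
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    ttl = (version << 16) | flags                                      # ext-rcode | version | Z/DO
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, ttl, len(rdata)) + rdata
    return header + question + opt


def build_response(name, rcode, answers=(), version=0, options=()):
    """Constructed server reply (QR=1, AA=1); rcode bits above 15 go into the OPT extended-rcode byte."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400 | (rcode & 0xF), 1, len(answers), 0, 1)
    question = encode_name(name) + struct.pack("!HH", SOA, 1)
    body = b""
    for rtype, rdata in answers:                                       # owner = pointer to question name
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    ttl = ((rcode >> 4) << 24) | (version << 16)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, ttl, len(rdata)) + rdata
    return header + question + body + opt


def skip_name(msg, off):
    """Advance past a wire-format name, compression pointers included."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += n + 1


def parse_response(msg):
    """Return the 12-bit rcode (OPT extended bits merged), answer RR types, and OPT details."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    result = {"rcode": flags & 0xF, "answer_types": [], "opt": None}
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == OPT:
            codes, p = [], 0
            while p < len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                codes.append(code)
                p += 4 + olen
            result["opt"] = {"version": (ttl >> 16) & 0xFF, "flags": ttl & 0xFFFF, "options": codes}
            result["rcode"] |= ((ttl >> 24) & 0xFF) << 4
        elif i < an:
            result["answer_types"].append(rtype)
    return result


def check_ednsopt(r):
    """'EDNS - Unknown Option Handling': SOA, NOERROR, OPT version 0, option 100 not echoed."""
    fails = []
    if r["rcode"] != 0:
        fails.append("expected NOERROR")
    if SOA not in r["answer_types"]:
        fails.append("expected SOA")
    if r["opt"] is None or r["opt"]["version"] != 0:
        fails.append("expected OPT version 0")
    if r["opt"] and 100 in r["opt"]["options"]:
        fails.append("unknown option echoed")
    return fails


def check_edns1(r):
    """'EDNS - Unknown Version Handling': BADVERS, OPT version 0, no SOA."""
    fails = []
    if r["rcode"] != BADVERS:
        fails.append("expected BADVERS")
    if SOA in r["answer_types"]:
        fails.append("did not expect SOA")
    if r["opt"] is None or r["opt"]["version"] != 0:
        fails.append("expected OPT version 0")
    return fails


if __name__ == "__main__":
    zone = "accc.gov.au"
    print("query bytes:", len(build_query(zone, options=[(100, b"x")])))
    good = build_response(zone, 0, [(SOA, b"placeholder-soa")])
    echo = build_response(zone, 0, [(SOA, b"placeholder-soa")], options=[(100, b"x")])
    print("ednsopt compliant:", check_ednsopt(parse_response(good)))
    print("ednsopt echoing  :", check_ednsopt(parse_response(echo)))
    print("edns1 compliant  :", check_edns1(parse_response(build_response(zone, BADVERS))))
```

A server that answers neither query at all, as in the report's "timeout" columns, never reaches these checks; the point of the checkers is that a correct answer to an unknown option or version is a normal reply (or BADVERS) rather than silence, which is what lets a resolver distinguish a broken server from a lossy path.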