[AusNOG] Azure now supporting Ipv6
Mark Andrews
marka at isc.org
Thu Sep 29 12:52:03 EST 2016
In message <CAM1C4G=wEvXw5ujigzngAj=i0zCZihPA3L4-gGQA08Er1kXNug at mail.gmail.com>, Anand Kumria writes:
> Hi Mark,
>
> I generally ignore your emails since they always seem to hijack other
> threads.
I also generate independent threads.
> Worse they focus on details not pertinent to the original thread.
>
> In this case, I thought I'd check out the link and give you some feedback
> about it:
>
> - Why is the design stuck in the '90s? It is the 21st century already.
> - Where is the explanation of *WHY* this is a useful thing to check.
> Everyone knows you like to write emails but do you really want to be
> repeating yourself every time?
Because your clients' DNS lookups may break when they use the extension
features unless your servers are compliant. If they don't break
they will be slower.
BIND 9.10.4 and BIND 9.11.0 support EDNS COOKIES (BIND 9.10.4 via
a configure option, BIND 9.11.0 it is on by default) with an aim to
reduce the ability to spoof responses, and for servers to be able
to pick out non-spoofed clients from spoofed traffic.
Because we don't want what has happened to the AD bit to be repeated
with the other currently reserved bits where you can't trust the
returned state of AD to mean anything.
Because we don't want what has happened with ECS to happen with
other options.
Because when the EDNS version is bumped we don't want servers to
be returning answers that could be misinterpreted as something else.
> - Why can't the web page explain LDH (I know what it means, but who else
> here does? HTML has had <abbr> since forever )
Will add.
> - Colour. It is a thing. Why can't you use it to output red/orange/green.
The web page is in colour (orange/red) but it still has to work for
the colour blind which is why there is text.
You can cut-and-paste the website output into an email and have a
useful monochrome report.
> - Speed. 10 seconds to check isc.org?! Again, 21st century and all that.
Because it is doing it in real time as the machine is actually
running lots of other checks as well. With Amazon no longer dropping
lots of queries the level of parallelism in the checks needs to
drop but it will be a couple of weeks until the current run completes.
> - Why isn't there an example of a *good* domain? (e.g. isc.org, <other
> prominent organisations>)
So a series of value=ok is not enough?
> - Why not use the HTML5 placeholder attribute? It has been standardised
> for longer than the EDNS rfc.
>
> I am sure I could nitpick a bunch of other, unrelated things as well.
>
> Thanks,
> Anand
>
>
>
> On 29 September 2016 at 09:26, Mark Andrews <marka at isc.org> wrote:
>
> >
> > Now for them to use EDNS compliant nameservers. How hard is it to
> > check that your nameservers actually follow the EDNS protocol?
> >
> > harveynorman.com.au @40.90.4.5 (ns1-05.azure-dns.com.): dns=ok edns=ok
> > edns1=status edns@512=ok ednsopt=echoed edns1opt=status do=ok
> > ednsflags=ok edns@512tcp=ok optlist=subnet
> > harveynorman.com.au @64.4.48.5 (ns2-05.azure-dns.net.): dns=ok edns=ok
> > edns1=status edns@512=ok ednsopt=echoed edns1opt=status do=ok
> > ednsflags=ok edns@512tcp=ok optlist=subnet
> > harveynorman.com.au @13.107.24.5 (ns3-05.azure-dns.org.): dns=ok edns=ok
> > edns1=status edns@512=ok ednsopt=echoed edns1opt=status do=ok
> > ednsflags=ok edns@512tcp=ok optlist=subnet
> > harveynorman.com.au @13.107.160.5 (ns4-05.azure-dns.info.): dns=ok
> > edns=ok edns1=status edns@512=ok ednsopt=echoed edns1opt=status do=ok
> > ednsflags=ok edns@512tcp=ok optlist=subnet
> >
> > There are only 3 possible extension mechanisms and all 3 have
> > instructions on how to handle requests using those extension mechanisms
> > that you don't know about. See RFC 6891.
> >
> > EDNS version increase -> return BADVERS with the highest version you
> > support
> > EDNS option -> ignore options you do not understand (don't copy them into
> > the response)
> > EDNS flags -> ignore flags you do not understand (don't copy them into the
> > response)
> >
> > This misbehaviour already means that it has become impossible to
> > count how many servers support the ECS option.
> >
> > Please check your servers to ensure that they are EDNS compliant
> > and if they are not FIX them. Only 60% of Australian DNS servers
> > that nominally support EDNS are actually EDNS compliant.
> >
> > https://ednscomp.isc.org/ednscomp/
> >
> > Two of the extension mechanisms are in use today. Queries from
> > recursive servers do have EDNS options present and they do have
> > EDNS flag bits set. There is zero reason not to expect all three
> > extension mechanisms will be used in the future.
> >
> > Only idiots drop DNS queries with EDNS extension present. Even the
> > firewall vendors are removing code that does so. EDNS was designed
> > to allow clients to start using new options, flags and versions
> > without having to upgrade the servers and if your DNS server is EDNS
> > compliant they will cause you no harm.
> >
> > Just because an EDNS option, flag or version is defined, it doesn't
> > mean you have to support it. You do however need to correctly
> > respond to it.
> >
> > Mark
> >
> > In message <CAGq70SK5PmEXTnMqa0Ukt6NDjJ4qBk9p6XBRzZH=2TwGn3-JRA at mail.
> > gmail.com>, Russell Langton writes:
> > >
> > > Hi All,
> > >
> > > Saw this the other day;
> > >
> > > https://azure.microsoft.com/en-us/blog/azure-networking-announcements-for-ignite-2016/
> > >
> > > "Azure now supports Native IPv6 network connectivity for applications and
> > > services hosted on Azure Virtual Machines. The demand for IPv6 has never
> > > been greater with the explosive growth in mobile devices, billions of
> > > Internet of Things (IOT) devices entering the market, along with new
> > > compliance regulations. IPv6 has been used by internal Microsoft services
> > > such as Office 365 for over three years. We are now offering this feature
> > > to all Azure customers. Native IPv6 connectivity to the virtual machine is
> > > available for both Windows and Linux VMs."
> > >
> > > There is a linked page about further details about the load-balancing.
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
> > _______________________________________________
> > AusNOG mailing list
> > AusNOG at lists.ausnog.net
> > http://lists.ausnog.net/mailman/listinfo/ausnog
> >
> >
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
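The three RFC 6891 rules Mark lists (unsupported version gets BADVERS with the highest supported version; unknown options and unknown flag bits are ignored rather than copied into the response) can be modelled offline. The following is an added example, not code from this thread, from BIND or from ISC's ednscomp checker: it builds and parses OPT records with the standard library only, implements a compliant EDNS(0)-only responder next to a foil that echoes the query's OPT record back, and labels the outcomes with the field names that appear in the pasted report (edns1, ednsopt, ednsflags, do). The option code 65001 (local/experimental range) and flag bit 0x0080 are assumed stand-ins for a future option and a currently reserved flag; the meaning of "status" as "wrong response status" follows the report's usage.

```python
"""
Model of the three EDNS extension mechanisms from RFC 6891 (version, options,
flags) and of how a server that only speaks EDNS version 0 must answer queries
using ones it does not understand.  Constructed for illustration; not code from
the AusNOG thread, BIND or ISC's ednscomp checker.
"""
import struct

OPT_TYPE = 41               # OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000            # DNSSEC OK: the only EDNS flag bit defined so far
EXT_RCODE_BADVERS = 1       # RCODE 16 (BADVERS) = ext-rcode 1 in the OPT TTL, 0 in header
OPTION_COOKIE = 10          # EDNS COOKIE (RFC 7873): the one option our model server knows
OPTION_UNKNOWN = 65001      # local/experimental range: assumed stand-in for a future option
FLAG_UNKNOWN = 0x0080       # a currently reserved flag bit (assumed for the probe)

KNOWN_OPTIONS = {OPTION_COOKIE}
KNOWN_FLAGS = DO_FLAG


def build_opt(version=0, flags=0, options=(), ext_rcode=0, udp_size=4096):
    """Serialise an OPT RR: root owner, type 41, CLASS=UDP size, TTL=ext-rcode|version|flags."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                     for code, data in options)
    ttl = (ext_rcode << 24) | (version << 16) | flags
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, len(rdata)) + rdata


def parse_opt(wire):
    """Inverse of build_opt; returns the fields a compliance check cares about."""
    assert wire[0] == 0, "OPT owner name must be the root"
    rtype, udp_size, ttl, rdlen = struct.unpack("!HHIH", wire[1:11])
    assert rtype == OPT_TYPE
    options, pos, end = [], 11, 11 + rdlen
    while pos < end:
        code, length = struct.unpack("!HH", wire[pos:pos + 4])
        options.append((code, wire[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return {"ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF,
            "flags": ttl & 0xFFFF, "udp_size": udp_size, "options": options}


def compliant_opt_response(query_opt):
    """OPT RR a compliant EDNS(0)-only server puts in its reply."""
    q = parse_opt(query_opt)
    kept_flags = q["flags"] & KNOWN_FLAGS       # unknown flag bits are not copied back
    if q["version"] > 0:
        # Unsupported version: BADVERS, advertising the highest version we do support (0)
        return build_opt(version=0, flags=kept_flags, ext_rcode=EXT_RCODE_BADVERS)
    # Unknown options are ignored; known ones get a reply (a real server would
    # answer a COOKIE with a server cookie; here the option is simply acknowledged)
    replies = [(code, data) for code, data in q["options"] if code in KNOWN_OPTIONS]
    return build_opt(version=0, flags=kept_flags, options=replies)


def echoing_opt_response(query_opt):
    """Foil: a server that copies the query's OPT RR back unchanged (version,
    flags and options included), the broad class of misbehaviour the checks catch."""
    return query_opt


def check_server(responder):
    """Probe a responder with the three mechanisms and label results with the
    field names from the pasted report (edns1, ednsopt, ednsflags, do)."""
    report = {}
    # 1. EDNS version 1 query: expect BADVERS and version 0 in the answer
    r = parse_opt(responder(build_opt(version=1)))
    report["edns1"] = ("ok" if r["ext_rcode"] == EXT_RCODE_BADVERS and r["version"] == 0
                       else "status")
    # 2. Unknown option: it must not come back in the response
    r = parse_opt(responder(build_opt(options=[(OPTION_UNKNOWN, b"\x01\x02")])))
    report["ednsopt"] = ("echoed" if any(c == OPTION_UNKNOWN for c, _ in r["options"])
                         else "ok")
    # 3. DO plus an unknown flag bit: DO may be kept, the unknown bit must be cleared
    r = parse_opt(responder(build_opt(flags=DO_FLAG | FLAG_UNKNOWN)))
    report["ednsflags"] = "ok" if (r["flags"] & ~KNOWN_FLAGS) == 0 else "echoed"
    report["do"] = "ok" if r["flags"] & DO_FLAG else "dropped"
    return report


if __name__ == "__main__":
    for name, fn in (("compliant", compliant_opt_response),
                     ("echoing", echoing_opt_response)):
        print(name, " ".join(f"{k}={v}" for k, v in check_server(fn).items()))
```

Running it prints one report line per model server; the compliant one comes back all ok, while the echoing foil shows edns1=status and ednsopt=echoed, the same pair of failures the report above shows for the Azure nameservers, plus an ednsflags failure because it reflects the reserved bit as well. The point of the third probe is the AD-bit problem Mark mentions: a server that reflects flag bits it does not implement makes the returned state of those bits meaningless for everyone.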