edns compliance
play

EDNS Compliance Mark Andrews marka@isc.org Motivation Deployed - PowerPoint PPT Presentation

EDNS Compliance Mark Andrews marka@isc.org Motivation Deployed Experimental Version of DNS COOKIES (SIT) in BIND 9.10.0 Lookups for various zones failed due to mis-implemention of EDNS Trial and Error Takes time especially when requests


  1. EDNS Compliance Mark Andrews marka@isc.org

  2. Motivation Deployed Experimental Version of DNS COOKIES (SIT) in BIND 9.10.0 Lookups for various zones failed due to mis-implemention of EDNS

  3. Trial and Error Takes time especially when requests are dropped New EDNS option are not the only EDNS extensions people are wishing to use. Decided to see what mis-behaviour is out there.

  4. DataSets ● Root and TLD servers ● Alexa Top 1000 ● Alexa Bottom 1000 of Top 1Million ● GOV servers from Alexa Top 1Million ● AU servers from Alexa Top 1Million

  5. Methodology dig +norec +noedns soa zone @server dig +norec +edns=0 soa zone @server dig +norec +edns=1 +noednsneg soa zone @server dig +norec +ednsopt=100 soa zone @server dig +norec +ednsflags=0x80 soa zone @server dig +norec +dnssec soa zone @server dig +norec +dnssec +bufsize=512 +ignore dnskey zone @server dig +norec +edns=1 +noednsneg +ednsopt=100 soa zone @server

  6. Faults Detected 1/2 ● OPT only returned when DO=1 is present in the request ● BADVER not returned to EDNS (1) ● NOTIMP returned when a EDNS option is present ● FORMERR returned when a EDNS option is present ● BADVERS returned when a EDNS option is present ● NOTIMP returned when a EDNS Z flag is present ● FORMERR returned when a EDNS Z flag is present ● BADVERS returned when a EDNS Z flag is present ● EDNS option echoed back

  7. Faults Detected 2/2 ● OPT not returned in truncated response ● EDNS (1) queries being dropped ● EDNS queries with a Z bit being dropped ● EDNS Z bits in queries echoed back ● TCP response size limited to EDNS UPD response size ● Truncated UDP response when send when response will not fit ● Fragmented responses being blocked ● DO=1 not returned by DNSSEC aware servers

  8. EDNS Aware Servers - 18 Mar 2015 100 EDNS Aware 99.63 98.01 95.8 95.73 88.64 75 50 % 25 0 TLD Top Bottom GOV AU Data Subset

  9. EDNS Compliance Report: 2015-03-19T05:19:26Z Percentage of responding servers that are EDNS aware 100 Root and TLD Servers Alexa Top 1000 Servers 95 Alexa Bottom 1000 Servers Alexa .GOV Servers 90 Alexa .AU Servers 85 80 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015 A EDNS aware server is one which returns a EDNS response to at least one of the test queries. A active server is one which returns a response to one of the test queries. Inactive servers are discarded when calculating the EDNS aware percentages. 2014-09-11: Cloudflare replaced server software which only returned a EDNS response when DO was set to one in the request to a server which ignores EDNS in the request. 2014-10-10: Stopped setting AD=1 in test queries. 2014-10-29: Cloudflare restored EDNS support.

  10. EDNS Compliance by Function - 18 Mar 2015 100 EDNS 0 Truncated Response DNSSEC 75 Unknown Option Unknown Flag EDNS 1 50 % Fully Compliant 25 0 TLD Top Bottom GOV AU Data Subset

  11. EDNS Compliance Report: 2015-03-19T07:46:51Z Percentage of EDNS aware servers that passed all EDNS compliance tests 100 Root and TLD Servers Alexa Top 1000 90 Servers Alexa Bottom 1000 Servers 80 Alexa .GOV Servers Alexa .AU 70 Servers 60 50 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015

  12. EDNS Compliance Report: 2015-03-19T05:19:26Z Percentage of EDNS aware servers that handled unknown EDNS(0) options correctly 100 Root and TLD Servers Alexa Top 1000 Servers 95 Alexa Bottom 1000 Servers Alexa .GOV Servers 90 Alexa .AU Servers 85 80 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015 ( dig +ednsopt=100 +norec soa $zone @$server ) expect: status: NOERROR expect: SOA record to be present expect: OPT record to be present expect: OPT=100 to not be present See RFC6891, 6.1.2 Wire Format

  13. EDNS Compliance Report: 2015-03-19T07:46:51Z Percentage of EDNS aware servers that handled unknown EDNS(1) options correctly 100 Root and TLD Servers Alexa Top 1000 Servers 90 Alexa Bottom 1000 Servers Alexa .GOV 80 Servers Alexa .AU Servers 70 60 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015 ( dig +ednsopt=100 +edns=1 +norec soa $zone @$server ) expect: status: BADVERS expect: SOA record to NOT be present expect: OPT record to be present expect: OPT=100 to not be present expect: EDNS Version 0 in response See RFC6891

  14. EDNS Response Rate by Function - 18 Mar 2015 100 EDNS 0 Truncated Response DNSSEC 75 Unknown Option Unknown Flag EDNS 1 50 % 25 0 TLD Top Bottom GOV AU Data Subset

  15. EDNS Compliance Report: 2015-03-19T05:19:26Z Percentage of responding servers that responded to a EDNS(0) request with a unknown option 100 Root and TLD Servers Alexa Top 1000 Servers 98 Alexa Bottom 1000 Servers Alexa .GOV Servers 96 Alexa .AU Servers 94 92 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015

  16. EDNS Compliance Report: 2015-03-19T05:19:26Z Percentage of responding servers that responded to a plain EDNS(1) request 100 Root and TLD Servers Alexa Top 1000 Servers 94 Alexa Bottom 1000 Servers Alexa .GOV Servers 88 Alexa .AU Servers 82 76 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015 2014-10-12 - 2014-10-15: Domaincontrol removed the firewall blocking EDNS version 1 and EDNS flags.

  17. EDNS Compliance Report: 2015-03-19T05:19:26Z Percentage of responding servers that responded to a EDNS(0) request with a unknown flags 100.0 Root and TLD Servers Alexa Top 1000 Servers 97.5 Alexa Bottom 1000 Servers Alexa .GOV Servers 95.0 Alexa .AU Servers 92.5 90.0 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015 2014-10-12 - 2014-10-15: Domaincontrol removed the firewall blocking EDNS version 1 and EDNS flags.

  18. EDNS Compliance Report: 2015-03-19T05:19:26Z Root and TLD EDNS(1) Failure Reasons 10.0 refused,version timeout soa status 7.5 status,version, soa version 5.0 status,version status,soa 2.5 0.0 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015

  19. EDNS Compliance Report: 2015-03-19T05:19:26Z Root and TLD EDNS(0) Unknown Flags Failure Reasons 10.0 version mbz timeout nosoa 7.5 servfail,nosoa status,version, nosoa 5.0 refused,nosoa 2.5 0.0 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015 2014-09-14: operators returning unknown flags informed.

  20. EDNS Compliance Report: 2015-03-19T05:19:26Z Root and TLD EDNS(0) Unknown Option Failure Reasons 1.2 badvers,nosoa timeout status,echoed badvers 0.9 formerr,echoed, nosoa servfail 0.6 status,version version status 0.3 formerr,echoed nosoa status,version,… servfail,nosoa 0.0 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015

  21. EDNS Compliance Report: 2015-03-19T05:19:26Z Root and TLD Firewalls by Type 10.0 EDNS(1) EDNS(0) EDNS opt EDNS opt + 7.5 EDNS(1) Combined EDNS opt + 5.0 FLAGS EDNS(1) + FLAGS EDNS opt + 2.5 EDNS(1) + FLAGS 0.0 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015 EDNS(0) all EDNS queries have timeout and there was a response to the plain DNS query EDNS(1) only the two EDNS version 1 queries timeout EDNS(1) + FLAGS the two EDNS version 1 queries timeout as well as the unknown EDNS flags query

  22. Where Next ● Extend draft-andrews-no-response-issue (Working group adoption?) ● Contact Firewall Vendors ● Contact Nameserver Vendors ● Contact Zone Owners / DNS hosters ● Convince TLD/SLD operators to run regular checks ● Add to online DNS checkers.

  23. TLDs already involved SWITCH – CH and LI .IE

  24. More Information ● http://users.isc.org/~marka/ts.html ● http://users.isc.org/~marka/tld-report.html ● http://users.isc.org/~marka/gov-report.html ● http://users.isc.org/~marka/au-report.html ● http://users.isc.org/~marka/alexa-report.html ● http://users.isc.org/~marka/bottom-report.html ● https://source.isc.org

Recommend


More recommend