rfcdiff: draft-ietf-dnsop-no-response-issue-10.txt -> draft-ietf-dnsop-no-response-issue-11.txt (text below follows the -11 version)

Network Working Group                                        M. Andrews
Internet-Draft                                                R. Bellis
Intended status: Best Current Practice                              ISC
Expires: January 28, 2019                                 July 27, 2018

     A Common Operational Problem in DNS Servers - Failure To Respond.
                  draft-ietf-dnsop-no-response-issue-11
Abstract

   The DNS is a query / response protocol.  Failing to respond to
   queries, or responding incorrectly, causes both immediate operational
   problems and long term problems with protocol development.

   This document identifies a number of common kinds of queries to which
   some servers either fail to respond or else respond incorrectly.
   This document also suggests procedures for TLD and other zone

skipping to change at page 1, line 40
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 28, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

skipping to change at page 2, line 29
     3.1.3.  DNS Flags . . . . . . . . . . . . . . . . . . . . . .   6
     3.1.4.  Unknown DNS opcodes . . . . . . . . . . . . . . . . .   6
     3.1.5.  Recursive Queries . . . . . . . . . . . . . . . . . .   6
     3.1.6.  TCP Queries . . . . . . . . . . . . . . . . . . . . .   6
   3.2.  EDNS Queries  . . . . . . . . . . . . . . . . . . . . . .   6
     3.2.1.  EDNS Queries - Version Independent  . . . . . . . . .   7
     3.2.2.  EDNS Queries - Version Specific . . . . . . . . . . .   7
     3.2.3.  EDNS Options  . . . . . . . . . . . . . . . . . . . .   7
     3.2.4.  EDNS Flags  . . . . . . . . . . . . . . . . . . . . .   7
     3.2.5.  Truncated EDNS Responses  . . . . . . . . . . . . . .   8
     3.2.6.  DO=1 Handling . . . . . . . . . . . . . . . . . . . .   8
     3.2.7.  EDNS over TCP . . . . . . . . . . . . . . . . . . . .   8
   4.  Firewalls and Load Balancers  . . . . . . . . . . . . . . . .   8
   5.  Scrubbing Services  . . . . . . . . . . . . . . . . . . . . .   9
   6.  Whole Answer Caches . . . . . . . . . . . . . . . . . . . . .  10
   7.  Response Code Selection . . . . . . . . . . . . . . . . . . .  10
   8.  Testing . . . . . . . . . . . . . . . . . . . . . . . . . . .  10
     8.1.  Testing - Basic DNS . . . . . . . . . . . . . . . . . . .  11
       8.1.1.  Is The Server Configured For The Zone?  . . . . . . .  11
       8.1.2.  Testing Unknown Types . . . . . . . . . . . . . . . .  11
       8.1.3.  Testing Header Bits . . . . . . . . . . . . . . . . .  12
       8.1.4.  Testing Unknown Opcodes . . . . . . . . . . . . . . .  14
       8.1.5.  Testing Recursive Queries . . . . . . . . . . . . . .  14
       8.1.6.  Testing TCP . . . . . . . . . . . . . . . . . . . . .  14
     8.2.  Testing - Extended DNS  . . . . . . . . . . . . . . . . .  15
       8.2.1.  Testing Minimal EDNS  . . . . . . . . . . . . . . . .  15
       8.2.2.  Testing EDNS Version Negotiation  . . . . . . . . . .  16
       8.2.3.  Testing Unknown EDNS Options  . . . . . . . . . . . .  16
       8.2.4.  Testing Unknown EDNS Flags  . . . . . . . . . . . . .  17
       8.2.5.  Testing EDNS Version Negotiation With Unknown EDNS
               Flags . . . . . . . . . . . . . . . . . . . . . . . .  18
       8.2.6.  Testing EDNS Version Negotiation With Unknown EDNS
               Options . . . . . . . . . . . . . . . . . . . . . . .  19
       8.2.7.  Testing Truncated Responses . . . . . . . . . . . . .  19
       8.2.8.  Testing DO=1 Handling . . . . . . . . . . . . . . . .  20
       8.2.9.  Testing EDNS Version Negotiation With DO=1  . . . . .  20
       8.2.10. Testing With Multiple Defined EDNS Options  . . . . .  21
     8.3.  When EDNS Is Not Supported  . . . . . . . . . . . . . . .  21
   9.  Remediation . . . . . . . . . . . . . . . . . . . . . . . . .  22
   10. Security Considerations . . . . . . . . . . . . . . . . . . .  23
   11. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  23
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .  23
     12.1.  Normative References . . . . . . . . . . . . . . . . . .  23
     12.2.  Informative References . . . . . . . . . . . . . . . . .  24
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  25

skipping to change at page 8, line 14
3.2.5.  Truncated EDNS Responses

   Some EDNS aware servers fail to include an OPT record when a
   truncated response is sent.  An OPT record is supposed to be included
   in a truncated response [RFC6891].

   Some EDNS aware servers fail to honour the advertised EDNS buffer size
   and send over-sized responses.

3.2.6.  DO=1 Handling

   Some nameservers incorrectly only return an EDNS response when the DO
   bit [RFC3225] is 1 in the query.  Additionally some nameservers fail
   to copy the DO bit to the response despite clearly supporting DNSSEC
   by returning RRSIG records to EDNS queries with DO=1.

3.2.7.  EDNS over TCP

   Some EDNS aware servers incorrectly limit the TCP response sizes to
   the advertised UDP response size.

4.  Firewalls and Load Balancers

   Firewalls and load balancers can affect the externally visible
   behaviour of a nameserver.  Tests for conformance should be done

skipping to change at page 11, line 5

   ignored [RFC6891].
8.  Testing

   Testing is divided into two sections.  "Basic DNS", which all servers
   should meet, and "Extended DNS", which should be met by all servers
   that support EDNS (a server is deemed to support EDNS if it gives a
   valid EDNS response to any EDNS query).  If a server does not support
   EDNS it should still respond to all the tests.

   These tests query for records at the apex of a zone that the server
   is nominally configured to serve.  All tests should use the same
   zone.

   It is advisable to run all of the tests below in parallel so as to
   minimise the delays due to multiple timeouts when the servers do not
   respond.  There are 16 queries directed to each nameserver (assuming
   no packet loss) testing different aspects of Basic DNS and Extended
   DNS.

   The tests below use dig from BIND 9.11.0.
8.1.  Testing - Basic DNS

   This first set of tests covers basic DNS server behaviour and all
   servers should pass these tests.

8.1.1.  Is The Server Configured For The Zone?

   Ask for the SOA record of the configured zone.  This query is made
   with no DNS flag bits set and without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section with the rcode set to NOERROR and the AA and QR bits to be
   set in the response; RA may also be set [RFC1034].  We do not expect
   an OPT record to be returned [RFC6891].

   Verify the server is configured for the zone:

   dig +noedns +noad +norec soa $zone @$server

   expect: status: NOERROR
   expect: the SOA record to be present in the answer section
   expect: flag: aa to be present
   expect: flag: rd to NOT be present
   expect: flag: ad to NOT be present
   expect: the OPT record to NOT be present
8.1.2.  Testing Unknown Types

   Ask for the TYPE1000 record at the configured zone's name.  This
   query is made with no DNS flag bits set and without EDNS.  TYPE1000
   has been chosen for this purpose as IANA is unlikely to allocate this
   type in the near future and it is not in a range reserved for private
   use [RFC6895].

   We expect no records to be returned in the answer section with the
   rcode set to NOERROR and the AA and QR bits to be set in the
   response; RA may also be set [RFC1034].  We do not expect an OPT
   record to be returned [RFC6891].

   Check that queries for an unknown type work:

   dig +noedns +noad +norec type1000 $zone @$server

   expect: status: NOERROR
   expect: an empty answer section.
   expect: flag: aa to be present
   expect: flag: rd to NOT be present
   expect: flag: ad to NOT be present
   expect: the OPT record to NOT be present
8.1.3.  Testing Header Bits

8.1.3.1.  Testing CD=1 Queries

   Ask for the SOA record of the configured zone.  This query is made
   with only the CD DNS flag bit set and all other DNS bits clear and
   without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section with the rcode set to NOERROR and the AA and QR bits to be
   set in the response.  We do not expect an OPT record to be returned.
   If the server supports DNSSEC, CD should be set in the response
   [RFC4035] otherwise CD should be clear [RFC1034].

   Check that queries with CD=1 work:

skipping to change at page 12, line 46

   expect: status: NOERROR
   expect: the SOA record to be present in the answer section
   expect: flag: aa to be present
   expect: flag: rd to NOT be present
   expect: flag: ad to NOT be present
   expect: the OPT record to NOT be present
8.1.3.2.  Testing AD=1 Queries

   Ask for the SOA record of the configured zone.  This query is made
   with only the AD DNS flag bit set and all other DNS bits clear and
   without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section with the rcode set to NOERROR and the AA and QR bits to be
   set in the response.  We do not expect an OPT record to be returned.
   The purpose of this query is to detect blocking of queries with the
   AD bit present, not the specific value of AD in the response.

   Check that queries with AD=1 work:

   dig +noedns +norec +ad soa $zone @$server

skipping to change at page 13, line 22

   expect: status: NOERROR
   expect: the SOA record to be present in the answer section
   expect: flag: aa to be present
   expect: flag: rd to NOT be present
   expect: the OPT record to NOT be present

   AD use in queries is defined in [RFC6840].
8.1.3.3.  Testing Reserved Bit

   Ask for the SOA record of the configured zone.  This query is made
   with only the final reserved DNS flag bit set and all other DNS bits
   clear and without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section with the rcode set to NOERROR and the AA and QR bits to be
   set in the response; RA may be set.  The final reserved bit must not
   be set [RFC1034].  We do not expect an OPT record to be returned
   [RFC6891].

   Check that queries with the last unassigned DNS header flag work and
   that the flag bit is not copied to the response:

   dig +noedns +noad +norec +zflag soa $zone @$server

   expect: status: NOERROR
   expect: the SOA record to be present in the answer section

skipping to change at page 14, line 25

   expect: status: NOTIMP
   expect: opcode: 15
   expect: all sections to be empty
   expect: flag: aa to NOT be present
   expect: flag: rd to NOT be present
   expect: flag: ad to NOT be present
   expect: the OPT record to NOT be present
8.1.5.  Testing Recursive Queries

   Ask for the SOA record of the configured zone.  This query is made
   with only the RD DNS flag bit set and without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section with the rcode set to NOERROR and the AA, QR and RD bits to
   be set in the response; RA may also be set [RFC1034].  We do not
   expect an OPT record to be returned [RFC6891].

   Check that recursive queries work:

   dig +noedns +noad +rec soa $zone @$server

   expect: status: NOERROR
   expect: the SOA record to be present in the answer section
   expect: flag: aa to be present
   expect: flag: rd to be present
   expect: flag: ad to NOT be present
   expect: the OPT record to NOT be present
8.1.6.  Testing TCP

   Ask for the SOA record of the configured zone.  This query is made
   with no DNS flag bits set and without EDNS.  This query is to be sent
   using TCP.

   We expect the SOA record for the zone to be returned in the answer
   section with the rcode set to NOERROR and the AA and QR bits to be
   set in the response; RA may also be set [RFC1034].  We do not expect
   an OPT record to be returned [RFC6891].

   Check that TCP queries work:

   dig +noedns +noad +norec +tcp soa $zone @$server

   expect: status: NOERROR
   expect: the SOA record to be present in the answer section
   expect: flag: aa to be present
   expect: flag: rd to NOT be present
   expect: flag: ad to NOT be present
   expect: the OPT record to NOT be present

   The requirement that TCP be supported is defined in [RFC7766].
8.2.  Testing - Extended DNS

   The next set of tests cover various aspects of EDNS behaviour.  If
   any of these tests succeed (indicating at least some EDNS support)
   then all of them should succeed.  There are servers that support EDNS
   but fail to handle plain EDNS queries correctly so a plain EDNS query
   is not a good indicator of lack of EDNS support.
8.2.1.  Testing Minimal EDNS

   Ask for the SOA record of the configured zone.  This query is made
   with no DNS flag bits set.  EDNS version 0 is used without any EDNS
   options or EDNS flags set.

   We expect the SOA record for the zone to be returned in the answer
   section with the rcode set to NOERROR and the AA and QR bits to be
   set in the response; RA may also be set [RFC1034].  We expect an OPT
   record to be returned.  There should be no EDNS flags present in the
   response.  The EDNS version field should be 0 and there should be no
   EDNS options present [RFC6891].

   Check that plain EDNS queries work:

   dig +nocookie +edns=0 +noad +norec soa $zone @$server

   expect: status: NOERROR
   expect: the SOA record to be present in the answer section
   expect: an OPT record to be present in the additional section
   expect: EDNS Version 0 in response
   expect: flag: aa to be present
   expect: flag: ad to NOT be present

   +nocookie disables sending an EDNS COOKIE option, which is otherwise
   enabled by default in BIND 9.11.0 (and later).
8.2.2.  Testing EDNS Version Negotiation

   Ask for the SOA record of the configured zone.  This query is made
   with no DNS flag bits set.  EDNS version 1 is used without any EDNS
   options or EDNS flags set.

   We expect the SOA record for the zone to NOT be returned in the
   answer section, with the extended rcode set to BADVERS and the QR bit
   set in the response; RA may also be set [RFC1034].  We expect an OPT
   record to be returned.  There should be no EDNS flags present in the
   response.  The EDNS version field should be 0 in the response as no
   other EDNS version has as yet been specified [RFC6891].

   Check that EDNS version 1 queries work (EDNS supported):

   dig +nocookie +edns=1 +noednsneg +noad +norec soa $zone @$server

   expect: status: BADVERS
   expect: the SOA record to NOT be present in the answer section
   expect: an OPT record to be present in the additional section
   expect: EDNS Version 0 in response
   expect: flag: aa to NOT be present
   expect: flag: ad to NOT be present

   +noednsneg has been set as dig supports EDNS version negotiation and
   we want to see only the response to the initial EDNS version 1 query.
   BADVERS is the expected rcode if EDNS is supported, as per
   Section 6.1.3 of [RFC6891].
8.2.3.  Testing Unknown EDNS Options

   Ask for the SOA record of the configured zone.  This query is made
   with no DNS flag bits set.  EDNS version 0 is used without any EDNS
   flags.  An EDNS option is present with a code that has not yet been
   assigned by IANA.  We have picked 100 for the example below.

   We expect the SOA record for the zone to be returned in the answer
   section with the rcode set to NOERROR and the AA and QR bits to be
   set in the response; RA may also be set [RFC1034].  We expect an OPT
   record to be returned.  There should be no EDNS flags present in the
   response.  The EDNS version field should be 0 as EDNS versions other
   than 0 are yet to be specified and there should be no EDNS options
   present as unknown EDNS options are supposed to be ignored by the
   server ([RFC6891], Section 6.1.2).

   Check that EDNS queries with an unknown option work (EDNS supported):

   dig +nocookie +edns=0 +noad +norec +ednsopt=100 soa $zone @$server

   expect: status: NOERROR
   expect: the SOA record to be present in the answer section
   expect: an OPT record to be present in the additional section
   expect: OPT=100 to NOT be present
   expect: EDNS Version 0 in response
   expect: flag: aa to be present
   expect: flag: ad to NOT be present
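   The dig invocations in Sections 8.1 and 8.2 each set particular header
   bits, an opcode, or OPT fields (EDNS version, EDNS flags such as 0x40,
   option codes such as 100).  The following Python is an added example
   and is not part of the draft nor ISC code: it builds the same queries
   on the wire, parses what comes back the way dig's summary lines do,
   and reports which of the draft's "expect:" conditions a response
   violates.  The zone "example.", the constructed_reply() stand-in
   server (so the block runs offline) and the send() callable are
   assumptions; pass a UDP or TCP sender as send() to test a real
   server.

```python
import struct

# DNS header flag bits in the 16-bit flags word (RFC 1035, RFC 4035); Z is the last reserved bit
QR, AA, TC, RD, RA, Z, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0040, 0x0020, 0x0010
TYPE_SOA, TYPE_OPT, CLASS_IN = 6, 41, 1
EDNS_DO = 0x8000                       # DO bit, low 16 bits of the OPT TTL field (RFC 3225)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 16: "BADVERS"}

def encode_name(name):
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def opt_rr(version=0, flags=0, options=(), udpsize=4096, ext_rcode=0):
    """OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS = UDP size, TTL = ext rcode|version|flags."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    ttl = (ext_rcode << 24) | (version << 16) | (flags & 0xFFFF)
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udpsize, ttl, len(rdata)) + rdata

def build_query(zone, qtype=TYPE_SOA, opcode=0, flags=0, txid=0x1234, edns=None):
    """Wire-format query; edns=None means no OPT record (dig +noedns), else kwargs for opt_rr()."""
    header = struct.pack("!HHHHHH", txid, (opcode << 11) | flags, 1, 0, 0, 0 if edns is None else 1)
    question = encode_name(zone) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + (b"" if edns is None else opt_rr(**edns))

def skip_name(buf, off):                       # advance past a (possibly compressed) name
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:              # compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def parse_response(buf):
    """Summarise a message the way dig's header and OPT pseudosection lines do."""
    txid, bits, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off, opt, rcode = 12, None, bits & 0x0F
    for _ in range(qd):
        off = skip_name(buf, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:                  # upper 4 bits of the rcode live in the OPT TTL
            rcode |= (ttl >> 24) << 4
            codes, p = [], off
            while p < off + rdlen:
                code, olen = struct.unpack("!HH", buf[p:p + 4])
                codes.append(code)
                p += 4 + olen
            opt = {"version": (ttl >> 16) & 0xFF, "flags": ttl & 0xFFFF, "udpsize": rclass, "options": codes}
        off += rdlen
    flags = {n: bool(bits & b) for n, b in zip("qr aa tc rd ra z ad cd".split(), (QR, AA, TC, RD, RA, Z, AD, CD))}
    return {"txid": txid, "opcode": (bits >> 11) & 0xF, "status": RCODES.get(rcode, str(rcode)),
            "flags": flags, "ancount": an, "opt": opt}

def check(resp, status, aa, rd, ad, opt_present, answer=True):
    """Return the 'expect:' conditions from the draft that the response violates (empty list = pass)."""
    fails = []
    if resp["status"] != status: fails.append("status: " + status)
    if not resp["flags"]["qr"]: fails.append("flag: qr to be present")
    if resp["flags"]["aa"] != aa: fails.append("flag: aa")
    if resp["flags"]["rd"] != rd: fails.append("flag: rd")
    if resp["flags"]["ad"] != ad: fails.append("flag: ad")
    if resp["flags"]["z"]: fails.append("reserved bit copied to response")
    if (resp["opt"] is not None) != opt_present: fails.append("OPT record presence")
    if (resp["ancount"] > 0) != answer: fails.append("answer section")
    o = resp["opt"]
    if o and (o["version"] != 0 or o["options"] or o["flags"] & ~EDNS_DO):
        fails.append("EDNS version 0, no options, no MBZ flags")
    return fails

def constructed_reply(query):
    """Constructed stand-in for a conforming server (offline test data, not a capture):
    NOTIMP for unknown opcodes, BADVERS for EDNS version > 0, otherwise an authoritative answer."""
    q = parse_response(query)
    txid, question = q["txid"], query[12:skip_name(query, 12) + 4]
    if q["opcode"]:
        return struct.pack("!HHHHHH", txid, QR | (q["opcode"] << 11) | 4, 0, 0, 0, 0)
    if q["opt"] and q["opt"]["version"] != 0:
        return struct.pack("!HHHHHH", txid, QR, 1, 0, 0, 1) + question + opt_rr(ext_rcode=1)
    qtype = struct.unpack("!H", question[-4:-2])[0]
    soa = encode_name("ns.example.") + encode_name("hostmaster.example.") + struct.pack("!IIIII", 1, 7200, 900, 1209600, 3600)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 3600, len(soa)) + soa if qtype == TYPE_SOA else b""
    tail = opt_rr(flags=q["opt"]["flags"] & EDNS_DO) if q["opt"] else b""   # echo DO only; drop unknown flags/options
    hdr = struct.pack("!HHHHHH", txid, QR | AA | (RD if q["flags"]["rd"] else 0), 1, 1 if answer else 0, 0, 1 if q["opt"] else 0)
    return hdr + question + answer + tail

def run_tests(zone, send):
    """Wire-level equivalents of the dig tests; send(query_bytes) -> response_bytes."""
    basic = dict(status="NOERROR", aa=True, rd=False, ad=False, opt_present=False)
    edns = dict(basic, opt_present=True)
    cases = {
        "8.1.1 soa": (build_query(zone), basic),
        "8.1.2 type1000": (build_query(zone, qtype=1000), dict(basic, answer=False)),
        "8.1.3.3 zflag": (build_query(zone, flags=Z), basic),
        "8.1.4 opcode15": (build_query(zone, opcode=15), dict(basic, status="NOTIMP", aa=False, answer=False)),
        "8.1.5 rd": (build_query(zone, flags=RD), dict(basic, rd=True)),
        "8.2.1 edns0": (build_query(zone, edns={}), edns),
        "8.2.2 edns1": (build_query(zone, edns={"version": 1}), dict(edns, status="BADVERS", aa=False, answer=False)),
        "8.2.3 opt100": (build_query(zone, edns={"options": [(100, b"")]}), edns),
        "8.2.4 flag0x40": (build_query(zone, edns={"flags": 0x40}), edns),
    }
    return {name: check(parse_response(send(q)), **exp) for name, (q, exp) in cases.items()}
```

   run_tests("example.", constructed_reply) returns an empty failure
   list for every case; against a real server, a non-empty list names
   the expectation the server breaks (a copied reserved bit, a missing
   OPT, an echoed unknown EDNS flag).  Timeouts are the failure mode the
   draft is really about, so a real send() should use a short timeout
   and report "no response" separately rather than raising.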
8.2.4. Testing Unknown EDNS Flags

draft-10:
Ask for the SOA record of the zone the server is nominally configured
to serve. This query is made with no DNS flag bits set. EDNS
version 0 is used without any EDNS options. A unassigned EDNS flag
bit is set (0x40 in this case).

draft-11:
Ask for the SOA record of the configured zone. This query is made
with no DNS flag bits set. EDNS version 0 is used without any EDNS
options. An unassigned EDNS flag bit is set (0x40 in this case).

draft-10:
We expect the SOA record for the zone to be returned in the answer
section with the rcode set to NOERROR and the AA and QR bits to be
set in the response, RA may also be set [RFC1034]. We expect an OPT
record to be returned. There should be no EDNS flags present in the
response as unknown EDNS flags are supposed to be ignored. The EDNS
version field should be zero and there should be no EDNS options
present [RFC6891].

draft-11:
We expect the SOA record for the zone to be returned in the answer
section with the rcode set to NOERROR and the AA and QR bits to be
set in the response; RA may also be set [RFC1034]. We expect an OPT
record to be returned. There should be no EDNS flags present in the
response as unknown EDNS flags are supposed to be ignored. The EDNS
version field should be 0 and there should be no EDNS options present
[RFC6891].

Check that EDNS queries with unknown flags work (EDNS supported):

   dig +nocookie +edns=0 +noad +norec +ednsflags=0x40 soa $zone @$server

   expect: status: NOERROR
   expect: the SOA record to be present in the answer section
   expect: an OPT record to be present in the additional section
   expect: MBZ not to be present
   expect: EDNS Version 0 in response
   expect: flag: aa to be present
   expect: flag: ad to NOT be present

draft-10:
MBZ (Must Be Zero) presence indicates the flag bit has been
incorrectly copied as per Section 6.1.4, [RFC6891].

draft-11:
MBZ (Must Be Zero) is a dig-specific indication that a flag bit has
been incorrectly copied as per Section 6.1.4, [RFC6891].
8.2.5. Testing EDNS Version Negotiation With Unknown EDNS Flags

draft-10:
Ask for the SOA record of the zone the server is nominally configured
to serve. This query is made with no DNS flag bits set. EDNS
version 1 is used without any EDNS options. A unassigned EDNS flag
bit is set (0x40 in this case).

draft-11:
Ask for the SOA record of the configured zone. This query is made
with no DNS flag bits set. EDNS version 1 is used without any EDNS
options. An unassigned EDNS flag bit is set (0x40 in this case).

draft-10:
We expect the SOA record for the zone to NOT be returned in the
answer section with the extended rcode set to BADVERS and the QR bit
to be set in the response, RA may also be set [RFC1034]. We expect
an OPT record to be returned. There should be no EDNS flags present
in the response as unknown EDNS flags are supposed to be ignored.
The EDNS version field should be zero as EDNS versions other than 0
are yet to be specified and there should be no EDNS options present
[RFC6891].

draft-11:
We expect the SOA record for the zone to NOT be returned in the
answer section with the extended rcode set to BADVERS and the QR bit
to be set in the response; RA may also be set [RFC1034]. We expect
an OPT record to be returned. There should be no EDNS flags present
in the response as unknown EDNS flags are supposed to be ignored.
The EDNS version field should be 0 as EDNS versions other than 0 are
yet to be specified and there should be no EDNS options present
[RFC6891].

Check that EDNS version 1 queries with unknown flags work (EDNS
supported):

   dig +nocookie +edns=1 +noednsneg +noad +norec +ednsflags=0x40 soa \
       $zone @$server

   expect: status: BADVERS
   expect: SOA record to NOT be present
   expect: an OPT record to be present in the additional section
   expect: MBZ not to be present
   expect: EDNS Version 0 in response
   expect: flag: aa to NOT be present
   expect: flag: ad to NOT be present

draft-10 only:
+noednsneg disables EDNS version negotiation in DiG; MBZ (Must Be
Zero) presence indicates the flag bit has been incorrectly copied.
8.2.6. Testing EDNS Version Negotiation With Unknown EDNS Options

draft-10:
Ask for the SOA record of the zone the server is nominally configured
to serve. This query is made with no DNS flag bits set. EDNS
version 1 is used. A unknown EDNS option is present (option code 100
has been chosen).

draft-11:
Ask for the SOA record of the configured zone. This query is made
with no DNS flag bits set. EDNS version 1 is used. An unknown EDNS
option is present. We have picked 100 for the example below.

draft-10:
We expect the SOA record for the zone to NOT be returned in the
answer section with the extended rcode set to BADVERS and the QR bit
to be set in the response, RA may also be set [RFC1034]. We expect
an OPT record to be returned. There should be no EDNS flags present
in the response. The EDNS version field should be zero as EDNS
versions other than 0 are yet to be specified and there should be no
EDNS options present [RFC6891].

draft-11:
We expect the SOA record for the zone to NOT be returned in the
answer section with the extended rcode set to BADVERS and the QR bit
to be set in the response; RA may also be set [RFC1034]. We expect
an OPT record to be returned. There should be no EDNS flags present
in the response. The EDNS version field should be 0 as EDNS versions
other than 0 are yet to be specified and there should be no EDNS
options present [RFC6891].

Check that EDNS version 1 queries with unknown options work (EDNS
supported):

   dig +nocookie +edns=1 +noednsneg +noad +norec +ednsopt=100 soa \
       $zone @$server

   expect: status: BADVERS
   expect: SOA record to NOT be present
   expect: an OPT record to be present in the additional section
   expect: OPT=100 to NOT be present
   expect: EDNS Version 0 in response
   expect: flag: aa to be present
   expect: flag: ad to NOT be present

draft-10 only:
+noednsneg disables EDNS version negotiation in DiG.
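As an added example (not code from the draft or from dig), the following Python builds the four probe queries that the dig invocations in Sections 8.2.3 to 8.2.6 send, so the OPT RR wire layout produced by +ednsopt=100, +ednsflags=0x40 and +edns=1 can be inspected or replayed over a raw UDP socket. The zone name and transaction id are placeholders.

```python
import struct

# Added example, not code from the draft: build the EDNS probe queries of
# Sections 8.2.3 to 8.2.6 so the OPT RR layout (version, flags, options)
# that the dig options produce can be inspected or replayed.

OPT_TYPE = 41          # OPT pseudo-RR type [RFC6891]
SOA_TYPE = 6

def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels plus the root label."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                   for lab in name.rstrip(".").split(".") if lab)
    return out + b"\x00"

def build_opt(version=0, ednsflags=0, options=(), udpsize=4096) -> bytes:
    """OPT RR: root owner name, TYPE 41, CLASS = UDP payload size,
    TTL = extended-rcode(8) | version(8) | flags(16), RDATA = option list."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                     for code, data in options)
    ttl = (version << 16) | (ednsflags & 0xFFFF)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udpsize, ttl, len(rdata)) + rdata

def build_query(zone, qtype=SOA_TYPE, txid=0x1234, rd=False, ad=False,
                edns_version=0, ednsflags=0, options=()) -> bytes:
    """One question plus one OPT RR in the additional section. With rd and ad
    left False no DNS header flag bits are set, matching dig +norec +noad."""
    flags = (0x0100 if rd else 0) | (0x0020 if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(zone) + struct.pack("!HH", qtype, 1)
    return header + question + build_opt(edns_version, ednsflags, options)

# The four probes from Sections 8.2.3 to 8.2.6; the zone name is a placeholder
# and no COOKIE option is added, matching dig +nocookie.
ZONE = "example.com."
PROBES = {
    "8.2.3 unknown option": build_query(ZONE, options=[(100, b"")]),
    "8.2.4 unknown flag": build_query(ZONE, ednsflags=0x40),
    "8.2.5 v1 + unknown flag": build_query(ZONE, edns_version=1, ednsflags=0x40),
    "8.2.6 v1 + unknown option": build_query(ZONE, edns_version=1,
                                             options=[(100, b"")]),
}

if __name__ == "__main__":
    # To send: socket.socket(AF_INET, SOCK_DGRAM).sendto(PROBES[name], (server, 53))
    for name, q in PROBES.items():
        print(f"{name}: {q.hex()}")
```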
8.2.7. Testing Truncated Responses

draft-10:
Ask for the DNSKEY records of the zone the server is nominally
configured to serve. This query is made with no DNS flag bits set.
EDNS version 0 is used without any EDNS options. The only EDNS flag
set is DO. The EDNS UDP buffer size is set to 512. The intention of
this query is elicit a truncated response from the server. Most
signed DNSKEY responses are bigger than 512 bytes.

draft-11:
Ask for the DNSKEY records of the configured zone, which must be a
DNSSEC signed zone. This query is made with no DNS flag bits set.
EDNS version 0 is used without any EDNS options. The only EDNS flag
set is DO. The EDNS UDP buffer size is set to 512. The intention of
this query is to elicit a truncated response from the server. Most
signed DNSKEY responses are bigger than 512 bytes. This test will
not give a valid result if the zone is not signed.

draft-10:
We expect a response with the rcode set to NOERROR and the AA and QR
bits to be set, AD may be set in the response if the server supports
DNSSEC otherwise it should be clear. TC and RA may also be set
[RFC1034]. We expect an OPT record to be present in the response.
There should be no EDNS flags other than DO present in the response.
The EDNS version field should be zero and there should be no EDNS
options present [RFC6891].

draft-11:
We expect a response with the rcode set to NOERROR and the AA and QR
bits to be set, AD may be set in the response if the server supports
DNSSEC otherwise it should be clear; TC and RA may also be set
[RFC1035] [RFC4035]. We expect an OPT record to be present in the
response. There should be no EDNS flags other than DO present in the
response. The EDNS version field should be 0 and there should be no
EDNS options present [RFC6891].

If TC is not set it is not possible to confirm whether the server
correctly adds the OPT record to truncated responses.

   dig +norec +dnssec +bufsize=512 +ignore dnskey $zone @$server

   expect: NOERROR
   expect: OPT record with version set to 0
draft-10: 8.2.8. Testing DNSSEC Queries
draft-11: 8.2.8. Testing DO=1 Handling

draft-10:
Ask for the SOA record of the zone the server is nominally configured
to serve. This query is made with no DNS flag bits set. EDNS
version 0 is used without any EDNS options. The only EDNS flag set
is DO.

draft-11:
Ask for the SOA record of the configured zone, which does not need to
be DNSSEC signed. This query is made with no DNS flag bits set.
EDNS version 0 is used without any EDNS options. The only EDNS flag
set is DO.

draft-10:
We expect the SOA record for the zone to be returned in the answer
section with the rcode set to NOERROR and the AA and QR bits to be
set in the response, AD may be set in the response if the server
supports DNSSEC otherwise it should be clear. RA may also be set
[RFC1034]. We expect an OPT record to be returned. There should be
no EDNS flags other than DO present in the response which should be
present if the server supports DNSSEC. The EDNS version field should
be zero and there should be no EDNS options present [RFC6891].

draft-11:
We expect the SOA record for the zone to be returned in the answer
section with the rcode set to NOERROR and the AA and QR bits to be
set in the response, AD may be set in the response if the server
supports DNSSEC otherwise it should be clear; RA may also be set
[RFC1034]. We expect an OPT record to be returned. There should be
no EDNS flags other than DO present in the response which should be
present if the server supports DNSSEC. The EDNS version field should
be 0 and there should be no EDNS options present [RFC6891].

draft-10: Check that a DNSSEC queries work (EDNS supported):
draft-11: Check that DO=1 queries work (EDNS supported):

   dig +nocookie +edns=0 +noad +norec +dnssec soa $zone @$server

   expect: status: NOERROR
   expect: the SOA record to be present in the answer section
   expect: an OPT record to be present in the additional section
   expect: DO=1 to be present if a RRSIG is in the response
   expect: EDNS Version 0 in response
   expect: flag: aa to be present

draft-10 only:
DO=1 should be present if RRSIGs are returned as they indicate that
the server supports DNSSEC. Servers that support DNSSEC are supposed
to copy the DO bit from the request to the response as per [RFC3225].

draft-10: 8.2.9. Testing EDNS Version Negotiation With DNSSEC
draft-11: 8.2.9. Testing EDNS Version Negotiation With DO=1
draft-10:
Ask for the SOA record of the zone the server is nominally configured
to serve. This query is made with no DNS flag bits set. EDNS
version 1 is used without any EDNS options. The only EDNS flag set
is DO.

draft-11:
Ask for the SOA record of the configured zone, which does not need to
be DNSSEC signed. This query is made with no DNS flag bits set.
EDNS version 1 is used without any EDNS options. The only EDNS flag
set is DO.

draft-10:
We expect the SOA record for the zone to NOT be returned in the
answer section with the rcode set to BADVERS and the only the QR bit
and possibly the RA bit to be set [RFC1034]. We expect an OPT record
to be returned. There should be no EDNS flags other than DO present
in the response which should be present if the server supports
DNSSEC. The EDNS version field should be zero and there should be no
EDNS options present [RFC6891].

draft-11:
We expect the SOA record for the zone to NOT be returned in the
answer section with the rcode set to BADVERS; the QR bit and possibly
the RA bit to be set [RFC1034]. We expect an OPT record to be
returned. There should be no EDNS flags other than DO present in the
response which should be there if the server supports DNSSEC. The
EDNS version field should be 0 and there should be no EDNS options
present [RFC6891].

draft-10: Check that EDNS version 1 DNSSEC queries work (EDNS supported):
draft-11: Check that EDNS version 1, DO=1 queries work (EDNS supported):

   dig +nocookie +edns=1 +noednsneg +noad +norec +dnssec soa \
       $zone @$server

   expect: status: BADVERS
   expect: SOA record to NOT be present
   expect: an OPT record to be present in the additional section
   expect: DO=1 to be present if the EDNS version 0 DNSSEC query test
           returned DO=1
   expect: EDNS Version 0 in response
   expect: flag: aa to NOT be present

draft-10 only:
+noednsneg disables EDNS version negotiation in DiG.
8.2.10. Testing With Multiple Defined EDNS Options

draft-10:
Ask for the SOA record of the zone the server is nominally configured
to serve. This query is made with no DNS flag bits set. EDNS
version 0 is used. A number of defined EDNS options are present
(NSID [RFC5001], DNS COOKIE [RFC7873], EDNS Client Subnet [RFC7871]
and EDNS Expire [RFC7314]).

draft-11:
Ask for the SOA record of the configured zone. This query is made
with no DNS flag bits set. EDNS version 0 is used. A number of
defined EDNS options are present (NSID [RFC5001], DNS COOKIE
[RFC7873], EDNS Client Subnet [RFC7871] and EDNS Expire [RFC7314]).

draft-10:
We expect the SOA record for the zone to be returned in the answer
section with the rcode set to NOERROR and the AA and QR bits to be
set in the response, RA may also be set [RFC1034]. We expect an OPT
record to be returned. There should be no EDNS flags present in the
response. The EDNS version field should be zero. Any of the
requested EDNS options supported by the server and permitted server
configuration may be returned [RFC6891].

draft-11:
We expect the SOA record for the zone to be returned in the answer
section with the rcode set to NOERROR and the AA and QR bits to be
set in the response; RA may also be set [RFC1034]. We expect an OPT
record to be returned. There should be no EDNS flags present in the
response. The EDNS version field should be 0. Any of the requested
EDNS options supported by the server and permitted server
configuration may be returned [RFC6891].

Check that EDNS queries with multiple defined EDNS options work:

   dig +edns=0 +noad +norec +cookie +nsid +expire +subnet=0.0.0.0/0 \
       soa $zone @$server

   expect: status: NOERROR
   expect: the SOA record to be present in the answer section
   expect: an OPT record to be present in the additional section
   expect: EDNS Version 0 in response
   expect: flag: aa to be present
   expect: flag: ad to NOT be present
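As an added example (not part of the draft), the following Python decodes the response fields that the expect: lists of Sections 8.2.3 to 8.2.10 refer to (status including the EDNS extended rcode that carries BADVERS, the aa/ad/tc header bits, OPT version, MBZ flags and echoed options) and reports which expectations a reply fails. The sample reply is constructed, not captured from any server.

```python
import struct

# Added example, not code from the draft: decode the response fields the
# expect: lists refer to and report which expectations a reply fails.

OPT_TYPE, SOA_TYPE = 41, 6
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 16: "BADVERS"}

def skip_name(msg: bytes, off: int) -> int:
    """Offset just past an owner name; a compression pointer ends the name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def analyse(msg: bytes) -> dict:
    """Header flags, rcode merged with the OPT extended rcode, answer types, OPT."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    res = {"qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
           "tc": bool(flags & 0x0200), "ra": bool(flags & 0x0080),
           "ad": bool(flags & 0x0020), "rcode": flags & 0xF,
           "answer_types": [], "opt": None}
    off = 12
    for _ in range(qd):                          # QNAME, then QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]
            off += 10 + rdlen
            if section == "an":
                res["answer_types"].append(rtype)
            elif rtype == OPT_TYPE:              # TTL = ext-rcode|version|flags
                codes, p = [], 0
                while p + 4 <= len(rdata):       # walk the option list
                    code, olen = struct.unpack("!HH", rdata[p:p + 4])
                    codes.append(code)
                    p += 4 + olen
                res["opt"] = {"udpsize": rclass, "version": (ttl >> 16) & 0xFF,
                              "do": bool(ttl & 0x8000), "mbz": ttl & 0x7FFF,
                              "options": codes}
                res["rcode"] |= (ttl >> 24) << 4  # BADVERS (16) comes from here
    res["status"] = RCODES.get(res["rcode"], str(res["rcode"]))
    return res

def failures(res: dict, status: str, soa: bool, aa: bool, options=()) -> list:
    """Expect: items the reply fails: ad clear, OPT present, version 0, no MBZ."""
    got = {"status": res["status"], "soa": SOA_TYPE in res["answer_types"],
           "aa": res["aa"], "ad": res["ad"], "opt": res["opt"] is not None}
    want = {"status": status, "soa": soa, "aa": aa, "ad": False, "opt": True}
    if res["opt"]:
        got.update(version=res["opt"]["version"], mbz=res["opt"]["mbz"],
                   options=sorted(res["opt"]["options"]))
        want.update(version=0, mbz=0, options=sorted(options))
    return [k for k in want if got.get(k) != want[k]]

# Constructed reply to the Section 8.2.5 probe from a server that copied the
# unassigned 0x40 flag into its BADVERS response (the MBZ failure dig reports).
BAD_MBZ_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 0, 0, 1)
                 + b"\x07example\x03com\x00\x00\x06\x00\x01"
                 + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0x01000040, 0))
```

Running `failures(analyse(BAD_MBZ_REPLY), "BADVERS", soa=False, aa=False)` returns `["mbz"]`, the single expectation that constructed reply violates.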
8.3. When EDNS Is Not Supported

draft-10:
If EDNS is not supported by the nameserver, we expect a response to
all the above queries. That response may be a FORMERR or NOTIMP
error response or the OPT record may just be ignored.

draft-11:
If EDNS is not supported by the nameserver, we expect a response to
each of the above queries. That response may be a FORMERR error
response or the OPT record may just be ignored.

Some nameservers only return an EDNS response when a particular EDNS
option or flag (e.g. DO=1) is present in the request. This
behaviour is not compliant behaviour and may hide other incorrect
behaviour from the above tests. Re-testing with the triggering
option / flag present will expose this misbehaviour.
9. Remediation

Name server operators are generally expected to test their own

skipping to change at page 23, line 22 (draft-10) / line 20 (draft-11)
This should only be done as a last resort and with due consideration,
as removal of a delegation can have unanticipated side effects. For
example, other parts of the DNS tree may depend on names below the
removed zone cut, and the parent operator may find themselves
responsible for causing new DNS failures to occur.
10. Security Considerations

draft-10:
Testing protocol compliance can potentially result in false reports
of attempts to break services from Intrusion Detection Services and
firewalls. None of the tests listed above should break nominally
EDNS compliant servers. None of the tests above should break non
EDNS servers. All the tests above are well formed, though not
necessarily common, DNS queries.

draft-11:
Testing protocol compliance can potentially result in false reports
of attempts to break services from Intrusion Detection Services and
firewalls. All of the tests are well formed (though not necessarily
common) DNS queries. None of the tests listed above should cause any
harm to a protocol-compliant server.

Relaxing firewall settings to ensure EDNS compliance could
potentially expose a critical implementation flaw in the nameserver.
Nameservers should be tested for conformance before relaxing firewall
settings.

When removing delegations for non-compliant servers there can be a
knock-on effect on other zones that require these zones to be
operational for the nameservers' addresses to be resolved.