draft-ietf-dnsop-no-response-issue-15.txt -> draft-ietf-dnsop-no-response-issue-16.txt
(rfcdiff view; the text below follows draft-16, with unchanged passages skipped)

Network Working Group                                         M. Andrews
Internet-Draft                                                 R. Bellis
Intended status: Best Current Practice                               ISC
Expires: September 9, 2020                                 March 8, 2020

   A Common Operational Problem in DNS Servers - Failure To Communicate.
                   draft-ietf-dnsop-no-response-issue-16

Abstract

   The DNS is a query / response protocol.  Failing to respond to
   queries, or responding incorrectly, causes both immediate operational
   problems and long term problems with protocol development.

   This document identifies a number of common kinds of queries to which
   some servers either fail to respond or else respond incorrectly.
   This document also suggests procedures for zone operators to apply to
skipping to change at page 2, line 38

     3.2.6.  DO=1 Handling . . . . . . . . . . . . . . . . . . . .   8
     3.2.7.  EDNS over TCP . . . . . . . . . . . . . . . . . . . .   8
   4.  Firewalls and Load Balancers  . . . . . . . . . . . . . . . .   8
   5.  Scrubbing Services  . . . . . . . . . . . . . . . . . . . . .   9
   6.  Whole Answer Caches . . . . . . . . . . . . . . . . . . . . .  10
   7.  Response Code Selection . . . . . . . . . . . . . . . . . . .  10
   8.  Testing . . . . . . . . . . . . . . . . . . . . . . . . . . .  11
     8.1.  Testing - Basic DNS . . . . . . . . . . . . . . . . . . .  11
       8.1.1.  Is The Server Configured For The Zone?  . . . . . . .  11
       8.1.2.  Testing Unknown Types . . . . . . . . . . . . . . . .  12
       8.1.3.  Testing Header Bits . . . . . . . . . . . . . . . . .  13
       8.1.4.  Testing Unknown Opcodes . . . . . . . . . . . . . . .  15
       8.1.5.  Testing TCP . . . . . . . . . . . . . . . . . . . . .  15
     8.2.  Testing - Extended DNS  . . . . . . . . . . . . . . . . .  16
       8.2.1.  Testing Minimal EDNS  . . . . . . . . . . . . . . . .  16
       8.2.2.  Testing EDNS Version Negotiation  . . . . . . . . . .  17
       8.2.3.  Testing Unknown EDNS Options  . . . . . . . . . . . .  17
       8.2.4.  Testing Unknown EDNS Flags  . . . . . . . . . . . . .  18
       8.2.5.  Testing EDNS Version Negotiation With Unknown EDNS
               Flags . . . . . . . . . . . . . . . . . . . . . . . .  18
       8.2.6.  Testing EDNS Version Negotiation With Unknown EDNS
               Options . . . . . . . . . . . . . . . . . . . . . . .  19
       8.2.7.  Testing Truncated Responses . . . . . . . . . . . . .  20
       8.2.8.  Testing DO=1 Handling . . . . . . . . . . . . . . . .  20
       8.2.9.  Testing EDNS Version Negotiation With DO=1  . . . . .  21
       8.2.10. Testing With Multiple Defined EDNS Options  . . . . .  22
     8.3.  When EDNS Is Not Supported  . . . . . . . . . . . . . . .  22
   9.  Remediation . . . . . . . . . . . . . . . . . . . . . . . . .  22
   10. Security Considerations . . . . . . . . . . . . . . . . . . .  24
   11. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  24
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .  24
     12.1.  Normative References . . . . . . . . . . . . . . . . . .  24
     12.2.  Informative References . . . . . . . . . . . . . . . . .  25
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  25
1.  Introduction

   The DNS [RFC1034], [RFC1035] is a query / response protocol.  Failing
   to respond to queries, or responding incorrectly, causes both

skipping to change at page 5, line 47
   If a zone is delegated to a server, that server should respond to an
   SOA query for that zone with an SOA record.  Failing to respond at
   all is always incorrect, regardless of the configuration of the
   server.  Responding with anything other than an SOA record in the
   Answer section indicates a bad delegation.

3.1.2.  Unknown / Unsupported Type Queries

   Some servers fail to respond to unknown or unsupported types.  If a
   server receives a query for a type that it doesn't recognise, or
   doesn't implement, it is expected to return the appropriate response
   as if it did recognise the type but does not have any data for that
   type: either NOERROR, or NXDOMAIN.  The exception to this is queries
   for Meta-RR types, which may return NOTIMP.

3.1.3.  DNS Flags

   Some servers fail to respond to DNS queries with various DNS flags
   set, regardless of whether they are defined or still reserved.  At
   the time of writing there are servers that fail to respond to queries
   with the AD bit set to 1 and servers that fail to respond to queries
   with the last reserved flag bit set.

   Servers should respond to such queries.  If the server does not know
   the meaning of a flag bit it must not copy it to the response
   [RFC1035] Section 4.1.1.  If the server does not understand the
   meaning of a request it should reply with a FORMERR response with
   unknown flags set to zero.

3.1.3.1.  Recursive Queries

   A non-recursive server is supposed to respond to recursive queries as
   if the RD bit is not set [RFC1034].

3.1.4.  Unknown DNS opcodes

   The use of previously undefined opcodes is to be expected.  Since the
   DNS was first defined two new opcodes have been added, UPDATE and
   NOTIFY.

skipping to change at page 6, line 45
3.1.5.  TCP Queries

   All DNS servers are supposed to respond to queries over TCP
   [RFC7766].  While firewalls should not block TCP connection attempts,
   if they do they should cleanly terminate the connection by sending
   TCP RESET or sending ICMP/ICMPv6 Administratively Prohibited
   messages.  Dropping TCP connections introduces excessive delays to
   the resolution process.

3.2.  EDNS Queries

   EDNS queries are specified in [RFC6891].

3.2.1.  EDNS Queries - Version Independent

   Identifying servers that fail to respond to EDNS queries can be done
   by first confirming that the server responds to regular DNS queries,
   followed by a series of otherwise identical queries using EDNS, then
   making the original query again.  A series of EDNS queries is needed

skipping to change at page 7, line 35
3.2.2.  EDNS Queries - Version Specific

   Some servers respond correctly to EDNS version 0 queries but fail to
   respond to EDNS queries with version numbers that are higher than
   zero.  Servers should respond with BADVERS to EDNS queries with
   version numbers that they do not support.

   Some servers respond correctly to EDNS version 0 queries but fail to
   set QR=1 when responding to EDNS versions they do not support.  Such
   responses may be discarded as invalid (as QR is not 1) or treated as
   requests (when the source port of the original request was port 53).

3.2.3.  EDNS Options

   Some servers fail to respond to EDNS queries with EDNS options set.
   The original EDNS specification left this behaviour undefined
   [RFC2671], but the correct behaviour was clarified in [RFC6891].
   Unknown EDNS options are supposed to be ignored by the server.

3.2.4.  EDNS Flags

   Some servers fail to respond to EDNS queries with EDNS flags set.
   Servers should ignore EDNS flags they do not understand and must not
   add them to the response [RFC6891].

3.2.5.  Truncated EDNS Responses

   Some EDNS aware servers fail to include an OPT record when a
   truncated response is sent.  An OPT record is supposed to be included
   in a truncated response [RFC6891].

   Some EDNS aware servers fail to honour the advertised EDNS UDP buffer
   size and send over-sized responses [RFC6891].  Servers must send UDP
   responses no larger than the advertised EDNS UDP buffer size.

3.2.6.  DO=1 Handling

   Some nameservers incorrectly only return an EDNS response when the DO
   bit [RFC3225] is 1 in the query.  Servers that support EDNS should
   always respond to EDNS requests with EDNS responses.

   Some nameservers fail to copy the DO bit to the response despite
   clearly supporting DNSSEC by returning RRSIG records to EDNS queries
   with DO=1.

3.2.7.  EDNS over TCP

   Some EDNS aware servers incorrectly limit the TCP response sizes to
   the advertised UDP response size.  This breaks DNS resolution to
   clients where the response sizes exceed the advertised UDP response
   size despite the server and the client being capable of sending and
   receiving larger TCP responses respectively.  It effectively defeats
   setting TC=1 in UDP responses.

4.  Firewalls and Load Balancers

   Firewalls and load balancers can affect the externally visible
   behaviour of a nameserver.  Tests for conformance should be done
   from outside of any firewall so that the system is tested as a whole.

   Firewalls and load balancers should not drop DNS packets that they
   don't understand.  They should either pass the packets or generate an
   appropriate error response.

skipping to change at page 10, line 30
   exhaustive set of attributes that must be considered include: RD, AD,
   CD, OPT record, DO, EDNS buffer size, EDNS version, EDNS options, and
   transport.

7.  Response Code Selection

   Choosing the correct response code when responding to DNS queries is
   important.  Response codes should be chosen considering how clients
   will handle them.

   For unimplemented opcodes NOTIMP is the expected response code.
   Note: Newly implemented opcodes may change the message format by
   extending the header, changing the structure of the records, etc.
   Servers are not expected to be able to parse these, and should
   respond with a response code of NOTIMP rather than FORMERR (which
   would be expected if there was a parse error with a known opcode).

   For unimplemented type codes, and in the absence of other errors, the
   only valid response is NoError if the qname exists, and NameError
   (NXDOMAIN) otherwise.  For Meta-RRs NOTIMP may be returned instead.

   If a zone cannot be loaded because it contains unimplemented type
   codes that are not encoded as unknown record types according to
   [RFC3597] then the expected response is SERVFAIL as the whole zone
   should be rejected Section 5.2 [RFC1035].  If a zone loads then
   Section 4.3.2 [RFC1034] applies.
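   The rules in Sections 3.1.2 through 3.2.7 and in this section
   describe, piece by piece, how a conformant authoritative server
   chooses its response header and OPT record.  The following Python
   model pulls them together in one place.  It is an added example
   written for this page, not code from the draft, from ISC or from any
   named implementation; the toy zone, the decision to treat the
   IXFR/AXFR/ANY meta types as unimplemented, the 4096-octet advertised
   buffer size, and the policy of emptying the answer section when
   truncating are all assumptions made here for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Code points from RFC 1035, RFC 6891 (BADVERS, OPT), RFC 3225 (DO) and RFC 6895 (meta types).
OPCODE_QUERY = 0
NOERROR, NXDOMAIN, NOTIMP = 0, 3, 4
BADVERS = 16                     # 12-bit extended rcode: header rcode 0 + EXTENDED-RCODE 1
EDNS_DO = 0x8000                 # DO bit in the OPT flags field
META_QTYPES = {251, 252, 255}    # IXFR, AXFR, ANY: meta-RR codes this toy server does not implement

@dataclass
class Query:
    qname: str
    qtype: int
    opcode: int = OPCODE_QUERY
    rd: bool = False
    ad: bool = False
    cd: bool = False
    z: bool = False              # the last reserved header bit
    has_opt: bool = False        # query carried an OPT record
    edns_version: int = 0
    edns_flags: int = 0          # 16-bit OPT flags field; DO is the top bit
    udp_size: int = 512          # advertised EDNS UDP buffer size

@dataclass
class Response:
    qr: bool = True
    aa: bool = False
    tc: bool = False
    rd: bool = False
    ra: bool = False
    z: bool = False
    ad: bool = False
    cd: bool = False
    rcode: int = NOERROR         # full 12-bit rcode; see header_rcode()/ext_rcode()
    answers: list = field(default_factory=list)
    opt: Optional[dict] = None   # None means the response carries no OPT record

    def header_rcode(self) -> int:   # low 4 bits, carried in the DNS header
        return self.rcode & 0xF

    def ext_rcode(self) -> int:      # high 8 bits, carried in the OPT TTL field
        return self.rcode >> 4

def build_response(q: Query, zone: dict, dnssec: bool = True) -> Response:
    """Header and OPT selection for an authoritative, non-recursive, EDNS version 0
    server.  `zone` maps owner name -> {rrtype: [rdata, ...]} (constructed toy data)."""
    r = Response()
    # Section 3.1.3: always answer; the reserved bit is never copied (RFC 1035 4.1.1);
    # CD is echoed only by a DNSSEC-aware server (8.1.3.1); AD is not reflected.
    r.z, r.ad, r.cd = False, False, (q.cd and dnssec)
    # Section 3.1.3.1: answer as if RD were clear, but keep the RD bit (8.1.3.4 expects it).
    r.rd, r.ra = q.rd, False
    # Sections 3.2.2, 3.2.4, 3.2.6: every EDNS query gets an OPT record whatever DO says;
    # unknown EDNS flags are dropped; DO is copied back only if DNSSEC is supported;
    # an unsupported version gets BADVERS with version 0 and no data.
    if q.has_opt:
        r.opt = {"version": 0, "flags": (q.edns_flags & EDNS_DO) if dnssec else 0, "udp_size": 4096}
        if q.edns_version != 0:
            r.rcode = BADVERS
            return r
    # Sections 3.1.4 and 7: an unimplemented opcode gets NOTIMP with empty sections
    # and no AA, never FORMERR.
    if q.opcode != OPCODE_QUERY:
        r.rcode = NOTIMP
        return r
    # Sections 3.1.2 and 7: an unknown type looks exactly like "no data of that type".
    if q.qtype in META_QTYPES:
        r.rcode = NOTIMP             # permitted for unimplemented meta-RR types
        return r
    r.aa = True
    if q.qname not in zone:
        r.rcode = NXDOMAIN
    else:
        r.answers = [(q.qtype, rdata) for rdata in zone[q.qname].get(q.qtype, [])]
    return r

def apply_transport_limit(r: Response, q: Query, payload_size: int, tcp: bool) -> Response:
    """Sections 3.2.5 and 3.2.7: a UDP reply may not exceed the advertised EDNS buffer
    size (512 octets without EDNS) and is truncated with TC=1, keeping its OPT record;
    TCP replies are never capped at the UDP size."""
    limit = 65535 if tcp else (q.udp_size if q.has_opt else 512)
    if payload_size > limit:
        r.tc = True
        r.answers = []               # constructed policy: send header + OPT only when truncating
    return r
```

   The model keeps the full 12-bit rcode in one field and splits it
   only when the header and OPT TTL are written, which is where many of
   the BADVERS and QR=1 mistakes in Section 3.2.2 originate: the header
   rcode of BADVERS is 0, so a server that forgets the OPT record also
   loses the error.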
skipping to change at page 11, line 41
   This first set of tests covers basic DNS server behaviour and all
   servers should pass these tests.

8.1.1.  Is The Server Configured For The Zone?

   Ask for the SOA record of the configured zone.  This query is made
   with no DNS flag bits set and without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header; RA may also be set [RFC1034].  We do not expect an
   OPT record to be returned [RFC6891].

   Verify the server is configured for the zone:

      dig +noedns +noad +norec soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: flag: aa to be present
      expect: flag: rd to NOT be present
      expect: flag: ad to NOT be present

skipping to change at page 12, line 36

   faulty.  The test should be repeated a number of times to eliminate
   the likelihood of a false positive due to packet loss.

   Ask for the TYPE1000 RRset at the configured zone's name.  This query
   is made with no DNS flag bits set and without EDNS.  TYPE1000 has
   been chosen for this purpose as IANA is unlikely to allocate this
   type in the near future and it is not in a range reserved for private
   use [RFC6895].  Any unallocated type code could be chosen for this
   test.

   We expect no records to be returned in the answer section, the rcode
   to be set to NOERROR, and the AA and QR bits to be set in the header;
   RA may also be set [RFC1034].  We do not expect an OPT record to be
   returned [RFC6891].

   Check that queries for an unknown type work:

      dig +noedns +noad +norec type1000 $zone @$server

      expect: status: NOERROR
      expect: an empty answer section.
      expect: flag: aa to be present
      expect: flag: rd to NOT be present
      expect: flag: ad to NOT be present

skipping to change at page 13, line 14

8.1.3.  Testing Header Bits

8.1.3.1.  Testing CD=1 Queries

   Ask for the SOA record of the configured zone.  This query is made
   with only the CD DNS flag bit set, all other DNS bits clear, and
   without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header.  We do not expect an OPT record to be returned.
   If the server supports DNSSEC, CD should be set in the response
   [RFC4035] otherwise CD should be clear [RFC1034].

   Check that queries with CD=1 work:

      dig +noedns +noad +norec +cd soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section

skipping to change at page 13, line 38

      expect: flag: ad to NOT be present
      expect: the OPT record to NOT be present

8.1.3.2.  Testing AD=1 Queries

   Ask for the SOA record of the configured zone.  This query is made
   with only the AD DNS flag bit set and all other DNS bits clear and
   without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header.  We do not expect an OPT record to be returned.
   The purpose of this query is to detect blocking of queries with the
   AD bit present, not the specific value of AD in the response.

   Check that queries with AD=1 work:

      dig +noedns +norec +ad soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: flag: aa to be present

skipping to change at page 14, line 24

   AD use in queries is defined in [RFC6840].

8.1.3.3.  Testing Reserved Bit

   Ask for the SOA record of the configured zone.  This query is made
   with only the final reserved DNS flag bit set and all other DNS bits
   clear and without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header; RA may be set.  The final reserved bit must not be
   set [RFC1034].  We do not expect an OPT record to be returned
   [RFC6891].

   Check that queries with the last unassigned DNS header flag work and
   that the flag bit is not copied to the response:

      dig +noedns +noad +norec +zflag soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: MBZ to NOT be in the response (see below)

skipping to change at page 14, line 52
   MBZ (Must Be Zero) is a dig-specific indication that the flag bit has
   been incorrectly copied.  See Section 4.1.1, [RFC1035] "Z Reserved
   for future use.  Must be zero in all queries and responses."

8.1.3.4.  Testing Recursive Queries

   Ask for the SOA record of the configured zone.  This query is made
   with only the RD DNS flag bit set and without EDNS.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA, QR and RD bits
   to be set in the header; RA may also be set [RFC1034].  We do not
   expect an OPT record to be returned [RFC6891].

   Check that recursive queries work:

      dig +noedns +noad +rec soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: flag: aa to be present
      expect: flag: rd to be present

skipping to change at page 15, line 38

      expect: status: NOTIMP
      expect: opcode: 15
      expect: all sections to be empty
      expect: flag: aa to NOT be present
      expect: flag: rd to NOT be present
      expect: flag: ad to NOT be present
      expect: the OPT record to NOT be present

8.1.5.  Testing TCP

   Whether a server accepts TCP connections can be tested by first
   checking that it responds to UDP queries to confirm that it is up and
   operating, then attempting the same query over TCP.  An additional
   query should be made over UDP if the TCP connection attempt fails to
   confirm that the server under test is still operating.

   Ask for the SOA record of the configured zone.  This query is made
   with no DNS flag bits set and without EDNS.  This query is to be sent
   using TCP.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header; RA may also be set [RFC1034].  We do not expect an
   OPT record to be returned [RFC6891].

   Check that TCP queries work:

      dig +noedns +noad +norec +tcp soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section
      expect: flag: aa to be present
      expect: flag: rd to NOT be present
      expect: flag: ad to NOT be present

skipping to change at page 16, line 33

   but fail to handle plain EDNS queries correctly so a plain EDNS query
   is not a good indicator of lack of EDNS support.

8.2.1.  Testing Minimal EDNS

   Ask for the SOA record of the configured zone.  This query is made
   with no DNS flag bits set.  EDNS version 0 is used without any EDNS
   options or EDNS flags set.

   We expect the SOA record for the zone to be returned in the answer
   section, the rcode to be set to NOERROR, and the AA and QR bits to be
   set in the header; RA may also be set [RFC1034].  We expect an OPT
   record to be returned.  There should be no EDNS flags present in the
   response.  The EDNS version field should be 0 and there should be no
   EDNS options present [RFC6891].

   Check that plain EDNS queries work:

      dig +nocookie +edns=0 +noad +norec soa $zone @$server

      expect: status: NOERROR
      expect: the SOA record to be present in the answer section

skipping to change at page 17, line 13

   enabled by default in BIND 9.11.0 (and later).

8.2.2.  Testing EDNS Version Negotiation

   Ask for the SOA record of a zone the server is nominally configured
   to serve.  This query is made with no DNS flag bits set.  EDNS
   version 1 is used without any EDNS options or EDNS flags set.

   We expect the SOA record for the zone to NOT be returned in the
   answer section with the extended rcode set to BADVERS and the QR bit
   to be set in the header; RA may also be set [RFC1034].  We expect an
   OPT record to be returned.  There should be no EDNS flags present in
   the response.  The EDNS version field should be 0 in the response as
   no other EDNS version has as yet been specified [RFC6891].

   Check that EDNS version 1 queries work (EDNS supported):

      dig +nocookie +edns=1 +noednsneg +noad +norec soa $zone @$server

      expect: status: BADVERS
      expect: the SOA record to NOT be present in the answer section
      expect: an OPT record to be present in the additional section
      expect: EDNS Version 0 in response
expect: flag: aa to NOT be present expect: flag: aa to NOT be present
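Review bot: the first expectation sentence of 8.2.2 still uses the old "answer section with the extended rcode set to BADVERS and the QR bit to be set in the header" construction, whereas 8.2.1 was rewritten into the comma-separated form ("answer section, the rcode to be set to NOERROR, and ..."); apply the same form here ("answer section, the extended rcode to be set to BADVERS, and the QR bit to be set in the header; RA may also be set") so the two sections read alike.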
skipping to change at page 17, line 29 skipping to change at page 17, line 42
8.2.3. Testing Unknown EDNS Options 8.2.3. Testing Unknown EDNS Options
Ask for the SOA record of the configured zone. This query is made Ask for the SOA record of the configured zone. This query is made
with no DNS flag bits set. EDNS version 0 is used without any EDNS with no DNS flag bits set. EDNS version 0 is used without any EDNS
flags. An EDNS option is present with a value that has not yet been flags. An EDNS option is present with a value that has not yet been
assigned by IANA. We have picked an unassigned code of 100 for the assigned by IANA. We have picked an unassigned code of 100 for the
example below. Any unassigned EDNS option code could have been example below. Any unassigned EDNS option code could have been
choosen for this test. choosen for this test.
We expect the SOA record for the zone to be returned in the answer We expect the SOA record for the zone to be returned in the answer
section with the rcode set to NOERROR and the AA and QR bits to be section, the rcode to be set to NOERROR, and the AA and QR bits to be
set in the response; RA may also be set [RFC1034]. We expect an OPT set in the header; RA may also be set [RFC1034]. We expect an OPT
record to be returned. There should be no EDNS flags present in the record to be returned. There should be no EDNS flags present in the
response. The EDNS version field should be 0 as EDNS versions other response. The EDNS version field should be 0 as EDNS versions other
than 0 are yet to be specified and there should be no EDNS options than 0 are yet to be specified and there should be no EDNS options
present as unknown EDNS options are supposed to be ignored by the present as unknown EDNS options are supposed to be ignored by the
server [RFC6891] Section 6.1.2. server [RFC6891] Section 6.1.2.
Check that EDNS queries with an unknown option work (EDNS supported): Check that EDNS queries with an unknown option work (EDNS supported):
dig +nocookie +edns=0 +noad +norec +ednsopt=100 soa $zone @$server dig +nocookie +edns=0 +noad +norec +ednsopt=100 soa $zone @$server
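Review bot: the typo "choosen" in the query description of 8.2.3 survives in both columns; it should be "chosen", as 8.2.6 already spells it. While touching that paragraph, the sentence "We have picked an unassigned code of 100 for the example below" is repeated verbatim in 8.2.6 and could be stated once with a back-reference.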
skipping to change at page 18, line 12 skipping to change at page 18, line 24
expect: flag: aa to be present expect: flag: aa to be present
expect: flag: ad to NOT be present expect: flag: ad to NOT be present
8.2.4. Testing Unknown EDNS Flags 8.2.4. Testing Unknown EDNS Flags
Ask for the SOA record of the configured zone. This query is made Ask for the SOA record of the configured zone. This query is made
with no DNS flag bits set. EDNS version 0 is used without any EDNS with no DNS flag bits set. EDNS version 0 is used without any EDNS
options. An unassigned EDNS flag bit is set (0x40 in this case). options. An unassigned EDNS flag bit is set (0x40 in this case).
We expect the SOA record for the zone to be returned in the answer We expect the SOA record for the zone to be returned in the answer
section with the rcode set to NOERROR and the AA and QR bits to be section, the rcode to be set to NOERROR, and the AA and QR bits to be
set in the response; RA may also be set [RFC1034]. We expect an OPT set in the header; RA may also be set [RFC1034]. We expect an OPT
record to be returned. There should be no EDNS flags present in the record to be returned. There should be no EDNS flags present in the
response as unknown EDNS flags are supposed to be ignored. The EDNS response as unknown EDNS flags are supposed to be ignored. The EDNS
version field should be 0 and there should be no EDNS options present version field should be 0 and there should be no EDNS options present
[RFC6891]. [RFC6891].
Check that EDNS queries with unknown flags work (EDNS supported): Check that EDNS queries with unknown flags work (EDNS supported):
dig +nocookie +edns=0 +noad +norec +ednsflags=0x40 soa $zone @$server dig +nocookie +edns=0 +noad +norec +ednsflags=0x40 soa $zone @$server
expect: status: NOERROR expect: status: NOERROR
skipping to change at page 18, line 42 skipping to change at page 19, line 7
been incorrectly copied as per Section 6.1.4, [RFC6891]. been incorrectly copied as per Section 6.1.4, [RFC6891].
8.2.5. Testing EDNS Version Negotiation With Unknown EDNS Flags 8.2.5. Testing EDNS Version Negotiation With Unknown EDNS Flags
Ask for the SOA record of the configured zone. This query is made Ask for the SOA record of the configured zone. This query is made
with no DNS flag bits set. EDNS version 1 is used without any EDNS with no DNS flag bits set. EDNS version 1 is used without any EDNS
options. An unassigned EDNS flag bit is set (0x40 in this case). options. An unassigned EDNS flag bit is set (0x40 in this case).
We expect the SOA record for the zone to NOT be returned in the We expect the SOA record for the zone to NOT be returned in the
answer section with the extended rcode set to BADVERS and the QR bit answer section with the extended rcode set to BADVERS and the QR bit
to be set in the response; RA may also be set [RFC1034]. We expect to be set in the header; RA may also be set [RFC1034]. We expect an
an OPT record to be returned. There should be no EDNS flags present OPT record to be returned. There should be no EDNS flags present in
in the response as unknown EDNS flags are supposed to be ignored. the response as unknown EDNS flags are supposed to be ignored. The
The EDNS version field should be 0 as EDNS versions other than 0 are EDNS version field should be 0 as EDNS versions other than 0 are yet
yet to be specified and there should be no EDNS options present to be specified and there should be no EDNS options present
[RFC6891]. [RFC6891].
Check that EDNS version 1 queries with unknown flags work (EDNS Check that EDNS version 1 queries with unknown flags work (EDNS
supported): supported):
dig +nocookie +edns=1 +noednsneg +noad +norec +ednsflags=0x40 soa \ dig +nocookie +edns=1 +noednsneg +noad +norec +ednsflags=0x40 soa \
$zone @$server $zone @$server
expect: status: BADVERS expect: status: BADVERS
expect: SOA record to NOT be present expect: SOA record to NOT be present
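Review bot: the expect line "SOA record to NOT be present" in 8.2.5 uses shorter wording than the equivalent line in 8.2.2 ("the SOA record to NOT be present in the answer section"); the checks are the same, so use one phrasing throughout, preferably the longer one, since it names the section being inspected.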
skipping to change at page 19, line 29 skipping to change at page 19, line 38
8.2.6. Testing EDNS Version Negotiation With Unknown EDNS Options 8.2.6. Testing EDNS Version Negotiation With Unknown EDNS Options
Ask for the SOA record of the configured zone. This query is made Ask for the SOA record of the configured zone. This query is made
with no DNS flag bits set. EDNS version 1 is used. An unknown EDNS with no DNS flag bits set. EDNS version 1 is used. An unknown EDNS
option is present. We have picked an unassigned code of 100 for the option is present. We have picked an unassigned code of 100 for the
example below. Any unassigned EDNS option code could have been example below. Any unassigned EDNS option code could have been
chosen for this test. chosen for this test.
We expect the SOA record for the zone to NOT be returned in the We expect the SOA record for the zone to NOT be returned in the
answer section with the extended rcode set to BADVERS and the QR bit answer section with the extended rcode set to BADVERS and the QR bit
to be set in the response; RA may also be set [RFC1034]. We expect to be set in the header; RA may also be set [RFC1034]. We expect an
an OPT record to be returned. There should be no EDNS flags present OPT record to be returned. There should be no EDNS flags present in
in the response. The EDNS version field should be 0 as EDNS versions the response. The EDNS version field should be 0 as EDNS versions
other than 0 are yet to be specified and there should be no EDNS other than 0 are yet to be specified and there should be no EDNS
options present [RFC6891]. options present [RFC6891].
Check that EDNS version 1 queries with unknown options work (EDNS Check that EDNS version 1 queries with unknown options work (EDNS
supported): supported):
dig +nocookie +edns=1 +noednsneg +noad +norec +ednsopt=100 soa \ dig +nocookie +edns=1 +noednsneg +noad +norec +ednsopt=100 soa \
$zone @$server $zone @$server
expect: status: BADVERS expect: status: BADVERS
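Review bot: the query description of 8.2.6 says only "EDNS version 1 is used. An unknown EDNS option is present." and, unlike 8.2.3 and 8.2.5, does not state that no EDNS flags are set, so the flag state of this test is left unspecified in prose even though the dig command sets none; add "without any EDNS flags" to match the sibling sections.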
skipping to change at page 20, line 15 skipping to change at page 20, line 29
8.2.7. Testing Truncated Responses 8.2.7. Testing Truncated Responses
Ask for the DNSKEY records of the configured zone, which must be a Ask for the DNSKEY records of the configured zone, which must be a
DNSSEC signed zone. This query is made with no DNS flag bits set. DNSSEC signed zone. This query is made with no DNS flag bits set.
EDNS version 0 is used without any EDNS options. The only EDNS flag EDNS version 0 is used without any EDNS options. The only EDNS flag
set is DO. The EDNS UDP buffer size is set to 512. The intention of set is DO. The EDNS UDP buffer size is set to 512. The intention of
this query is to elicit a truncated response from the server. Most this query is to elicit a truncated response from the server. Most
signed DNSKEY responses are bigger than 512 bytes. This test will signed DNSKEY responses are bigger than 512 bytes. This test will
not give a valid result if the zone is not signed. not give a valid result if the zone is not signed.
We expect a response with the rcode set to NOERROR and the AA and QR We expect a response, the rcode to be set to NOERROR, and the AA and
bits to be set, AD may be set in the response if the server supports QR bits to be set, AD may be set in the response if the server
DNSSEC otherwise it should be clear; TC and RA may also be set supports DNSSEC otherwise it should be clear; TC and RA may also be
[RFC1035] [RFC4035]. We expect an OPT record to be present in the set [RFC1035] [RFC4035]. We expect an OPT record to be present in
response. There should be no EDNS flags other than DO present in the the response. There should be no EDNS flags other than DO present in
response. The EDNS version field should be 0 and there should be no the response. The EDNS version field should be 0 and there should be
EDNS options present [RFC6891]. no EDNS options present [RFC6891].
If TC is not set it is not possible to confirm that the server If TC is not set it is not possible to confirm that the server
correctly adds the OPT record to the truncated responses or not. correctly adds the OPT record to the truncated responses or not.
dig +norec +dnssec +bufsize=512 +ignore dnskey $zone @$server dig +norec +dnssec +bufsize=512 +ignore dnskey $zone @$server
expect: NOERROR expect: NOERROR
expect: OPT record with version set to 0 expect: OPT record with version set to 0
8.2.8. Testing DO=1 Handling 8.2.8. Testing DO=1 Handling
Ask for the SOA record of the configured zone, which does not need to Ask for the SOA record of the configured zone, which does not need to
be DNSSEC signed. This query is made with no DNS flag bits set. be DNSSEC signed. This query is made with no DNS flag bits set.
EDNS version 0 is used without any EDNS options. The only EDNS flag EDNS version 0 is used without any EDNS options. The only EDNS flag
set is DO. set is DO.
We expect the SOA record for the zone to be returned in the answer We expect the SOA record for the zone to be returned in the answer
section with the rcode set to NOERROR and the AA and QR bits to be section, the rcode to be set to NOERROR, and the AA and QR bits to be
set in the response, AD may be set in the response if the server set in the response, AD may be set in the response if the server
supports DNSSEC otherwise it should be clear; RA may also be set supports DNSSEC otherwise it should be clear; RA may also be set
[RFC1034]. We expect an OPT record to be returned. There should be [RFC1034]. We expect an OPT record to be returned. There should be
no EDNS flags other than DO present in the response which should be no EDNS flags other than DO present in the response which should be
present if the server supports DNSSEC. The EDNS version field should present if the server supports DNSSEC. The EDNS version field should
be 0 and there should be no EDNS options present [RFC6891]. be 0 and there should be no EDNS options present [RFC6891].
Check that DO=1 queries work (EDNS supported): Check that DO=1 queries work (EDNS supported):
dig +nocookie +edns=0 +noad +norec +dnssec soa $zone @$server dig +nocookie +edns=0 +noad +norec +dnssec soa $zone @$server
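Review bot: the new wording of the 8.2.7 expectation ("We expect a response, the rcode to be set to NOERROR, and the AA and QR bits to be set, AD may be set ...") is a comma splice; the list pattern used elsewhere was applied to a sentence that has no "answer section" clause, so keep the old form here ("We expect a response with the rcode set to NOERROR and the AA and QR bits set; AD may be set ..."). Two consistency points in the same hunk: the 8.2.7 dig command omits the +nocookie and +noad options that every other test uses to realise the stated "no DNS flag bits set" and "without any EDNS options" query (the context line above 8.2.2 notes cookies are on by default in BIND 9.11.0 and later), and the 8.2.8 paragraph still says the AA and QR bits are "set in the response" where the other sections were changed to "in the header".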
skipping to change at page 21, line 24 skipping to change at page 21, line 30
expect: flag: aa to be present expect: flag: aa to be present
8.2.9. Testing EDNS Version Negotiation With DO=1 8.2.9. Testing EDNS Version Negotiation With DO=1
Ask for the SOA record of the configured zone, which does not need to Ask for the SOA record of the configured zone, which does not need to
be DNSSEC signed. This query is made with no DNS flag bits set. be DNSSEC signed. This query is made with no DNS flag bits set.
EDNS version 1 is used without any EDNS options. The only EDNS flag EDNS version 1 is used without any EDNS options. The only EDNS flag
set is DO. set is DO.
We expect the SOA record for the zone to NOT be returned in the We expect the SOA record for the zone to NOT be returned in the
answer section with the rcode set to BADVERS; the QR bit and possibly answer section, the rcode to be set to NOERROR, ; the QR bit and
the RA bit to be set [RFC1034]. We expect an OPT record to be possibly the RA bit to be set [RFC1034]. We expect an OPT record to
returned. There should be no EDNS flags other than DO present in the be returned. There should be no EDNS flags other than DO present in
response which should be there if the server supports DNSSEC. The the response which should be there if the server supports DNSSEC.
EDNS version field should be 0 and there should be no EDNS options The EDNS version field should be 0 and there should be no EDNS
present [RFC6891]. options present [RFC6891].
Check that EDNS version 1, DO=1 queries work (EDNS supported): Check that EDNS version 1, DO=1 queries work (EDNS supported):
dig +nocookie +edns=1 +noednsneg +noad +norec +dnssec soa \ dig +nocookie +edns=1 +noednsneg +noad +norec +dnssec soa \
$zone @$server $zone @$server
expect: status: BADVERS expect: status: BADVERS
expect: SOA record to NOT be present expect: SOA record to NOT be present
expect: an OPT record to be present in the additional section expect: an OPT record to be present in the additional section
expect: DO=1 to be present if the EDNS version 0 DNSSEC query test expect: DO=1 to be present if the EDNS version 0 DNSSEC query test
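Review bot: the 8.2.9 edit changes "answer section with the rcode set to BADVERS; the QR bit and possibly the RA bit to be set" into "answer section, the rcode to be set to NOERROR, ; the QR bit and possibly the RA bit to be set", which contradicts the "expect: status: BADVERS" line in the same section and the parallel version-1 tests in 8.2.5 and 8.2.6, and leaves a stray ", ;". It should read "answer section, the extended rcode to be set to BADVERS, and the QR bit and possibly the RA bit to be set [RFC1034]".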
skipping to change at page 21, line 52 skipping to change at page 22, line 13
expect: flag: aa to NOT be present expect: flag: aa to NOT be present
8.2.10. Testing With Multiple Defined EDNS Options 8.2.10. Testing With Multiple Defined EDNS Options
Ask for the SOA record of the configured zone. This query is made Ask for the SOA record of the configured zone. This query is made
with no DNS flag bits set. EDNS version 0 is used. A number of with no DNS flag bits set. EDNS version 0 is used. A number of
defined EDNS options are present (NSID [RFC5001], DNS COOKIE defined EDNS options are present (NSID [RFC5001], DNS COOKIE
[RFC7873], EDNS Client Subnet [RFC7871] and EDNS Expire [RFC7314]). [RFC7873], EDNS Client Subnet [RFC7871] and EDNS Expire [RFC7314]).
We expect the SOA record for the zone to be returned in the answer We expect the SOA record for the zone to be returned in the answer
section with the rcode set to NOERROR and the AA and QR bits to be section, the rcode to be set to NOERROR, and the AA and QR bits to be
set in the response; RA may also be set [RFC1034]. We expect an OPT set in the header; RA may also be set [RFC1034]. We expect an OPT
record to be returned. There should be no EDNS flags present in the record to be returned. There should be no EDNS flags present in the
response. The EDNS version field should be 0. Any of the requested response. The EDNS version field should be 0. Any of the requested
EDNS options supported by the server and permitted server EDNS options supported by the server and permitted server
configuration may be returned [RFC6891]. configuration may be returned [RFC6891].
Check that EDNS queries with multiple defined EDNS options work: Check that EDNS queries with multiple defined EDNS options work:
dig +edns=0 +noad +norec +cookie +nsid +expire +subnet=0.0.0.0/0 \ dig +edns=0 +noad +norec +cookie +nsid +expire +subnet=0.0.0.0/0 \
soa $zone @$server soa $zone @$server
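Review bot: "Any of the requested EDNS options supported by the server and permitted server configuration may be returned" in 8.2.10 is missing a word; write "permitted by server configuration". The dig command is correctly the one test that does not pass +nocookie, since DNS COOKIE is one of the options deliberately included.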
 End of changes. 34 change blocks. 
81 lines changed or deleted 100 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/