QWEST you have broken DNS servers
Yes please.
> On 13 Sep 2018, at 2:45 am, Anne P. Mitchell, Esq. <amitchell at isipp.com> wrote:
>
>
> Would you like us to send this to our Qwest/CenturyLink contact?
>
> Anne P. Mitchell,
> Attorney at Law
> GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
> Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
> Legislative Consultant
> CEO/President, Institute for Social Internet Public Policy
> Legal Counsel: The CyberGreen Institute
> Legal Counsel: The Earth Law Center
> Member, California Bar Association
> Member, Cal. Bar Cyberspace Law Committee
> Member, Colorado Cyber Committee
> Member, Board of Directors, Asilomar Microcomputer Workshop
> Ret. Professor of Law, Lincoln Law School of San Jose
> Ret. Chair, Asilomar Microcomputer Workshop
>
>
>
>>
>> I know it takes some time to upgrade DNS servers to ones that are actually
>> protocol compliant but 4+ years is ridiculous. Your servers are the only
>> ones serving the Alexa top 1M sites or the GOV zone that still return BADVERS
>> to EDNS queries with an EDNS option present. This was behaviour made up by
>> your DNS vendor. The correct response to EDNS options that are not understood
>> is to IGNORE them. This allows clients and servers to deploy support for
>> new options independently of each other.
>>
>> Additionally this is breaking DNSSEC validation of the signed zones your clients
>> have you serving. They expect you to be using EDNS compliant name servers for
>> this role which you are not. No, we are not working around this breakage in the
>> resolver.
>>
>> Mark
>>
>> % dig soa frc.gov. @208.44.130.121 +norec
>>
>> ; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 59707
>> ;; flags: qr ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; Query time: 66 msec
>> ;; SERVER: 208.44.130.121#53(208.44.130.121)
>> ;; WHEN: Tue Sep 11 06:08:41 UTC 2018
>> ;; MSG SIZE rcvd: 23
>>
>> % dig soa frc.gov. @208.44.130.121 +norec +nocookie
>>
>> ; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec +nocookie
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16876
>> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;frc.gov. IN SOA
>>
>> ;; ANSWER SECTION:
>> frc.gov. 86400 IN SOA sauthns2.qwest.net. dns-admin.qwestip.net. 2180320527 10800 3600 604800 86400
>>
>> ;; AUTHORITY SECTION:
>> frc.gov. 86400 IN NS sauthns1.qwest.net.
>> frc.gov. 86400 IN NS sauthns2.qwest.net.
>>
>> ;; Query time: 66 msec
>> ;; SERVER: 208.44.130.121#53(208.44.130.121)
>> ;; WHEN: Tue Sep 11 06:19:33 UTC 2018
>> ;; MSG SIZE rcvd: 145
>>
>> % grep ednsopt=badvers reports/alexa1m.2018-08-26T00:00:06Z | grep edns=ok | awk '{print $3}' | sort -u
>> (sauthns1.qwest.net.):
>> (sauthns2.qwest.net.):
>> % grep ednsopt=badvers reports-full/gov-full.2018-09-11T00:00:06Z | grep edns=ok | awk '{print $3}' | sort -u
>> (sauthns1.qwest.net.):
>> (sauthns2.qwest.net.):
>> %
>>
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>>
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
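
The check behind the two dig runs quoted above, as an added example that is not part of the original thread: it builds an EDNS(0) query carrying an option, recombines the 12-bit extended RCODE from the header and the OPT record, and flags BADVERS sent in reply to a version 0 query. The function names and the two reply byte strings are constructed for illustration; the bad reply is shaped like the 23-byte response in the first dig output.

```python
import struct

BADVERS = 16  # extended RCODE: upper 8 bits live in the OPT record's TTL field
OPT, COOKIE = 41, 10  # OPT RR type; DNS COOKIE option code (what dig sends by default)

def build_query(qname, qtype=6, msg_id=0x1234, option=None):
    """Non-recursive EDNS(0) query; option is an optional (code, data) pair."""
    header = struct.pack("!6H", msg_id, 0, 1, 0, 0, 1)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    rdata = b"" if option is None else struct.pack("!HH", option[0], len(option[1])) + option[1]
    # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL = ext-rcode | version | flags
    return header + question + b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, len(rdata)) + rdata

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def full_rcode(msg):
    """Return (12-bit rcode, EDNS version or None) for a DNS message."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode, version, off = flags & 0xF, None, 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            rcode |= (ttl >> 24) << 4
            version = (ttl >> 16) & 0xFF
    return rcode, version

def classify(response, query_version=0):
    """Flag BADVERS sent in reply to a query whose version the server supports."""
    rcode, version = full_rcode(response)
    if version is None:
        return "no-edns"
    if rcode == BADVERS and version >= query_version:
        return "bogus-badvers"
    return "ok" if rcode == 0 else "rcode=%d" % rcode

# Constructed 23-byte reply shaped like the first dig output: qr ad, no question, OPT only.
BAD_REPLY = struct.pack("!6H", 59707, 0x8020, 0, 0, 0, 1) + b"\x00" + struct.pack("!HHIH", OPT, 4096, 1 << 24, 0)
# Constructed conformant reply: question echoed, NOERROR, unknown option ignored.
GOOD_REPLY = struct.pack("!6H", 0x1234, 0x8400, 1, 0, 0, 1) + build_query("frc.gov.")[12:]
```

The header alone shows RCODE 0 for the bad reply; the BADVERS status only appears once the OPT record's upper bits are merged in, which is why a check that reads the 4-bit header field misses it.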