Re: [DNSOP] RFC 6891 Clarification (EDNS=1 and higher behaviour)

Mark Andrews <marka@isc.org> Mon, 15 September 2014 23:53 UTC

To: Ondřej Surý <ondrej.sury@nic.cz>
From: Mark Andrews <marka@isc.org>
References: <160445486.13485.1410793741990.JavaMail.zimbra@nic.cz>
In-reply-to: Your message of "Mon, 15 Sep 2014 17:09:01 +0200." <160445486.13485.1410793741990.JavaMail.zimbra@nic.cz>
Date: Tue, 16 Sep 2014 09:52:57 +1000
Message-Id: <20140915235257.2EBBA1F73BF5@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/9vY474Jd8aLo-v7AYpKkEcK7HaM
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] RFC 6891 Clarification (EDNS=1 and higher behaviour)

In message <160445486.13485.1410793741990.JavaMail.zimbra@nic.cz>, Ondřej Surý writes:
> Hey all,
> 
> we have received a notice that Knot DNS adds an
> answer in case the EDNS=1 (and higher) in the
> response where RCODE=BADVERS (and OPT EDNS=0).
> 
> The RFC 6891 doesn't forbid such behaviour:
> 
>       If a responder does not implement the VERSION level of the
>       request, then it MUST respond with RCODE=BADVERS.  All responses
>       MUST be limited in format to the VERSION level of the request, but
>       the VERSION of each response SHOULD be the highest implementation
>       level of the responder.  In this way, a requestor will learn the
>       implementation level of a responder as a side effect of every
>       response, including error responses and including RCODE=BADVERS.
> 
> And in fact we think this might be a more
> forward compatible behaviour than returning
> an empty response with RCODE=BADVERS.
> 
> (Sending it here as dnsext is concluded...)
> 
> Cheers,
> --
>  Ondřej Surý -- Chief Science Officer
>  -------------------------------------------
>  CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
>  Americka 23, 120 00 Praha 2, Czech Republic
>  mailto:ondrej.sury@nic.cz    http://nic.cz/
>  -------------------------------------------

Just setting BADVERS does not work for negative responses.  You
cannot distinguish between a NOERROR NODATA and a NXDOMAIN response
by just looking at the contents of the answer and authority sections
unless you also include the DNSSEC records.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
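The following is an added example, not code from this thread, from Knot DNS or from ISC: a toy responder that applies the RFC 6891 section 6.1.3 VERSION rule quoted above, together with the 12-bit extended RCODE arithmetic that underlies Mark's objection. It assumes a responder that implements EDNS version 0 only (`RESPONDER_MAX_VERSION`), uses a `name_exists` flag as a stand-in for the zone lookup, and builds all DNS messages locally without sending anything. Because BADVERS is extended RCODE 16 (OPT upper bits 1, header RCODE 0), the one RCODE field of a BADVERS reply has no room left to say NXDOMAIN, which is why the NODATA and NXDOMAIN cases come back indistinguishable.

```python
"""Toy EDNS(0) responder illustrating RFC 6891 section 6.1.3 and the 12-bit RCODE."""
import struct
from typing import Optional

OPT_TYPE = 41
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
RCODE_BADVERS = 16           # extended RCODE: OPT ext-RCODE 1, header RCODE 0
RESPONDER_MAX_VERSION = 0    # assumption: this toy responder implements EDNS version 0 only

FLAG_QR, FLAG_AA, FLAG_RD = 0x8000, 0x0400, 0x0100


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_opt(version: int, ext_rcode: int = 0, udp_size: int = 4096) -> bytes:
    """OPT pseudo-RR (RFC 6891 6.1.2): NAME=root, TYPE=41, CLASS=UDP payload size,
    TTL = ext-RCODE(8 bits) | VERSION(8) | DO(1) | Z(15), empty RDATA."""
    ttl = (ext_rcode << 24) | (version << 16)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)


def build_query(qname: str, qtype: int, edns_version: int, msg_id: int = 0x1234) -> bytes:
    """Constructed query: one question plus one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", msg_id, FLAG_RD, 1, 0, 0, 1)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + build_opt(edns_version)


def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past the name starting at off; a compression pointer ends a name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def find_opt(msg: bytes) -> Optional[dict]:
    """Decode the OPT RR's TTL fields, or None if the message carries no OPT."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for count in (an, ns, ar):
        for _ in range(count):
            off = _skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == OPT_TYPE:
                return {"ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF,
                        "do": bool(ttl & 0x8000), "udp_size": rclass}
    return None


def extended_rcode(msg: bytes) -> int:
    """12-bit RCODE = OPT ext-RCODE << 4 | header RCODE (RFC 6891 6.1.3)."""
    flags = struct.unpack("!H", msg[2:4])[0]
    opt = find_opt(msg)
    return ((opt["ext_rcode"] << 4) if opt else 0) | (flags & 0x000F)


def respond(query: bytes, name_exists: bool) -> bytes:
    """Toy authoritative responder. name_exists stands in for the zone lookup
    (constructed input): a found name gets NOERROR/NODATA, otherwise NXDOMAIN."""
    msg_id, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    q_end = 12
    for _ in range(qd):
        q_end = _skip_name(query, q_end) + 4
    question = query[12:q_end]
    opt = find_opt(query)

    if opt is not None and opt["version"] > RESPONDER_MAX_VERSION:
        # RFC 6891 6.1.3: MUST answer BADVERS, in the request's (version 0) format,
        # with VERSION set to the highest level we implement. BADVERS fills the whole
        # 12-bit RCODE (ext 1, header 0), so NXDOMAIN cannot be signalled alongside it.
        header = struct.pack("!HHHHHH", msg_id, FLAG_QR | (flags & FLAG_RD), qd, 0, 0, 1)
        return header + question + build_opt(RESPONDER_MAX_VERSION, ext_rcode=RCODE_BADVERS >> 4)

    rcode = RCODE_NOERROR if name_exists else RCODE_NXDOMAIN
    header = struct.pack("!HHHHHH", msg_id, FLAG_QR | FLAG_AA | (flags & FLAG_RD) | rcode,
                         qd, 0, 0, 1 if opt else 0)
    return header + question + (build_opt(RESPONDER_MAX_VERSION) if opt else b"")


if __name__ == "__main__":
    for version in (0, 1):
        for exists in (True, False):
            reply = respond(build_query("example.test.", 1, version), exists)
            print(f"EDNS={version} exists={exists}: RCODE={extended_rcode(reply)} "
                  f"OPT version={find_opt(reply)['version']}")
```

Running the block prints RCODE 0 and 3 for the version 0 queries but 16 for both version 1 queries: the responder's VERSION is still learned from the OPT RR, as the RFC intends, yet the negative-answer distinction is gone, exactly the gap Mark describes.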