[j-nsp] DNS Flag Day

Sander Steffann sander at steffann.nl
Fri Jan 25 06:10:55 EST 2019


Hi,

When doing some investigation for the upcoming DNS Flag Day (https://dnsflagday.net: February 1st 2019) I got some bad news from one of the service providers: they use Juniper SRX firewalls, and claim that they can't properly support EDNS because of a bug in their SRX firewalls. This seems outrageous to me. Is this just because they haven't upgraded their JunOS for years, they're running ancient DNS server software, or is there really a problem?

I didn't get any more information from them, just "it's because of Juniper". An example test can be seen here: https://ednscomp.isc.org/ednscomp/704c5b6649:

> Checking: 'computel.nl' as at 2019-01-25T11:05:00Z
> 
> computel.nl. @83.137.17.10 (ns2.computel.nl.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=timeout
> computel.nl. @2001:4038:0:17::10 (ns2.computel.nl.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=timeout
> 
> computel.nl. @83.137.20.153 (ns3.computel-standby.eu.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,nsid (ns3.computel-standby.eu)
> computel.nl. @2001:4038:0:21::153 (ns3.computel-standby.eu.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,nsid (ns3.computel-standby.eu)
> 
> computel.nl. @83.137.20.10 (ns1.computel.nl.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=timeout
> computel.nl. @2001:4038:0:20::10 (ns1.computel.nl.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=timeout

I am wondering what's going on here, and whether there is really a bug in JunOS on SRX or whether it's just "easiest to blame the firewall"...

Cheers!
Sander
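
The pattern in the ednscomp output above (edns1, edns1opt and optlist time out while plain EDNS0 queries are answered) is the signature of something in the path dropping queries that carry an EDNS version other than 0 or an unknown EDNS option, rather than the name server answering them with BADVERS as RFC 6891 requires. The following is an added stand-alone probe, not part of the original post or of ISC's ednscomp, that builds such queries from scratch with the standard library and classifies the reply. The zone computel.nl and the server addresses are taken from the post; the classification labels are a simplified approximation of ednscomp's and the sample replies in build_sample_response() are constructed, not captured. Only probe() touches the network; everything else runs offline.

```python
"""Minimal EDNS conformance probe (added example).

Sends a SOA query carrying an OPT record with a chosen EDNS version and
option list, then classifies the reply.  A compliant server answers an
EDNS version 1 query with BADVERS and version 0 in its own OPT record;
a middlebox that drops the packet shows up as "timeout".
"""
import random
import socket
import struct

OPT_TYPE = 41          # RFC 6891 OPT pseudo-RR
RCODE_BADVERS = 16     # extended RCODE 1, low nibble 0
RCODE_NAMES = {0: "noerror", 1: "formerr", 2: "servfail",
               3: "nxdomain", 4: "notimp", 5: "refused"}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=6, edns_version=0, options=(), payload=1232,
                do=False, qid=None):
    """Build a query (default SOA) with one OPT record in the additional
    section.  options: iterable of (code, data) pairs, e.g. [(3, b"")] for NSID."""
    qid = random.randrange(0x10000) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 Q, 1 AR
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                     for code, data in options)
    # OPT TTL field: extended RCODE (8) | version (8) | flags (16, DO=0x8000)
    ttl = (edns_version << 16) | (0x8000 if do else 0)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, payload, ttl, len(rdata)) + rdata
    return header + question + opt


def skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return id, full 12-bit RCODE and the OPT version (None when no OPT)."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    version, ext_rcode = None, 0
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            ext_rcode = (ttl >> 24) & 0xFF
            version = (ttl >> 16) & 0xFF
    return {"id": qid, "rcode": (ext_rcode << 4) | (flags & 0xF), "version": version}


def classify(query, response):
    """Map a reply (or None for no reply) to a short label, roughly as ednscomp does."""
    if response is None:
        return "timeout"
    r = parse_response(response)
    if r["id"] != struct.unpack("!H", query[:2])[0]:
        return "mismatch"
    if r["version"] is None:
        return "noopt"
    if r["rcode"] == RCODE_BADVERS:
        return "badvers"
    return RCODE_NAMES.get(r["rcode"], "rcode%d" % r["rcode"])


def probe(server, name, timeout=3.0, **kw):
    """Send one query over UDP/53 and classify the answer (needs network)."""
    q = build_query(name, **kw)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            resp = None
    return classify(q, resp)


def build_sample_response(query, ext_rcode=1, version=0, include_opt=True):
    """Constructed sample reply (not a capture): echoes the question and, by
    default, the BADVERS/version-0 OPT a compliant server sends to EDNS1."""
    qend = skip_name(query, 12) + 4
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 0, 0, 1 if include_opt else 0)
    ttl = (ext_rcode << 24) | (version << 16)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, 0)
    return header + query[12:qend] + (opt if include_opt else b"")


if __name__ == "__main__":
    # Reproduce the three failing ednscomp checks against one of the post's servers.
    for label, kw in [("edns1", dict(edns_version=1)),
                      ("edns1opt", dict(edns_version=1, options=[(3, b"")])),
                      ("optlist", dict(options=[(3, b""), (65001, b"")]))]:
        print(label, probe("83.137.17.10", "computel.nl", **kw))
```

The edns1 case corresponds to `dig +edns=1 +noednsneg soa computel.nl @83.137.17.10`; if that returns BADVERS but the raw probe above times out, compare packet captures on both sides of the SRX, since the difference between "BADVERS" and "timeout" is exactly what separates a non-compliant name server from a firewall that discards the query.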
