[j-nsp] DNS Flag Day

Niall Donaghy niall.donaghy at geant.org
Fri Jan 25 07:47:32 EST 2019


One of our SRXes was blocking EDNSv1, and so we disabled the DNS ALG to
resolve our issue; this might be a prudent approach depending on your
environment.
Not sure this will help the OP as the device(s) in question are outside
their administrative domain. :)

HTH,
Niall

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
Havard Eidnes
Sent: 25 January 2019 12:42
To: chs at ip4.de
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] DNS Flag Day

> What they told you sounds like bullshit to me. From 10.2 on there are 
> no special settings required. Maybe they don't know how to do it?
> 
> So I guess they are just very lazy or don't know better and blame the 
> firewall... I pray for you that they don't run code below 10.2...
>
> https://kb.juniper.net/InfoCenter/index?page=content&id=KB23569&cat=SRX_5600_1&actp=LIST

I'm guessing this isn't it.

If you inspect the error report at

  https://ednscomp.isc.org/ednscomp/704c5b6649

it's quite clear that the test probes for support for EDNS version 1, and
expects a "bad version" response, but is instead met with a DNS query
time-out, indicating that an intermediate box has blocked either the query
(most likely) or the response.

Not responding with "bad version" violates a MUST requirement of section
6.1.3 in RFC 6891, is likely to be an impediment to actually developing and
deploying EDNS version 1 (not yet standardized), and makes efficient EDNS
version support negotiation impossible.

It's conceivable this is PR1379433, "DNS requests with EDNS options might be
dropped by DNS ALG", fixed in 15.1X49-D160, 17.4R3, 18.1R3, 18.2R2, 18.3R1
and 18.4R1.

Regards,

- Håvard
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
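Added example (not part of the thread, and not the ednscomp tool itself): a small Python diagnostic that does the same thing Håvard describes, sending a query carrying an OPT record with EDNS version 1 and classifying the answer. A compliant server answers BADVERS (extended RCODE 16, RFC 6891 section 6.1.3); a UDP timeout is the symptom of a middlebox such as a DNS ALG dropping the query or the response. The server address and zone name are command-line arguments, and the two response messages used for offline checking are constructed, not captured.

```python
import socket
import struct

OPT = 41                 # RR type of the EDNS OPT pseudo-record
BADVERS = 16             # extended RCODE "Bad OPT Version", RFC 6891 section 6.1.3
EDNS_VERSION_PROBE = 1   # the version the ednscomp test sends; 0 is the only one deployed


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_edns_query(name, qtype=6, txid=0x1234, version=EDNS_VERSION_PROBE, udp_size=4096):
    """Standard RD query (default QTYPE SOA) with one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL field = ext-RCODE(8) | VERSION(8) | DO+Z(16), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", OPT, udp_size, 0, version, 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def classify_response(msg):
    """Map a raw DNS response (or None for a timeout) to a short verdict string."""
    if msg is None:
        return "timeout"                 # query or reply dropped on the path
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):                  # skip question section: name + TYPE + CLASS
        off = skip_name(msg, off) + 4
    ext_rcode = None
    for _ in range(an + ns + ar):        # walk RRs looking for the OPT record
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == OPT:
            ext_rcode = (ttl >> 24) & 0xFF
        off += 10 + rdlen
    if ext_rcode is None:
        return "no-edns"                 # server or path stripped the OPT record
    full = (ext_rcode << 4) | rcode
    return "badvers" if full == BADVERS else f"rcode-{full}"


def probe(server, name, timeout=3.0):
    """Send the probe over UDP/53; return the raw reply, or None on timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_edns_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
        return data
    except socket.timeout:
        return None
    finally:
        sock.close()


# Constructed replies for offline checking: a correct BADVERS answer and a plain REFUSED.
_QUESTION = encode_name("example.net") + struct.pack("!HH", 6, 1)
SAMPLE_BADVERS = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 1) + _QUESTION
                  + b"\x00" + struct.pack("!HHBBHH", OPT, 4096, 1, 0, 0, 0))
SAMPLE_REFUSED = (struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 1) + _QUESTION
                  + b"\x00" + struct.pack("!HHBBHH", OPT, 4096, 0, 0, 0, 0))

if __name__ == "__main__":
    import sys
    server, zone = sys.argv[1], sys.argv[2]   # e.g. an authoritative server IP and its zone
    print(classify_response(probe(server, zone)))
```

Run it from a host on each side of the firewall: "badvers" from inside and "timeout" from outside points at the path (an ALG or filter) rather than at the name server, which is the distinction the thread is arguing about. "no-edns" means an answer came back without any OPT record, which a server that understands EDNS should never do.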