edns compliance
play

EDNS Compliance Mark Andrews marka@isc.org Motivation Deployed - PowerPoint PPT Presentation

Mar 09, 2024 •228 likes •485 views

EDNS Compliance Mark Andrews marka@isc.org Motivation Deployed Experimental Version of DNS COOKIES (SIT) in BIND 9.10.0 Lookups for various zones failed due to mis-implemention of EDNS Trial and Error Takes time especially when requests

  1. EDNS Compliance Mark Andrews marka@isc.org

  2. Motivation Deployed Experimental Version of DNS COOKIES (SIT) in BIND 9.10.0 Lookups for various zones failed due to mis-implemention of EDNS

  3. Trial and Error Takes time especially when requests are dropped New EDNS option are not the only EDNS extensions people are wishing to use. Decided to see what mis-behaviour is out there.

  4. DataSets ● Root and TLD servers ● Alexa Top 1000 ● Alexa Bottom 1000 of Top 1Million ● GOV servers from Alexa Top 1Million ● AU servers from Alexa Top 1Million

  5. Methodology dig +norec +noedns soa zone @server dig +norec +edns=0 soa zone @server dig +norec +edns=1 +noednsneg soa zone @server dig +norec +ednsopt=100 soa zone @server dig +norec +ednsflags=0x80 soa zone @server dig +norec +dnssec soa zone @server dig +norec +dnssec +bufsize=512 +ignore dnskey zone @server dig +norec +edns=1 +noednsneg +ednsopt=100 soa zone @server

  6. Faults Detected 1/2 ● OPT only returned when DO=1 is present in the request ● BADVER not returned to EDNS (1) ● NOTIMP returned when a EDNS option is present ● FORMERR returned when a EDNS option is present ● BADVERS returned when a EDNS option is present ● NOTIMP returned when a EDNS Z flag is present ● FORMERR returned when a EDNS Z flag is present ● BADVERS returned when a EDNS Z flag is present ● EDNS option echoed back

  7. Faults Detected 2/2 ● OPT not returned in truncated response ● EDNS (1) queries being dropped ● EDNS queries with a Z bit being dropped ● EDNS Z bits in queries echoed back ● TCP response size limited to EDNS UPD response size ● Truncated UDP response when send when response will not fit ● Fragmented responses being blocked ● DO=1 not returned by DNSSEC aware servers

  8. EDNS Aware Servers - 18 Mar 2015 100 EDNS Aware 99.63 98.01 95.8 95.73 88.64 75 50 % 25 0 TLD Top Bottom GOV AU Data Subset

  9. EDNS Compliance Report: 2015-03-19T05:19:26Z Percentage of responding servers that are EDNS aware 100 Root and TLD Servers Alexa Top 1000 Servers 95 Alexa Bottom 1000 Servers Alexa .GOV Servers 90 Alexa .AU Servers 85 80 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015 A EDNS aware server is one which returns a EDNS response to at least one of the test queries. A active server is one which returns a response to one of the test queries. Inactive servers are discarded when calculating the EDNS aware percentages. 2014-09-11: Cloudflare replaced server software which only returned a EDNS response when DO was set to one in the request to a server which ignores EDNS in the request. 2014-10-10: Stopped setting AD=1 in test queries. 2014-10-29: Cloudflare restored EDNS support.

  10. EDNS Compliance by Function - 18 Mar 2015 100 EDNS 0 Truncated Response DNSSEC 75 Unknown Option Unknown Flag EDNS 1 50 % Fully Compliant 25 0 TLD Top Bottom GOV AU Data Subset

  11. EDNS Compliance Report: 2015-03-19T07:46:51Z Percentage of EDNS aware servers that passed all EDNS compliance tests 100 Root and TLD Servers Alexa Top 1000 90 Servers Alexa Bottom 1000 Servers 80 Alexa .GOV Servers Alexa .AU 70 Servers 60 50 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015

  12. EDNS Compliance Report: 2015-03-19T05:19:26Z Percentage of EDNS aware servers that handled unknown EDNS(0) options correctly 100 Root and TLD Servers Alexa Top 1000 Servers 95 Alexa Bottom 1000 Servers Alexa .GOV Servers 90 Alexa .AU Servers 85 80 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015 ( dig +ednsopt=100 +norec soa $zone @$server ) expect: status: NOERROR expect: SOA record to be present expect: OPT record to be present expect: OPT=100 to not be present See RFC6891, 6.1.2 Wire Format

  13. EDNS Compliance Report: 2015-03-19T07:46:51Z Percentage of EDNS aware servers that handled unknown EDNS(1) options correctly 100 Root and TLD Servers Alexa Top 1000 Servers 90 Alexa Bottom 1000 Servers Alexa .GOV 80 Servers Alexa .AU Servers 70 60 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015 ( dig +ednsopt=100 +edns=1 +norec soa $zone @$server ) expect: status: BADVERS expect: SOA record to NOT be present expect: OPT record to be present expect: OPT=100 to not be present expect: EDNS Version 0 in response See RFC6891

  14. EDNS Response Rate by Function - 18 Mar 2015 100 EDNS 0 Truncated Response DNSSEC 75 Unknown Option Unknown Flag EDNS 1 50 % 25 0 TLD Top Bottom GOV AU Data Subset

  15. EDNS Compliance Report: 2015-03-19T05:19:26Z Percentage of responding servers that responded to a EDNS(0) request with a unknown option 100 Root and TLD Servers Alexa Top 1000 Servers 98 Alexa Bottom 1000 Servers Alexa .GOV Servers 96 Alexa .AU Servers 94 92 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015

  16. EDNS Compliance Report: 2015-03-19T05:19:26Z Percentage of responding servers that responded to a plain EDNS(1) request 100 Root and TLD Servers Alexa Top 1000 Servers 94 Alexa Bottom 1000 Servers Alexa .GOV Servers 88 Alexa .AU Servers 82 76 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015 2014-10-12 - 2014-10-15: Domaincontrol removed the firewall blocking EDNS version 1 and EDNS flags.

  17. EDNS Compliance Report: 2015-03-19T05:19:26Z Percentage of responding servers that responded to a EDNS(0) request with a unknown flags 100.0 Root and TLD Servers Alexa Top 1000 Servers 97.5 Alexa Bottom 1000 Servers Alexa .GOV Servers 95.0 Alexa .AU Servers 92.5 90.0 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015 2014-10-12 - 2014-10-15: Domaincontrol removed the firewall blocking EDNS version 1 and EDNS flags.

  18. EDNS Compliance Report: 2015-03-19T05:19:26Z Root and TLD EDNS(1) Failure Reasons 10.0 refused,version timeout soa status 7.5 status,version, soa version 5.0 status,version status,soa 2.5 0.0 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015

  19. EDNS Compliance Report: 2015-03-19T05:19:26Z Root and TLD EDNS(0) Unknown Flags Failure Reasons 10.0 version mbz timeout nosoa 7.5 servfail,nosoa status,version, nosoa 5.0 refused,nosoa 2.5 0.0 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015 2014-09-14: operators returning unknown flags informed.

  20. EDNS Compliance Report: 2015-03-19T05:19:26Z Root and TLD EDNS(0) Unknown Option Failure Reasons 1.2 badvers,nosoa timeout status,echoed badvers 0.9 formerr,echoed, nosoa servfail 0.6 status,version version status 0.3 formerr,echoed nosoa status,version,… servfail,nosoa 0.0 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015

  21. EDNS Compliance Report: 2015-03-19T05:19:26Z Root and TLD Firewalls by Type 10.0 EDNS(1) EDNS(0) EDNS opt EDNS opt + 7.5 EDNS(1) Combined EDNS opt + 5.0 FLAGS EDNS(1) + FLAGS EDNS opt + 2.5 EDNS(1) + FLAGS 0.0 Sep 2014 Oct 2014 Nov 2014 Dec 2014 Jan 2015 Feb 2015 Mar 2015 EDNS(0) all EDNS queries have timeout and there was a response to the plain DNS query EDNS(1) only the two EDNS version 1 queries timeout EDNS(1) + FLAGS the two EDNS version 1 queries timeout as well as the unknown EDNS flags query

  22. Where Next ● Extend draft-andrews-no-response-issue (Working group adoption?) ● Contact Firewall Vendors ● Contact Nameserver Vendors ● Contact Zone Owners / DNS hosters ● Convince TLD/SLD operators to run regular checks ● Add to online DNS checkers.

  23. TLDs already involved SWITCH – CH and LI .IE

  24. More Information ● http://users.isc.org/~marka/ts.html ● http://users.isc.org/~marka/tld-report.html ● http://users.isc.org/~marka/gov-report.html ● http://users.isc.org/~marka/au-report.html ● http://users.isc.org/~marka/alexa-report.html ● http://users.isc.org/~marka/bottom-report.html ● https://source.isc.org

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Exploring EDNS-Client-Subnet Adopters in Your Free Time IMC 2013, Barcelona Florian Streibelt

Exploring EDNS-Client-Subnet Adopters in Your Free Time IMC 2013, Barcelona Florian Streibelt

Exploring EDNS-Client-Subnet Adopters in Your Free Time IMC 2013, Barcelona Florian Streibelt <florian@inet.tu-berlin.de> TU-Berlin, Germany - FG INET www.inet.tu-berlin.de October 24th 2013 Florian Streibelt, Jan B ottger, Nikolaos

881 views • 21 slides
Testing Over 1000 gTLDs for EDNS0 Or A Funny Thing Happened on the Way to the Testing Room Edward

Testing Over 1000 gTLDs for EDNS0 Or A Funny Thing Happened on the Way to the Testing Room Edward

Testing Over 1000 gTLDs for EDNS0 Or A Funny Thing Happened on the Way to the Testing Room Edward Lewis ICANN FOSDEM 2019/DNS Developer Room 3 February 2019 | 1 My Experience with the ISC EDNS Compliance Test Code 10,973,106,002 calls to

727 views • 33 slides
Compliance Overview and Compliance by Design [CbD] aka Doing the Right Things at the Right

Compliance Overview and Compliance by Design [CbD] aka Doing the Right Things at the Right

Compliance Overview and Compliance by Design [CbD] aka Doing the Right Things at the Right Time ASQ Meeting, 14 August 2012, Santa Ana, CA Dr. Raymond W. Brullo, DPM Compliance Officer , FDA Los Angeles District Office, Irvine, CA Doctor

516 views • 40 slides
Compliance Plans Kelly S. McIntosh July 20, 2017 Roadmap The importance of compliance and

Compliance Plans Kelly S. McIntosh July 20, 2017 Roadmap The importance of compliance and

Compliance Plans Kelly S. McIntosh July 20, 2017 Roadmap The importance of compliance and compliance programs Common compliance issues know your risk areas! Guidance for drafting or updating your compliance plan Elements of

1.16k views • 50 slides
OFFICE OF UNIVERSITY COMPLIANCE OFFICE OF UNIVERSITY COMPLIANCE Who We Are: Joint Audit and

OFFICE OF UNIVERSITY COMPLIANCE OFFICE OF UNIVERSITY COMPLIANCE Who We Are: Joint Audit and

OFFICE OF UNIVERSITY COMPLIANCE OFFICE OF UNIVERSITY COMPLIANCE Who We Are: Joint Audit and Compliance Committee President Kimberly Fearney Associate Vice President & Chief Compliance Officer Liz Vitullo Executive Assistant Omar

127 views • 8 slides
Education Governance & Compliance Committee April 6, 2018 What is Compliance?

Education Governance & Compliance Committee April 6, 2018 What is Compliance?

Compliance in Higher Education Governance & Compliance Committee April 6, 2018 What is Compliance? Conformity in fulfilling official requirements * Certification or confirmation that the doer of an actionmeets the

506 views • 14 slides
COMPLIANCE 2.0 RANDS CONTRIBUTION TO THE EVOLUTION OF CORPORATE COMPLIANCE AND NEXT STEPS

COMPLIANCE 2.0 RANDS CONTRIBUTION TO THE EVOLUTION OF CORPORATE COMPLIANCE AND NEXT STEPS

COMPLIANCE 2.0 RANDS CONTRIBUTION TO THE EVOLUTION OF CORPORATE COMPLIANCE AND NEXT STEPS PREPARED FOR: RAND CENTER FOR CORPORATE ETHICS AND GOVERNANCE ADVISORY BOARD PANEL : DONNA BOEHME PRINCIPAL, COMPLIANCE STRATEGISTS LLC MICHAEL

526 views • 13 slides
Corporate Compliance Programs: Weaving an Effective Compliance Web Simply put, corporate

Corporate Compliance Programs: Weaving an Effective Compliance Web Simply put, corporate

Corporate Compliance Programs: Weaving an Effective Compliance Web Simply put, corporate compliance programs are designed to prevent and detect violations of the law. Compliance programs make good business sense because they: reduce the

144 views • 12 slides
Fleet Compliance Awareness Workshop Compliance Questions Fleet Compliance Awareness Workshop

Fleet Compliance Awareness Workshop Compliance Questions Fleet Compliance Awareness Workshop

Fleet Compliance Awareness Workshop Compliance Questions Fleet Compliance Awareness Workshop Question 1 Q 1. When is the best time to carry out a daily vehicle check? [ a ] During a break [ b ] When the engine is running [ c ] Upon taking the

1.11k views • 69 slides
Achieving Compliance through Strategic Compliance Planning Symposium on Strategic Compliance in

Achieving Compliance through Strategic Compliance Planning Symposium on Strategic Compliance in

Achieving Compliance through Strategic Compliance Planning Symposium on Strategic Compliance in Indonesia through the Labour Inspection System Nancy Leppink Chief Labour Administration/Labour Inspection/ Occupational Safety and Health

605 views • 28 slides
COMPLIANCE CHARTER G A R Y N I M A X A S S I S T A N T V I C E P R E S I D E N T F O R C O

COMPLIANCE CHARTER G A R Y N I M A X A S S I S T A N T V I C E P R E S I D E N T F O R C O

COMPLIANCE CHARTER G A R Y N I M A X A S S I S T A N T V I C E P R E S I D E N T F O R C O M P L I A N C E U.S. Federal Sentencing Guidelines The compliance programs objective is to establish and promote standards that meet these seven

394 views • 4 slides
Compliance for Experts June 27, 2012 Presenters John Misgen, CPA Senior Compliance

Compliance for Experts June 27, 2012 Presenters John Misgen, CPA Senior Compliance

Bank Secrecy Act Compliance for Experts June 27, 2012 Presenters John Misgen, CPA Senior Compliance Consultant with CliftonLarsonAllen LLP for more than six years Has provided regulatory compliance assistance, including

605 views • 41 slides
Conference Jeremy Smith Compliance Manager Erin OHern Director of League Compliance Services

Conference Jeremy Smith Compliance Manager Erin OHern Director of League Compliance Services

NCUL Compliance Conference Jeremy Smith Compliance Manager Erin OHern Director of League Compliance Services Meet the Presenter As Compliance Manager, Jeremy Smith oversees compliance services for PolicyWorks' partner Credit Union

2.25k views • 157 slides
Internal Audit and Compliance Reporting Summary March 14, 2019 1 Compliance Long Range Plan

Internal Audit and Compliance Reporting Summary March 14, 2019 1 Compliance Long Range Plan

Internal Audit and Compliance Reporting Summary March 14, 2019 1 Compliance Long Range Plan One of the core requirements from the Compliance Resource Group (CRG) was that Compliance should develop a 3-5 year strategic plan to model the

793 views • 13 slides
Merchant PCI Compliance - Update PCI Compliance Reminders - Portal Access: www.pciapply.com/NWP

Merchant PCI Compliance - Update PCI Compliance Reminders - Portal Access: www.pciapply.com/NWP

Merchant PCI Compliance - Update PCI Compliance Reminders - Portal Access: www.pciapply.com/NWP - Agents have access to the Aperia Client Management Portal Experience - Get your user credentials! - Support/Compliance Center/Help Desk/QSA

66 views • 6 slides
Building a Culture of Compliance and Ethics Core Elements 1. Compliance standards (policies

Building a Culture of Compliance and Ethics Core Elements 1. Compliance standards (policies

Building a Culture of Compliance and Ethics Core Elements 1. Compliance standards (policies procedures and standards of conduct) 2. Dedicated compliance specialist & committee 3. Conducting training and education 4. Developing open lines

154 views • 11 slides
How we achieve high level corporate partnerships with companies given the health advocacy and

How we achieve high level corporate partnerships with companies given the health advocacy and

How we achieve high level corporate partnerships with companies given the health advocacy and promotion priorities of the UICC and some of the challenges that arise in a global context. World Cancer Declaration 3 Key Questions Can

631 views • 28 slides
NRHD Partner Meeting | September 18, 2017 Agenda a (use e chatbox ox, t tell ll us w what

NRHD Partner Meeting | September 18, 2017 Agenda a (use e chatbox ox, t tell ll us w what

#powerofrural Thank you! Together we can make a bigger impact! NRHD Partner Meeting | September 18, 2017 Agenda a (use e chatbox ox, t tell ll us w what you t thin ink) Thank you for helping us grow from a day to a movement!

457 views • 16 slides
Microsoft COVID-19 Response Update for Canadian Partners April 21, 2020 Our approach to

Microsoft COVID-19 Response Update for Canadian Partners April 21, 2020 Our approach to

Microsoft COVID-19 Response Update for Canadian Partners April 21, 2020 Our approach to Suzanne Gagliese managing business VP One Commercial Partner, Microsoft continuity Canada Supporting our Suzanne Hamilton Agenda partners Customer

467 views • 25 slides
Presumptive Eligibility for Qualified Community Partners in response to the COVID-19 emergency

Presumptive Eligibility for Qualified Community Partners in response to the COVID-19 emergency

Presumptive Eligibility for Qualified Community Partners in response to the COVID-19 emergency Review and background information http://bit.ly/ohp-hpe What is Hospital Presumptive Eligibility (HPE)? A fast, easy way for Oregonians to

105 views • 8 slides
Welcome to Portfolio Analysis! IN TRODUCTION TO P ORTF OLIO AN ALYS IS IN P YTH ON Charlotte

Welcome to Portfolio Analysis! IN TRODUCTION TO P ORTF OLIO AN ALYS IS IN P YTH ON Charlotte

Welcome to Portfolio Analysis! IN TRODUCTION TO P ORTF OLIO AN ALYS IS IN P YTH ON Charlotte Werger Data Scientist Hi! My name is Charlotte INTRODUCTION TO PORTFOLIO ANALYSIS IN PYTHON What is a portfolio INTRODUCTION TO PORTFOLIO

668 views • 30 slides
Alan Hull Active Investing Book and strategy review Garry Hoover Historical Research methodology:

Alan Hull Active Investing Book and strategy review Garry Hoover Historical Research methodology:

Alan Hull Active Investing Book and strategy review Garry Hoover Historical Research methodology: (main method) Lincoln Stock doctor. Star stock Borderline Filter. Only buy if Price = undervalued Other Research methodologies

439 views • 24 slides
Capital Asset Pricing Model (CAPM) Machine Learning for Trading Financial Investing

Capital Asset Pricing Model (CAPM) Machine Learning for Trading Financial Investing

How the market impacts individual stocks Capital Asset Pricing Model (CAPM) Machine Learning for Trading Financial Investing Equation. 1960s William Sharpe , Harry Markovitz, Merton Miller. Noble Prize 1990 Capital Assets

101 views • 8 slides
Competition for Order Flow and Smart Routers Thierry Foucault Albert J. Menkveld VU Amsterdam

Competition for Order Flow and Smart Routers Thierry Foucault Albert J. Menkveld VU Amsterdam

Competition for Order Flow and Smart Routers Thierry Foucault Albert J. Menkveld VU Amsterdam HEC Paris 20 Years Tinbergen Institute Amsterdam, June 2007 1 Background and Motivation Automation changes

460 views • 26 slides

More recommend