DNSSEC validation failures for www.hrsa.gov

Mark Andrews marka at isc.org
Sun Jun 26 01:45:17 UTC 2016


In message <alpine.DEB.2.20.1606242104290.17096 at headset.its.uiowa.edu>, Jay Ford writes:
> On Sat, 25 Jun 2016, Mark Andrews wrote:
> > The servers for webfarm.dr.hrsa.gov are not EDNS and DNSSEC compliant.
> > They are returning FORMERR to queries with EDNS options.  Unknown
> > EDNS options are supposed to be ignored (RFC 6891).
> >
> > You can work around this with a server clause that disables sending the
> > cookie option.
> >
> > server <address> { request-sit no; };	// 9.10.x
> > server <address> { send-cookie no; };	// 9.11.x
> 
> That did it, at least for now.
> 
> > Now one could argue that FORMERR is legal under RFC 2671 (the initial
> > EDNS specification) as no options were defined and to use an option
> > you need to bump the EDNS version, but the servers don't do EDNS
> > version negotiation either as they return FORMERR to an EDNS version 1
> > query rather than BADVERS.  They also incorrectly copy back unknown
> > EDNS flags.
> 
> > Whether this is the cause of your issue I don't know but it won't be
> > helping.
> 
> The HRSA folks claim that their "site is fine".  In hopes of disabusing them 
> of that notion I'll have our folks who have to try to use the HRSA site pass 
> along the trouble report.

Just because it appears to work for some clients does not mean that
it works for all clients.  This is yet another IT department putting
their fingers in their ears and saying "nah nah nah".  If they were
competent they would look at the RFCs listed in the original
report and check that their servers work correctly and fix the
issues found.

EDNS was designed to allow clients and servers to upgrade independently
but that requires that both clients and servers follow the protocol.
That is, they must handle new/unknown stuff correctly, which these servers
do not.

They can check their servers at https://ednscomp.isc.org/

Mark

> Thanks for the diagnosis & work-around.  Excellent as always & crazy fast, 
> too!
> 
> ________________________________________________________________________
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-ford at uiowa.edu, phone: 319-335-5555
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
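As an added illustration (not Mark's code and not ISC's ednscomp service), the following Python probe sends the three checks discussed in the thread, an unknown EDNS option, an EDNS version 1 query and an unassigned OPT flag, and judges each reply against RFC 6891. It assumes plain UDP to port 53, option code 65001 from the private-use range and flag bit 0x0040 as an unassigned OPT flag; the wire-format builder and parser are hand-rolled here so no third-party DNS library is needed.

```python
import socket, struct
FORMERR, BADVERS, OPT, DO_BIT = 1, 16, 41, 0x8000   # rcodes, OPT RR type, the one assigned OPT flag

def build_query(qname, version=0, options=(), flags=0, qid=0x1234):
    # A query for qname plus an OPT RR (RFC 6891 6.1.2); options is a list of (code, data)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".")) + b"\x00"
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    opt = b"\x00" + struct.pack("!HHBBHH", OPT, 4096, 0, version, flags, len(rdata)) + rdata
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1) + name + b"\x00\x01\x00\x01" + opt

def _skip_name(buf, off):
    while buf[off] and buf[off] & 0xC0 != 0xC0:   # walk labels until root or compression pointer
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 else 1)

def parse_response(buf):
    # Returns (extended rcode, EDNS version or None if no OPT RR, OPT flags)
    _, hflags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    rcode, version, oflags, off = hflags & 0xF, None, 0, 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(buf, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        if rtype == OPT:   # the OPT "TTL" carries extended rcode, version and flags
            rcode, version, oflags = rcode | (ttl >> 24) << 4, (ttl >> 16) & 0xFF, ttl & 0xFFFF
        off += 10 + rdlen
    return rcode, version, oflags

PROBES = {  # name -> (query kwargs, RFC 6891 check); 65001 is a private-use option code (assumption)
    "unknown-option": (dict(options=[(65001, b"\x00")]), lambda rc, v, f: rc != FORMERR),
    "version-1": (dict(version=1), lambda rc, v, f: rc == BADVERS),
    "unknown-flag": (dict(flags=0x0040), lambda rc, v, f: f & ~DO_BIT == 0),
}

def judge(test, response):
    # True when the server behaves as RFC 6891 requires for that probe
    return PROBES[test][1](*parse_response(response))

def check_server(addr, qname="www.hrsa.gov", timeout=3):
    # Send every probe over UDP to addr:53 and report pass/fail per probe
    results = {}
    for test, (kwargs, _) in PROBES.items():
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(qname, **kwargs), (addr, 53))
            try:
                results[test] = judge(test, s.recv(4096))
            except socket.timeout:
                results[test] = False   # no answer at all also counts as non-compliant
    return results
```

A server that answers FORMERR to the unknown-option probe, or FORMERR rather than BADVERS to the version-1 probe, shows exactly the behaviour reported for the webfarm.dr.hrsa.gov servers.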