EDNS RRs

W.C.A. Wijngaards wouter at nlnetlabs.nl
Fri Nov 20 10:34:30 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On 11/20/2015 10:11 AM, W.C.A. Wijngaards via Unbound-users wrote:
> Hi Ian,
> 
> On 11/19/2015 09:47 PM, Ian Cohee via Unbound-users wrote:
>> Hello all,
> 
>> One of our engineers discovered some interesting behavior while 
>> testing bad EDNS RRs in Unbound. He discovered that Unbound 
>> properly checks and identifies a truncated OPT RR as a FORMERR,
>> but then returns the truncated OPT RR, resulting in a malformed 
>> response to a malformed request. I have attached a PCAP file
>> that should contain the malformed requests/responses.
> 
> There is a fix now, unbound will remove the EDNS section from that
> reply.
> 
> This may cause the sender to think the server does not support
> EDNS and then drop EDNS from its queries - and that is exactly
> right because its EDNS contents cannot be parsed.

And fixed to reply with a valid EDNS record without options in it in
the FORMERR message.  This is for RFC compliance, as Yuri points out.

Best regards, Wouter

> 
> Best regards, Wouter
> 
> 
>> Has anyone observed this behavior, and if so, had issues from
>> it?
> 
>> I'd also like to hear some opinions about this behavior.
> 
>> Thanks,
> 
> 
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJWTvc2AAoJEJ9vHC1+BF+Nil0QAJXwrVExbHiyrKtgtKg26Mmn
jrbug55i4tl0UQn7Mph9WvMalzsjMvV5lLFh8bJOsqjJKN0rD1/MIfJdBU3M/Aa8
ZGkUAdvlA4/2PO2fDz01gVA2xvF9CV57psOBs8sYixoVhG7Fi+57QgzSANssFtLr
YV+GpNzxrDhL+x605zN/gDeca7kbKbxWzepSqLdVqBtqUUWrob8cMp5Z6FKr2y5y
9d1/s67d8E7TEFbzjASFnr5uQIbz1BjzFARGXmcPeGlsWKVcog/jYESolNyONP98
BfM26H7z2i7aK0zTuJ5cQFBEvRYRv0FXzM/oIl7LMNlpA4Dlzedf2tHQ71FfM6C8
o1rO4/wxgNG14n9e6iI+JXyXKCnk9w4Q4rZ79yKADTG7mYP/GO+6N37p2GtSZUYI
0mBW0ViBQW1M4qgnFndUQgBdrrEudoX1Cv+SXtDdczj/HmjToy0BOxqymCzA/zp3
j93vhIzRrqcdTWvtyMM3zJ3DiB24xvecxfNnV60up1PSBcmNsHtay1S2uPgVWp9G
1OfCX35QBuEDTHI6ERt1cqxisiC7CZxLOexYB07NczTRIuCV5ac1sibAivpm0xsx
fij/oZNRTTpNg9ZTaEDCBgmMFixu5kXtUbadpboyua1TvUDZUZJ10W43ick8yT3g
sCFaCFhiDwCqF5oIb7XG
=cY+N
-----END PGP SIGNATURE-----



More information about the Unbound-users mailing list