[caiu] Caixa's DNS
Rubens Kuhl
rubensk at gmail.com
Thu Jul 6 22:31:05 BRT 2017
caixa.gov.br DNS servers with two problems:
1) 2 servers (Lyra and Mira) configured with v6 but not answering over v6
2) All 4 DNS servers dropping TCP 53, even though every authoritative
DNS server has to accept queries over TCP.
Link:
https://ednscomp.isc.org/ednscomp/0cc7625a7a
EDNS Compliance Tester
Checking: 'caixa.gov.br' as at 2017-07-07T01:25:35Z
caixa.gov.br @200.201.172.21 (lyra.caixa.gov.br.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=timeout optlist=ok
caixa.gov.br @2801:b4:1:cef4::20 (lyra.caixa.gov.br.): edns=timeout edns1=timeout edns@512=timeout ednsopt=timeout edns1opt=timeout do=timeout ednsflags=timeout docookie=timeout edns@512tcp=timeout optlist=timeout
caixa.gov.br @200.201.171.21 (mira.caixa.gov.br.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=timeout optlist=ok
caixa.gov.br @2801:b4:1:cef4::166 (mira.caixa.gov.br.): edns=timeout edns1=timeout edns@512=timeout ednsopt=timeout edns1opt=timeout do=timeout ednsflags=timeout docookie=timeout edns@512tcp=timeout optlist=timeout
caixa.gov.br @200.201.161.23 (orion.caixa.gov.br.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=timeout optlist=ok
caixa.gov.br @200.201.161.22 (polar.caixa.gov.br.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=timeout optlist=ok
The Following Tests Failed
Warning: test failures may indicate that some DNS clients cannot resolve
the zone or will get an unintended answer or resolution will be slower than
necessary.
Warning: failure to address issues identified here may make future DNS
extensions that you want to use ineffective. In particular echoing back
unknown EDNS options and unknown EDNS flags will break future signaling
between DNS client and DNS server. We already have examples of this where
you cannot depend on the AD flag bit meaning anything in replies because
too many DNS servers just echo it back. Similarly the EDNS Client Subnet
(ECS) option cannot just be sent to everyone in part because of servers
just echoing it back.
- Plain EDNS (edns)
This is the style of the initial query that BIND 9.0.x sends.
dig +nocookie +norec +noad +edns=0 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: EDNS over IPv6
See RFC6891 <http://tools.ietf.org/html/rfc6891>
- EDNS - Unknown Version Handling (edns1)
dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
See RFC6891, 6.1.3. OPT Record TTL Field Use
<http://tools.ietf.org/html/rfc6891#section-6.1.3>
- EDNS - Truncated Response (edns@512)
dig +nocookie +norec +noad +dnssec +bufsize=512 +ignore dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
expect: UDP DNS message size to be less than or equal to 512 bytes
See RFC6891, 7. Transport Considerations
<http://tools.ietf.org/html/rfc6891#section-7>
- EDNS - Unknown Option Handling (ednsopt)
dig +nocookie +norec +noad +ednsopt=100 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: that the option will not be present in response
See RFC6891, 6.1.2 Wire Format
<http://tools.ietf.org/html/rfc6891#section-6.1.2>
- EDNS - Unknown Version with Unknown Option Handling (edns1opt)
dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
expect: that the option will not be present in response
See RFC6891 <http://tools.ietf.org/html/rfc6891>
- EDNS - DNSSEC (do)
This is the style of the initial query that BIND 9.1.0 - BIND 9.10.x sends.
dig +nocookie +norec +noad +dnssec soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: DO flag in response if RRSIG is present in response
See RFC3225 <http://tools.ietf.org/html/rfc3225>
- EDNS - Unknown Flag Handling (ednsflags)
dig +nocookie +norec +noad +ednsflags=0x80 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: Z bits to be clear in response
See RFC6891, 6.1.4 Flags
<http://tools.ietf.org/html/rfc6891#section-6.1.4>
- EDNS - DNSSEC with DNS COOKIE Option (docookie)
This is the style of the initial query that BIND 9.11.0 and BIND 9.10.4
Windows onwards send.
dig +cookie +norec +noad +dnssec soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: DO flag in response if RRSIG is present in response
See RFC3225 <http://tools.ietf.org/html/rfc3225>, RFC6891
<http://tools.ietf.org/html/rfc6891>, and RFC7873
<http://tools.ietf.org/html/rfc7873>.
- EDNS - over TCP Response (edns@512tcp)
dig +vc +nocookie +norec +noad +edns +dnssec +bufsize=512 dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC5966 <http://tools.ietf.org/html/rfc5966> and RFC6891
<http://tools.ietf.org/html/rfc6891>
- EDNS - Supported Options Probe (optlist)
dig +edns +noad +norec +nsid +subnet=0.0.0.0/0 +expire +cookie -q zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC6891 <http://tools.ietf.org/html/rfc6891>
Codes
- *ok* - test passed.
- *timeout* - lookup timed out.
To retrieve this report in the future:
https://ednscomp.isc.org/ednscomp/0cc7625a7a
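As an added illustration, not part of Rubens's message or of ISC's tester, the Python below builds the kind of query the dig commands above send (an OPT record with version 0, the DO bit and a 512-byte UDP payload size), frames it with the 2-byte length prefix DNS over TCP requires, and applies the tester's checks to a reply: RCODE (BADVERS is 16 once the OPT extended bits are included), OPT present with version 0, Z bits left clear. The query id 0x1234 and the DNSKEY default in probe_tcp are constructed choices; probe_tcp returns "timeout" when a server drops port 53/TCP, which is the verdict every server in the report above received.

```python
import socket
import struct

def build_query(name, qtype, bufsize=512, do=True, qid=0x1234):
    # Header: id, flags=0 (RD clear, like dig +norec), QD=1, AN=0, NS=0, AR=1 (the OPT RR)
    msg = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)
    for label in name.rstrip(".").split("."):  # wire-format QNAME
        msg += bytes([len(label)]) + label.encode()
    msg += b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    # OPT pseudo-RR (RFC 6891): root name, type 41, class = UDP payload size,
    # TTL = extended RCODE(8) | version(8) | DO(1) + Z(15), RDLENGTH 0 (no options)
    return msg + b"\x00" + struct.pack("!HHIH", 41, bufsize, 1 << 15 if do else 0, 0)

def tcp_frame(msg):
    # DNS over TCP prefixes each message with its 2-byte length (RFC 5966)
    return struct.pack("!H", len(msg)) + msg

def skip_name(data, off):
    # Advance past an owner name: plain labels, or a 2-byte compression pointer
    while data[off] and data[off] < 0xC0:
        off += data[off] + 1
    return off + (2 if data[off] >= 0xC0 else 1)

def check_response(resp):
    # Tester's checks: RCODE (incl. OPT extended bits, so BADVERS = 16), OPT present, version 0, Z clear
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    out = {"rcode": flags & 0xF, "opt": False, "version": None, "z_clear": None}
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(resp, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            out.update(opt=True, version=(ttl >> 16) & 0xFF, z_clear=not ttl & 0x7FFF)
            out["rcode"] |= (ttl >> 24) << 4
    return out

def probe_tcp(server, name, qtype=48, timeout=3.0):
    # DNSKEY over TCP as in edns@512tcp; "timeout" is the tester's verdict when 53/TCP is dropped
    try:
        with socket.create_connection((server, 53), timeout) as s:
            s.sendall(tcp_frame(build_query(name, qtype)))
            need, data = struct.unpack("!H", s.recv(2))[0], b""
            while len(data) < need:
                data += s.recv(need - len(data))
    except (OSError, struct.error):  # timeout, refused, or connection closed early
        return "timeout"
    return check_response(data)
```

The same check_response applies to a UDP reply; only the 2-byte framing differs between the two transports.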