[caiu] Caixa's DNS

Rubens Kuhl rubensk at gmail.com
Thu Jul 6 22:31:05 BRT 2017


The DNS servers for caixa.gov.br have two problems:
1) 2 servers (Lyra and Mira) are configured with v6 but do not answer over v6
2) All 4 DNS servers are dropping TCP 53, even though every authoritative
DNS server has to accept queries over TCP.

Link:
https://ednscomp.isc.org/ednscomp/0cc7625a7a

EDNS Compliance Tester
Checking: 'caixa.gov.br' as at 2017-07-07T01:25:35Z

caixa.gov.br @200.201.172.21 (lyra.caixa.gov.br.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok *edns@512tcp=timeout* optlist=ok
caixa.gov.br @2801:b4:1:cef4::20 (lyra.caixa.gov.br.): *edns=timeout* *edns1=timeout* *edns@512=timeout* *ednsopt=timeout* *edns1opt=timeout* *do=timeout* *ednsflags=timeout* *docookie=timeout* *edns@512tcp=timeout* *optlist=timeout*

caixa.gov.br @200.201.171.21 (mira.caixa.gov.br.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok *edns@512tcp=timeout* optlist=ok
caixa.gov.br @2801:b4:1:cef4::166 (mira.caixa.gov.br.): *edns=timeout* *edns1=timeout* *edns@512=timeout* *ednsopt=timeout* *edns1opt=timeout* *do=timeout* *ednsflags=timeout* *docookie=timeout* *edns@512tcp=timeout* *optlist=timeout*

caixa.gov.br @200.201.161.23 (orion.caixa.gov.br.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok *edns@512tcp=timeout* optlist=ok

caixa.gov.br @200.201.161.22 (polar.caixa.gov.br.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok *edns@512tcp=timeout* optlist=ok

The Following Tests Failed

Warning: test failures may indicate that some DNS clients cannot resolve
the zone or will get an unintended answer or resolution will be slower than
necessary.

Warning: failure to address issues identified here may make future DNS
extensions that you want to use ineffective. In particular echoing back
unknown EDNS options and unknown EDNS flags will break future signaling
between DNS client and DNS server. We already have examples of this where
you cannot depend on the AD flag bit meaning anything in replies because
too many DNS servers just echo it back. Similarly the EDNS Client Subnet
(ECS) option cannot just be sent to everyone in part because of servers
just echoing it back.


   - Plain EDNS (edns)

   This is the style of the initial query that BIND 9.0.x sends.

   dig +nocookie +norec +noad +edns=0 soa zone @server
   expect: SOA
   expect: NOERROR
   expect: OPT record with version set to 0
   expect: EDNS over IPv6
   See RFC6891 <http://tools.ietf.org/html/rfc6891>
   - EDNS - Unknown Version Handling (edns1)

   dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
   expect: BADVERS
   expect: OPT record with version set to 0
   expect: not to see SOA
   See RFC6891, 6.1.3. OPT Record TTL Field Use
   <http://tools.ietf.org/html/rfc6891#section-6.1.3>
   - EDNS - Truncated Response (edns@512)

   dig +nocookie +norec +noad +dnssec +bufsize=512 +ignore dnskey zone @server
   expect: NOERROR
   expect: OPT record with version set to 0
   expect: UDP DNS message size to be less than or equal to 512 bytes
   See RFC6891, 7. Transport Considerations
   <http://tools.ietf.org/html/rfc6891#section-7>
   - EDNS - Unknown Option Handling (ednsopt)

   dig +nocookie +norec +noad +ednsopt=100 soa zone @server
   expect: SOA
   expect: NOERROR
   expect: OPT record with version set to 0
   expect: that the option will not be present in response
   See RFC6891, 6.1.2 Wire Format
   <http://tools.ietf.org/html/rfc6891#section-6.1.2>
   - EDNS - Unknown Version with Unknown Option Handling (edns1opt)

   dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
   expect: BADVERS
   expect: OPT record with version set to 0
   expect: not to see SOA
   expect: that the option will not be present in response
   See RFC6891 <http://tools.ietf.org/html/rfc6891>
   - EDNS - DNSSEC (do)

   This is the style of the initial query that BIND 9.1.0 - BIND 9.10.x
   sends.

   dig +nocookie +norec +noad +dnssec soa zone @server
   expect: SOA
   expect: NOERROR
   expect: OPT record with version set to 0
   expect: DO flag in response if RRSIG is present in response
   See RFC3225 <http://tools.ietf.org/html/rfc3225>
   - EDNS - Unknown Flag Handling (ednsflags)

   dig +nocookie +norec +noad +ednsflags=0x80 soa zone @server
   expect: SOA
   expect: NOERROR
   expect: OPT record with version set to 0
   expect: Z bits to be clear in response
   See RFC6891, 6.1.4 Flags
   <http://tools.ietf.org/html/rfc6891#section-6.1.4>
   - EDNS - DNSSEC with DNS COOKIE Option (docookie)

   This is the style of the initial query that BIND 9.11.0 and BIND 9.10.4
   Windows onwards send.

   dig +cookie +norec +noad +dnssec soa zone @server
   expect: SOA
   expect: NOERROR
   expect: OPT record with version set to 0
   expect: DO flag in response if RRSIG is present in response
   See RFC3225 <http://tools.ietf.org/html/rfc3225>, RFC6891
   <http://tools.ietf.org/html/rfc6891>, and RFC7873
   <http://tools.ietf.org/html/rfc7873>.
   - EDNS - over TCP Response (edns@512tcp)

   dig +vc +nocookie +norec +noad +edns +dnssec +bufsize=512 dnskey zone @server
   expect: NOERROR
   expect: OPT record with version set to 0
   See RFC5966 <http://tools.ietf.org/html/rfc5966> and RFC6891
   <http://tools.ietf.org/html/rfc6891>
   - EDNS - Supported Options Probe (optlist)

   dig +edns +noad +norec +nsid +subnet=0.0.0.0/0 +expire +cookie -q zone @server
   expect: NOERROR
   expect: OPT record with version set to 0
   See RFC6891 <http://tools.ietf.org/html/rfc6891>

Codes


   - *ok* - test passed.
   - *timeout* - lookup timed out.

To retrieve this report in the future:
https://ednscomp.isc.org/ednscomp/0cc7625a7a
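As an added example (not part of the original post or of ISC's ednscomp tool), this Python re-implements the edns@512tcp probe from the test list above with the standard library only, so an operator can reproduce the TCP 53 timeout from their own host before and after a firewall fix; pointing it at one of the IPv6 addresses from the report also exercises the first problem. Zone name and addresses come from the report; the query ID 0x1234 is an arbitrary constant, and the two-letter result strings mirror the report's codes.

```python
import socket
import struct
def build_edns_query(qname, qtype=48, bufsize=512, do=True, qid=0x1234):
    # Header flags = 0 (RD and AD clear, like +norec +noad); 1 question, 1 additional (OPT).
    header = struct.pack(">HHHHHH", qid, 0, 1, 0, 0, 1)
    labels = [bytes([len(lab)]) + lab.encode() for lab in qname.rstrip(".").split(".")]
    question = b"".join(labels) + b"\x00" + struct.pack(">HH", qtype, 1)  # 48 = DNSKEY, IN
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode|version|DO|Z.
    opt = b"\x00" + struct.pack(">HHIH", 41, bufsize, 0x8000 if do else 0, 0)
    return header + question + opt

def _skip_name(data, off):
    # Advance past a wire-format name, honouring RFC 1035 compression pointers.
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_edns_response(data):
    # Return rcode, answer count and the OPT record's version / DO bit (None if no OPT).
    _qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    info = {"rcode": flags & 0xF, "answers": an, "opt_version": None, "do": None}
    off = 12
    for _ in range(qd): off = _skip_name(data, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        if rtype == 41:
            info["opt_version"] = (ttl >> 16) & 0xFF
            info["do"] = bool(ttl & 0x8000)
        off += 10 + rdlen
    return info

def check_edns_tcp(server, zone, timeout=5.0):
    # The edns@512tcp probe: DNSKEY, DO set, bufsize 512, over TCP 53 with RFC 7766 framing.
    query = build_edns_query(zone)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as sock:
            sock.sendall(struct.pack(">H", len(query)) + query)
            stream = sock.makefile("rb")
            (length,) = struct.unpack(">H", stream.read(2))
            parsed = parse_edns_response(stream.read(length))
    except OSError:
        return "timeout"  # filtered TCP 53, or an IPv6 address that never answers
    except (struct.error, IndexError):
        return "fail"  # connection closed early or malformed reply
    return "ok" if parsed["rcode"] == 0 and parsed["opt_version"] == 0 else "fail"
```

Running `check_edns_tcp("200.201.172.21", "caixa.gov.br")` against a server that silently drops TCP 53 returns "timeout" after the timeout expires, matching the report; a compliant server returns "ok".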