4

Using the domain test at https://dnsflagday.net reports that our domains (hosted at several different DNS companies) all fail with this (note the edns512tcp=reset):

xxxxxxxxx.com. @98.124.243.3 (dns5.name-services.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=reset optlist=ok,nsid (pdns12.dns.sjl.prod.tucows.net)

The Following Tests Failed

    EDNS - over TCP Response (edns@512tcp)

    dig +vc +nocookie +norec +noad +edns +dnssec +bufsize=512 dnskey zone @server
    expect: NOERROR
    expect: OPT record with version set to 0
    See RFC5966 and See RFC6891

Codes

    ok - test passed.
    nsid - NSID supported [RFC5001].
    reset - TCP connection reset.

But there are no actions explained by the site, and web searches are not making this any clearer.

It seems to be saying it doesn't expect reset? dig shows the domains all reply with the following, which is required:

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452

What is the DNS flag day tester trying to tell me is wrong? And is there anything I can do to fix it, or is it a problem with our authoritative DNS host?

simpleuser
  • 274
  • 1
  • 4
  • 14

1 Answer

3

You don't specify your domain name, but using the command specified in the output that you quoted I get the same "connection reset" behavior that they complain about:

$ dig +vc +nocookie +norec +noad +edns +dnssec +bufsize=512 dnskey example.com @98.124.243.3
;; communications error to 98.124.243.3#53: connection reset
$

As noted in your ednscomp test output, what is expected in this particular test is:

expect: NOERROR
expect: OPT record with version set to 0

I.e., it expects a response with NOERROR status and an EDNS OPT pseudorecord with version 0 for this query.

The reported problem is specifically that your nameserver, for whatever reason, resets the connection instead of handling the query.

It is worth noting that the ednscomp test suite includes many tests; what you find detailed in the output are the tests that failed. I.e., the dig command above is in itself by no means a comprehensive test, it just corresponds to a particular test scenario where your nameserver fails.

Håkan Lindqvist
  • 35,011
  • 5
  • 69
  • 94
  • Interesting. I don't get the reset on my server using the exact command you used above. I get an answer ending with an OPT PSEUDOSECTION containing '; EDNS: version: 0, flags: do; udp: 1680' – simpleuser Jan 25 '19 at 20:43
  • Hmm. But I do get a timeout from 3 other servers, and now I do from mine when retrying a few minutes later. So I guess this is just a flaky server used by ednscomp? – simpleuser Jan 25 '19 at 20:50
  • @simpleuser It seems like `98.124.243.3` (maybe other servers from same provider as well) does not appear to work reliably over TCP, maybe even unrelated to EDNS options. – Håkan Lindqvist Jan 25 '19 at 20:56
  • To clarify, when I wrote "I do get a timeout from 3 other servers" I meant I get a timeout when I run the dig command *from* multiple other servers, but using the same DNS @server in your command. Thanks for your help! – simpleuser Jan 25 '19 at 21:00
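The exchange above boils down to one check: send the DNSKEY query over TCP with an OPT record advertising a 512-byte buffer and the DO bit, then see whether the server answers NOERROR with an EDNS version-0 OPT record, resets the connection, or times out. The following is an added example (not code from the question, the answer, or the dnsflagday/ednscomp project) that builds that query byte-for-byte from the dig flags, parses a reply against the two stated expectations, and maps TCP failures onto the page's `reset` code. Function names (`build_edns_query`, `check_response`, `probe_edns_tcp`) and the sample replies are constructed for this example; only `probe_edns_tcp` touches the network, and it is not called by default.

```python
import socket
import struct

DNSKEY = 48     # QTYPE used by the edns@512tcp test
OPT = 41        # EDNS OPT pseudo-RR type (RFC 6891)
TXID = 0x1234   # constructed transaction id used by the samples below


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_edns_query(zone, qtype=DNSKEY, bufsize=512, do=True, txid=TXID):
    """Query equivalent to: dig +norec +noad +edns +dnssec +bufsize=512 dnskey zone.

    Header flags are zero (RD and AD clear). The only additional record is an
    OPT RR: CLASS carries the UDP payload size, TTL packs ext-rcode | version | flags.
    """
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)
    question = encode_name(zone) + struct.pack("!HH", qtype, 1)
    opt_ttl = 0x8000 if do else 0          # ext-rcode 0, version 0, DO=1
    opt = b"\x00" + struct.pack("!HHIH", OPT, bufsize, opt_ttl, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length


def check_response(msg, txid=TXID):
    """Apply the test's expectations: NOERROR and an OPT RR with version 0."""
    result = {"verdict": "malformed", "rcode": None, "opt_version": None}
    try:
        rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4  # QTYPE + QCLASS
        opt_version, ext_rcode = None, 0
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == OPT:
                ext_rcode = ttl >> 24
                opt_version = (ttl >> 16) & 0xFF
    except (struct.error, IndexError):
        return result
    rcode = (ext_rcode << 4) | (flags & 0x0F)   # full 12-bit RCODE
    result.update(rcode=rcode, opt_version=opt_version)
    if rid != txid or not flags & 0x8000:
        result["verdict"] = "not-a-reply"
    elif rcode != 0:
        result["verdict"] = "rcode-%d" % rcode
    elif opt_version is None:
        result["verdict"] = "no-opt"
    elif opt_version != 0:
        result["verdict"] = "opt-version-%d" % opt_version
    else:
        result["verdict"] = "ok"
    return result


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def probe_edns_tcp(server, zone, timeout=5.0):
    """Send the query over TCP (2-byte length prefix, RFC 5966) and map socket
    failures onto ednscomp-style codes: 'reset' for a TCP RST, 'timeout' otherwise."""
    query = build_edns_query(zone)
    failed = {"rcode": None, "opt_version": None}
    try:
        with socket.create_connection((server, 53), timeout=timeout) as sock:
            sock.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(sock, 2))
            return check_response(_recv_exact(sock, length))
    except ConnectionResetError:
        return dict(failed, verdict="reset")
    except (socket.timeout, TimeoutError):
        return dict(failed, verdict="timeout")
    except ConnectionError as exc:
        return dict(failed, verdict="closed: %s" % exc)


def _reply(flags, opt_ttl=0x8000, with_opt=True):
    """Constructed reply to build_edns_query('example.com') for offline checks."""
    hdr = struct.pack("!HHHHHH", TXID, flags, 1, 0, 0, 1 if with_opt else 0)
    q = encode_name("example.com") + struct.pack("!HH", DNSKEY, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 1452, opt_ttl, 0) if with_opt else b""
    return hdr + q + opt


SAMPLE_OK = _reply(0x8000)                           # QR=1, NOERROR, OPT version 0
SAMPLE_BADVERS = _reply(0x8000, opt_ttl=0x00018000)  # OPT version 1
SAMPLE_FORMERR = _reply(0x8001, with_opt=False)      # FORMERR, no OPT record

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("badvers", SAMPLE_BADVERS),
                         ("formerr", SAMPLE_FORMERR)]:
        print(name, check_response(sample))
    # Live check against your own authoritative server (needs network access):
    # print(probe_edns_tcp("<server-ip>", "<your-zone>"))
```

Running `probe_edns_tcp` from several vantage points, as the commenter did, separates a server that genuinely resets TCP/EDNS queries (`reset`) from one whose TCP path is merely unreliable (`timeout`, `closed`); only the first matches what the edns@512tcp test reports, and both are things to raise with the authoritative DNS host rather than fix in zone data.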