Hi,
When doing some investigation for the upcoming DNS Flag Day (https://dnsflagday.net: February 1st 2019) I got some bad news from one of the service providers: they use Juniper SRX firewalls, and claim that they can't properly support EDNS because of a bug in their SRX firewalls. This seems outrageous to me. Is this just because they haven't upgraded their JunOS for years, they're running ancient DNS server software, or is there really a problem?
I didn't get any more information from them, just "it's because of Juniper". An example test can be seen here: https://ednscomp.isc.org/ednscomp/704c5b6649:
> Checking: 'computel.nl' as at 2019-01-25T11:05:00Z
>
> computel.nl. @83.137.17.10 (ns2.computel.nl.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=timeout
> computel.nl. @2001:4038:0:17::10 (ns2.computel.nl.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=timeout
>
> computel.nl. @83.137.20.153 (ns3.computel-standby.eu.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,nsid (ns3.computel-standby.eu)
> computel.nl. @2001:4038:0:21::153 (ns3.computel-standby.eu.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,nsid (ns3.computel-standby.eu)
>
> computel.nl. @83.137.20.10 (ns1.computel.nl.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=timeout
> computel.nl. @2001:4038:0:20::10 (ns1.computel.nl.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=timeout
I am wondering what's going on here, and whether there is really a bug in JunOS on SRX or whether it's just "easiest to blame the firewall"...
Cheers!
Sander
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
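The pattern in the quoted report (dns=ok, edns=ok, but every check that sends EDNS version 1 or an unknown option times out instead of returning BADVERS or FORMERR) is something anyone can reproduce without relying on ednscomp. The following is an added example, not code from the original post, from ISC or from Juniper: a minimal EDNS probe that builds a plain query, an EDNS0 query and an EDNS version-1 query by hand, and classifies the reply the way ednscomp labels its columns. A server that implements RFC 6891 answers the version-1 query with BADVERS (extended RCODE 16) and an OPT RR saying version 0; a silent timeout while the EDNS0 query succeeds means something on the path is dropping rather than rejecting the packet. The addresses in the `__main__` block are the ones from the quoted report and are only there as usage; run the probe from inside and outside the SRX to localize where the query disappears.

```python
"""Minimal EDNS compliance probe in the spirit of ISC's ednscomp checks.

Added example, not from the original post, ISC or Juniper. Builds DNS
queries by hand (plain, EDNS0, EDNS version 1), sends them over UDP and
classifies the reply: "ok", "timeout", "noopt" or the unexpected rcode.
"""
import random
import socket
import struct

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels plus root terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, edns_version=None, udp_size=4096, options=()):
    """Build a DNS query. With edns_version set, append an OPT RR carrying that
    EDNS version and the given (code, data) options in its RDATA."""
    txid = random.randrange(0, 1 << 16)
    arcount = 0 if edns_version is None else 1
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack(">HH", qtype, CLASS_IN)
    opt = b""
    if edns_version is not None:
        rdata = b"".join(struct.pack(">HH", code, len(d)) + d for code, d in options)
        # OPT RR: root owner, TYPE=41, CLASS=UDP payload size,
        # TTL = extended-rcode(8) | version(8) | flags(16)
        ttl = (edns_version & 0xFF) << 16
        opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, udp_size, ttl, len(rdata)) + rdata
    return txid, header + question + opt


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Return (rcode with EDNS extended bits folded in, OPT version or None)."""
    _txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    rcode, version, off = flags & 0xF, None, 12
    for _ in range(qd):
        off = skip_name(data, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            version = (ttl >> 16) & 0xFF
            rcode |= ((ttl >> 24) & 0xFF) << 4   # extended RCODE; BADVERS is 16
    return rcode, version


def classify(test, response):
    """Map a raw reply (None for no reply) to an ednscomp-style verdict."""
    if response is None:
        return "timeout"
    rcode, version = parse_response(response)
    if test == "edns1":
        # RFC 6891: an unsupported version gets BADVERS and an OPT RR with version 0
        if rcode == 16 and version == 0:
            return "ok"
        return "rcode=%d,version=%s" % (rcode, version)
    if test == "edns" and version is None:
        return "noopt"          # answered, but the OPT RR was stripped on the way
    return "ok" if rcode == 0 else "rcode=%d" % rcode


def probe(server, name, test, timeout=2.0):
    """Send one query over UDP (network I/O; assumes the server is reachable)."""
    edns_version = {"dns": None, "edns": 0, "edns1": 1}[test]
    txid, query = build_query(name, edns_version=edns_version)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return classify(test, None)
    if struct.unpack(">H", data[:2])[0] != txid:
        return "badid"          # reply does not match our transaction id
    return classify(test, data)


if __name__ == "__main__":
    # Addresses taken from the ednscomp report quoted above; usage only.
    for server in ("83.137.20.10", "83.137.20.153"):
        for t in ("dns", "edns", "edns1"):
            print(server, t, probe(server, "computel.nl", t))
```

A result of `edns1 timeout` from inside the firewall but `edns1 ok` from a host in front of the name server points at the middlebox; the same timeout from both sides points at the name server itself. Adding an `options=((65001, b"x"),)` argument to `build_query` reproduces the `optlist`/`edns1opt` columns with an unknown option code.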