EDNS RRs

W.C.A. Wijngaards wouter at nlnetlabs.nl
Fri Nov 20 09:11:32 UTC 2015


Hi Ian,

On 11/19/2015 09:47 PM, Ian Cohee via Unbound-users wrote:
> Hello all,
> 
> One of our engineers discovered some interesting behavior while
> testing bad EDNS RRs in Unbound. He discovered that Unbound
> properly checks and identifies a truncated OPT RR as a FORMERR, but
> then returns the truncated OPT RR, resulting in a malformed
> response to a malformed request. I have attached a PCAP file that
> should contain the malformed requests/responses.

There is a fix now, unbound will remove the EDNS section from that reply.

This may cause the sender to think the server does not support EDNS
and then drop EDNS from its queries - and that is exactly right
because its EDNS contents cannot be parsed.

Best regards, Wouter

> 
> Has anyone observed this behavior, and if so, had issues from it?
> 
> I'd also like to hear some opinions about this behavior.
> 
> Thanks,
> 

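
The behaviour discussed in this thread (answer FORMERR to a query whose OPT RR is truncated, and leave the EDNS section out of that reply), as an added C example. It is not Unbound's code and not part of the original message; the names `skip_name`, `check_edns` and `formerr_reply` are hypothetical, and normal resolution of well-formed queries is not shown.

```c
#include <stdint.h>
#include <string.h>

enum { HDR_LEN = 12, RR_FIXED = 10, TYPE_OPT = 41, RCODE_FORMERR = 1 };
static unsigned rd16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Offset just past the name at off, or 0 if it is malformed or overruns. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off) {
    for (; off < len; off += 1u + m[off]) {
        if (m[off] == 0) return off + 1;   /* root label ends the name */
        if (m[off] > 63) return (m[off] >= 0xC0 && off + 2 <= len) ? off + 2 : 0;
    }
    return 0;
}

/* 1: complete OPT seen, 0: no OPT, -1: malformed; *qend = end of questions. */
int check_edns(const uint8_t *m, size_t len, size_t *qend) {
    size_t off = HDR_LEN;
    int opt = 0;
    if (len < HDR_LEN) return -1;
    for (unsigned i = rd16(m + 4); i > 0; i--) {         /* QDCOUNT questions */
        off = skip_name(m, len, off);
        if (off == 0 || off + 4 > len) return -1;
        off += 4;                                        /* QTYPE + QCLASS */
    }
    *qend = off;
    for (unsigned i = rd16(m + 6) + rd16(m + 8) + rd16(m + 10); i > 0; i--) {
        off = skip_name(m, len, off);
        if (off == 0 || off + RR_FIXED > len) return -1; /* RR header cut short */
        unsigned rdlen = rd16(m + off + 8);
        if (rdlen > len - off - RR_FIXED) return -1;     /* RDATA past packet end */
        if (rd16(m + off) == TYPE_OPT) opt = 1;
        off += RR_FIXED + rdlen;
    }
    return opt;
}

/* FORMERR reply without EDNS; 0 if the query parsed or out is too small. */
size_t formerr_reply(const uint8_t *q, size_t qlen, uint8_t *out, size_t cap) {
    size_t qend = 0;
    if (qlen < HDR_LEN || check_edns(q, qlen, &qend) >= 0) return 0;
    size_t n = qend ? qend : HDR_LEN;        /* header, plus question if it parsed */
    if (cap < n) return 0;
    memcpy(out, q, n);
    out[2] = (uint8_t)(0x80 | (q[2] & 0x79)); /* QR=1, keep opcode and RD */
    out[3] = RCODE_FORMERR;
    if (!qend) out[4] = out[5] = 0;           /* question unparseable: QDCOUNT=0 */
    memset(out + 6, 0, 6);                    /* AN/NS/ARCOUNT=0: OPT is not echoed */
    return n;
}
```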


