-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EDNS0 header should not be copied to response as it arrived #6188
Comments
Copying unknown options violates this section of RFC 6891.
The intent is to allow EDNS options to be deployed by either the server or the client without prior agreement. It also means that an unknown EDNS option does not cause FORMERR or NOTIMP or REFUSED or BADVERS or no response. |
I notice this while experimenting with the https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing tool. I'll also explicitly point out, that it's the I've been trying to understand some of the comments in #2357 for context of this change, and I'm struggling to understand the motivation of copying back the query's OPTs (minus bufsize and DO). I see it helped with testing (here it's checking the response, but it should be checking the request). I do see there was some confusion whether CoreDNS is a "middlebox". And I think this might of fueled this interpretation. Seems like the consensus is that CoreDNS isn't a middlebox and OPT should be hop-by-hop as @pemensik is advocating for here. It's possible the "understand" terminology was misinterpreted: in fc667b9:
"Understand" seems a bit like a strong word here. It looks like we just hard coded in specific EDNS0 options that we want to copy from request to response, but we potentially do nothing useful with them, nor provide back valuable data using them (minus nsid plugin). Please let me know if I am missing any key information about this design decision. I am WIP on #6415. |
The EDNS bufsize MUST NOT be copied from the request. It tells the client the server's receive buffer size. Set it to an appropriate value for your server. The DO bit is copied if your support RFC 4034 and RFC 4035 as that is where the copying is specified. |
What happened:
What you expected to happen:
How to reproduce it (as minimally and precisely as possible):
dig +ednsopt=NSID:6578616d706c65 @localhost -p 3053
- send query with EDNS0 extensiondig +ednsopt=NSID @localhost
should not result in empty but present NSID.Anything else we need to know?:
dig +ednsopt=NSID @8.8.8.8
Environment:
The text was updated successfully, but these errors were encountered: