Maintained by: NLnet Labs

edns client subnet fallback or blacklisting?

Dan McCombs
Tue Jan 2 21:14:48 CET 2018


Hello,

I've come across an authoritative that responds with BADVERS when edns
client subnet is sent in a query to it, for example it can only be
queried with dig if edns is turned off and no subnet is set:

fails:

dig www.tsp.gov @ns2.tsp.gov

; <<>> DiG 9.11.2 <<>> www.tsp.gov @ns2.tsp.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 44363
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; Query time: 18 msec
;; SERVER: 74.113.204.34#53(74.113.204.34)
;; WHEN: Tue Jan 02 15:09

fails:

dig +noedns www.tsp.gov @ns2.tsp.gov +subnet=162.88.100.192

; <<>> DiG 9.11.2 <<>> +noedns www.tsp.gov @ns2.tsp.gov
+subnet=162.88.100.192
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 60645
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; Query time: 19 msec
;; SERVER: 74.113.204.34#53(74.113.204.34)
;; WHEN: Tue Jan 02 15:10:21 EST 2018
;; MSG SIZE  rcvd: 23

works:

dig +noedns www.tsp.gov @ns2.tsp.gov

; <<>> DiG 9.11.2 <<>> +noedns www.tsp.gov @ns2.tsp.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50317
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.tsp.gov.                   IN      A

;; ANSWER SECTION:
www.tsp.gov.            900     IN      A       74.113.204.129

;; AUTHORITY SECTION:
tsp.gov.                900     IN      NS      ns1.tsp.gov.
tsp.gov.                900     IN      NS      ns2.tsp.gov.

;; ADDITIONAL SECTION:
ns1.tsp.gov.            900     IN      A       74.113.206.34
ns2.tsp.gov.            900     IN      A       74.113.204.34

;; Query time: 19 msec
;; SERVER: 74.113.204.34#53(74.113.204.34)
;; WHEN: Tue Jan 02 15:10:38 EST 2018
;; MSG SIZE  rcvd: 113


When I query this host through an Unbound resolver with edns client
subnet enabled for 0.0.0.0, it returns a SERVFAIL. Removing
send-client-subnet from Unbound's config allows it to resolve.

Is there any config I'm missing to allow Unbound to fall back to querying
without edns client subnet if a query with it fails? Or is there a way
to blacklist just those authoritatives without having to whitelist all
other subnets?

Thanks,

-Dan
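The three dig runs above differ only in whether an OPT record, and within it an EDNS Client Subnet (ECS, RFC 7871) option, is attached to the query, and the BADVERS result is only visible in the extended RCODE byte of the OPT record the server sends back (the 4-bit header RCODE is 0; the reply is 23 bytes, which is a bare header plus an empty OPT). The script below is an added example, not part of the original post or of Unbound, that builds such queries with the standard library only and decodes the extended RCODE so BADVERS is reported as such. The two sample responses are constructed inline to match the dig output (flags, counts, TTL and the 74.113.204.129 answer); the /24 prefix length and the 4096 UDP size are assumptions for illustration, and `probe()` is the only part that touches the network.

```python
"""Probe how an authoritative server handles EDNS / EDNS Client Subnet.

Builds a DNS A query with an optional OPT RR carrying an ECS option
(RFC 7871) and decodes the reply's RCODE including the OPT extended
RCODE, so that BADVERS (16) is distinguished from the header's 4 bits.
Added example; not code from the post or from Unbound.
"""
import ipaddress
import socket
import struct

OPT_TYPE = 41
ECS_OPTION_CODE = 8
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          5: "REFUSED", 16: "BADVERS"}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_ecs_option(subnet):
    """EDNS option: code 8, family, source prefix, scope 0, truncated address."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]
    data = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def build_query(qname, txid=0x1234, edns=True, subnet=None, udp_size=4096):
    """A/IN query with RD set; OPT RR in the additional section when edns=True."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    pkt = header + encode_name(qname) + struct.pack("!HH", 1, 1)
    if edns:
        rdata = build_ecs_option(subnet) if subnet else b""
        # OPT: root name, type 41, class = UDP size, TTL = ext-rcode/version/flags
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(rdata)) + rdata
    return pkt


def _skip_name(pkt, off):
    """Advance past a wire-format name, honouring compression pointers."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def decode_rcode(pkt):
    """Return (rcode name, ANCOUNT); header RCODE OR'ed with OPT extended RCODE << 4."""
    _txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # QTYPE + QCLASS
    ext = 0
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == OPT_TYPE:
            ext = (ttl >> 24) & 0xFF           # upper 8 bits of the 12-bit RCODE
        off += rdlen
    rcode = (flags & 0x0F) | (ext << 4)
    return RCODES.get(rcode, str(rcode)), an


def probe(server, qname, edns=True, subnet=None, timeout=3.0):
    """Send one UDP query and decode the reply (network access)."""
    query = build_query(qname, edns=edns, subnet=subnet)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    return decode_rcode(reply)


# Constructed sample replies mirroring the dig output above (not captured bytes).
def constructed_badvers(txid=44363):
    # flags qr rd ad (0x8120), header RCODE 0, no question, one empty OPT
    header = struct.pack("!HHHHHH", txid, 0x8120, 0, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 1 << 24, 0)  # ext RCODE 1 -> 16
    return header + opt


def constructed_noerror(txid=50317):
    # flags qr aa rd (0x8500); answer name is a pointer to the question name at offset 12
    header = struct.pack("!HHHHHH", txid, 0x8500, 1, 1, 0, 0)
    question = encode_name("www.tsp.gov") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 900, 4) \
        + ipaddress.IPv4Address("74.113.204.129").packed
    return header + question + answer


if __name__ == "__main__":
    print("constructed BADVERS reply:", decode_rcode(constructed_badvers()))
    print("constructed NOERROR reply:", decode_rcode(constructed_noerror()))
    # Live checks (network): probe("74.113.204.34", "www.tsp.gov", edns=False),
    # probe(..., edns=True), probe(..., edns=True, subnet="162.88.100.192/24")
```

Running the three `probe()` variants against an authoritative gives the same NOERROR/BADVERS split dig shows, which is the check to run before deciding which servers to list under Unbound's `send-client-subnet` (that option names the authorities that receive ECS; servers not listed do not get the option).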