Re: DNS Services for a registrar

[Mark Andrews <marka () isc org>]

Route 53 have IPv6 now handled out of the .co.uk zones though they
still don't do EDNS.  Azure also mishandles EDNS.

Route 53 returns plain DNS responses when presented with a EDNS(1)
query.  This breaks validating EDNS(1) clients getting answers from
a signed zone.

Azure echoes back unknown EDNS options and returns NOERROR NODATA
to EDNS(1) queries.  This breaks EDNS(1) clients regardless of
whether the data is coming from a signed zone or not.  It also
potentially breaks any client using a EDNS options regardless of
the version of EDNS they have in the query.  It is server misbehaviour
like this that requires clients to whitelist ECS servers.  If a DNS
COOKIE client is picky it will also break them.

EDNS(0) specified how to handle EDNS(1) queries when you only support
EDNS(0) back in 1999.  It isn't hard to get it right.  It also isn't
hard to test.

Mark

harveynorman.com.au. @64.4.48.5 (ns2-05.azure-dns.net.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=echoed 
edns1opt=status do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
harveynorman.com.au. @13.107.24.5 (ns3-05.azure-dns.org.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=echoed 
edns1opt=status do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
harveynorman.com.au. @40.90.4.5 (ns1-05.azure-dns.com.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=echoed 
edns1opt=status do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
harveynorman.com.au. @13.107.160.5 (ns4-05.azure-dns.info.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=ok 
edns1opt=status do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok

energeticsinstitute.com.au. @205.251.195.234 (ns-1002.awsdns-61.net.): dns=ok edns=ok edns1=status,noopt,soa 
edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
energeticsinstitute.com.au. @205.251.197.70 (ns-1350.awsdns-40.org.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok 
ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
energeticsinstitute.com.au. @205.251.192.97 (ns-97.awsdns-12.com.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok 
ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
energeticsinstitute.com.au. @205.251.198.160 (ns-1696.awsdns-20.co.uk.): dns=ok edns=ok edns1=status,noopt,soa 
edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
energeticsinstitute.com.au. @2600:9000:5306:a000::1 (ns-1696.awsdns-20.co.uk.): dns=ok edns=ok edns1=status,noopt,soa 
edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok

Mark

In message <BLUPR05MB595CEB3D1F875F1D20D7889B4A00 () BLUPR05MB595 namprd05 prod ou
tlook.com>, Ryan Finnesey writes:
> Thanks everyone for their response.  We are going to use the Azure Zone
> Service.
>
> Cheers
> Ryan
>
>
> From: Matthieu Michaud mailto:matthieu () nxdomain fr
> Sent: Friday, August 12, 2016 1:34 PM
> To: Ryan Finnesey <ryan () finnesey com>
> Cc: nanog () nanog org
> Subject: Re: DNS Services for a registrar
>
> Hi,
>
> I have been very happy with route53 while lack of IPv6 support was not an
> issue for the use case.
>
> Did you evaluate CloudFlare in PaaS solution ?
> Their free plan includes DNS.
>
> Best regards,
>
>
> On Fri, Aug 12, 2016 at 7:56 AM, Ryan Finnesey
> <ryan () finnesey com<mailto:ryan () finnesey com>> wrote:
> We need to provide DNS services for domains we offer as a registrar.  We
> were discussing internally the different options for the deployment.
> Does anyone see a down side to using IaaS on AWS and Azure?
>
> We were also kicking around the idea of a PaaS offering and using Azure
> DNS or AWS Route 53.
>
> Cheers
> Ryan
>
>
>
> --
> Matthieu MICHAUD

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org