It looks like DNS flag day has cleaned out a lot of broken DNS implementations and firewalls[1], but there are still holdouts running non-compliant code / firewalls[2] (AWS are in the process of fixing their servers). The reports show the servers that are sitting behind out-of-date firewalls from Juniper and Checkpoint, as the old code has distinctive drop patterns. Both vendors no longer drop well-formed EDNS packets by default, i.e. they pass all specified EDNS options as well as unknown EDNS versions, EDNS flags, and EDNS options. If you are not sure if your DNS servers and firewalls are compliant you can test them at https://ednscomp.isc.org.
[1] https://ednscomp.isc.org/compliance/ts/au-graphs.html
[2] https://ednscomp.isc.org/compliance/au-report.html

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: ma...@isc.org

_______________________________________________
AusNOG mailing list
AusNOG@lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
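The three probes the post mentions (unknown EDNS version, unknown EDNS flags, unknown EDNS option) can be reproduced locally against your own authoritative servers. The script below is an added example written for this thread; it is not Mark Andrews' code and not ISC's ednscomp tool, and it does not try to reproduce ednscomp's full test set. It builds the probe queries in wire format with the standard library only, parses the reply's OPT record, and classifies the outcome: a compliant server answers BADVERS to an unknown version, and NOERROR without echoing unknown flags or options. A timeout is reported separately because a silent drop is exactly the firewall pattern the post describes. The probe values (EDNS version 1, flag bit 0x0040, option code 65001 from the private range) and the sample replies used to check the classifier are constructed for the example.

```python
import socket
import struct

# Added example for the AusNOG thread; not ISC's ednscomp code. Builds EDNS
# probe queries, parses the reply's OPT RR and classifies the result.
BADVERS = 16            # extended RCODE carried in the OPT record
UNKNOWN_VERSION = 1     # constructed probe value: no server implements EDNS version 1
UNKNOWN_FLAG = 0x0040   # constructed probe value: EDNS flag bit with no assigned meaning
UNKNOWN_OPTION = 65001  # constructed probe value: option code from the private-use range


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_message(qname, *, txid=0x1234, header_flags=0x0100, edns_version=0,
                  edns_flags=0, options=(), ext_rcode=0, answers=(), udp_size=1232):
    """DNS message with one SOA question, optional raw answer RRs and one OPT RR."""
    header = struct.pack(">HHHHHH", txid, header_flags, 1, len(answers), 0, 1)
    question = encode_name(qname) + struct.pack(">HH", 6, 1)  # QTYPE SOA, QCLASS IN
    rdata = b"".join(struct.pack(">HH", code, len(data)) + data
                     for code, data in options)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended RCODE (8 bits) | EDNS version (8 bits) | EDNS flags (16 bits)
    opt = b"\x00" + struct.pack(">HHBBHH", 41, udp_size, ext_rcode,
                                edns_version, edns_flags, len(rdata)) + rdata
    return header + question + b"".join(answers) + opt


def skip_name(msg, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer terminates the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_response(msg):
    """Return the EDNS fields of a reply, or None if the reply carries no OPT RR."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 41:
            codes, o = [], off
            while o < off + rdlen:             # walk the option list
                code, olen = struct.unpack(">HH", msg[o:o + 4])
                codes.append(code)
                o += 4 + olen
            return {"rcode": ((ttl >> 24) << 4) | (flags & 0xF),
                    "edns_version": (ttl >> 16) & 0xFF,
                    "edns_flags": ttl & 0xFFFF, "options": codes}
        off += rdlen
    return None


def classify(probe, reply):
    """probe is 'version', 'flags' or 'option'; reply is bytes, or None on timeout."""
    if reply is None:
        return "timeout"        # the silent drop pattern seen behind old firewalls
    r = parse_response(reply)
    if r is None:
        return "no-opt"         # EDNS stripped from the reply
    if probe == "version":      # unknown version must be answered with BADVERS, version 0
        return "ok" if r["rcode"] == BADVERS and r["edns_version"] == 0 else "wrong-rcode"
    if r["rcode"] != 0:
        return "wrong-rcode"
    if probe == "flags" and r["edns_flags"] & UNKNOWN_FLAG:
        return "echoed-flag"    # unknown flags must not be copied into the reply
    if probe == "option" and UNKNOWN_OPTION in r["options"]:
        return "echoed-option"  # unknown options must not be copied into the reply
    return "ok"


PROBES = {
    "version": dict(edns_version=UNKNOWN_VERSION),
    "flags": dict(edns_flags=UNKNOWN_FLAG),
    "option": dict(options=[(UNKNOWN_OPTION, b"\x00\x01")]),
}


def probe_server(server, zone, timeout=2.0):
    """Send the three probes over UDP to your own server; returns {probe: result}."""
    results = {}
    for name, kwargs in PROBES.items():
        query = build_message(zone, **kwargs)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            try:
                reply, _ = s.recvfrom(4096)
            except socket.timeout:
                reply = None
        results[name] = classify(name, reply)
    return results


if __name__ == "__main__":
    import sys
    print(probe_server(sys.argv[1], sys.argv[2]))   # e.g. ns1.example.net example.net
```

Run it against a server you operate, passing the server address and a zone it is authoritative for. A "timeout" on the version or flags probe while a plain query answers is the signature to look for in front of the Juniper and Checkpoint firewalls the post mentions; "wrong-rcode" on the version probe points at the name server software itself rather than a middlebox.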