ECN, DNS and Firewalls

There are major operators that still have STUPID firewall settings
in front of DNS servers that drop SYN packets with ECE and CWR set
17 years after ECN was specified.

Do you really want to add a second to EVERY DNS lookup that needs
to use TCP? Modern OSes actually attempt to use ECN by default. DNS
is time critical enough without introducing unnecessary delays.

If you have signed zones then TCP requests are almost certainly being
made to your servers.

EVERYONE TEST YOUR SERVERS FROM OUTSIDE YOUR NETWORK AND FIX THE BROKEN
FIREWALLS THAT ARE FOUND.

Time to name-n-shame?

Not yet. Let people test and fix their firewalls first.

A test machine should be sending [SEW] and getting back
[S.E] or [S.] in the TCP flags using tcpdump depending
upon whether the DNS server’s TCP stack supports ECN or not.

e.g.

11:35:50.335713 IP6 2001:470:a001:3:f1f2:b12d:4b18:d934.50670 > 2001:7fe::53.53: Flags [SEW], seq 3764146938, win 65535, options [mss 1220,nop,wscale 5,nop,nop,TS val 522561237 ecr 0,sackOK,eol], length 0
11:35:50.745472 IP6 2001:7fe::53.53 > 2001:470:a001:3:f1f2:b12d:4b18:d934.50670: Flags [S.E], seq 1542147586, ack 3764146939, win 14280, options [mss 1440,sackOK,TS val 1392826170 ecr 522561237,nop,wscale 7], length 0

or

11:40:35.360655 IP6 2001:470:a001:3:f1f2:b12d:4b18:d934.50697 > 2001:502:8cc::30.53: Flags [SEW], seq 81498720, win 65535, options [mss 1220,nop,wscale 5,nop,nop,TS val 522845405 ecr 0,sackOK,eol], length 0
11:40:35.589420 IP6 2001:502:8cc::30.53 > 2001:470:a001:3:f1f2:b12d:4b18:d934.50697: Flags [S.], seq 987294478, ack 81498721, win 1220, options [mss 1220], length 0

Mark
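As an added example (not part of Mark's post), here is a small Python script that reads tcpdump output of the kind quoted above and, for each server probed with an ECN-setup SYN [SEW], reports whether a SYN-ACK with ECE ([S.E]), a plain SYN-ACK ([S.]) or nothing at all came back. The two real exchanges are the ones from the post (trimmed after the window field); the third server, 2001:db8::53, is a constructed documentation-prefix address whose SYN never gets a reply.

```python
import re

# Matches the fields we need from a tcpdump TCP line (IPv4 "IP" or IPv6 "IP6"):
#   <time> IP6 <src>.<sport> > <dst>.<dport>: Flags [<flags>], ...
LINE_RE = re.compile(
    r"^\S+\s+IP6?\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)

# The first two exchanges are the ones quoted in the post (options trimmed);
# the third (2001:db8::53) is constructed: its ECN-setup SYN gets no reply.
SAMPLE = """\
11:35:50.335713 IP6 2001:470:a001:3:f1f2:b12d:4b18:d934.50670 > 2001:7fe::53.53: Flags [SEW], seq 3764146938, win 65535, length 0
11:35:50.745472 IP6 2001:7fe::53.53 > 2001:470:a001:3:f1f2:b12d:4b18:d934.50670: Flags [S.E], seq 1542147586, ack 3764146939, win 14280, length 0
11:40:35.360655 IP6 2001:470:a001:3:f1f2:b12d:4b18:d934.50697 > 2001:502:8cc::30.53: Flags [SEW], seq 81498720, win 65535, length 0
11:40:35.589420 IP6 2001:502:8cc::30.53 > 2001:470:a001:3:f1f2:b12d:4b18:d934.50697: Flags [S.], seq 987294478, ack 81498721, win 1220, length 0
11:45:01.000000 IP6 2001:470:a001:3:f1f2:b12d:4b18:d934.50710 > 2001:db8::53.53: Flags [SEW], seq 1, win 65535, length 0
"""

NO_REPLY = "no SYN-ACK seen: ECN-setup SYN likely dropped by a firewall"

def classify_ecn(capture):
    """Map each server contacted with an ECN-setup SYN [SEW] to a verdict."""
    verdicts = {}
    pending = {}  # (client, client_port, server) -> True while a SYN awaits its SYN-ACK
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP line we understand
        flags = m["flags"]
        if flags == "SEW":  # SYN with ECE+CWR set: the client is asking for ECN
            pending[(m["src"], m["sport"], m["dst"])] = True
            verdicts.setdefault(m["dst"], NO_REPLY)
        elif flags in ("S.E", "S."):  # SYN-ACK, with or without ECE
            key = (m["dst"], m["dport"], m["src"])
            if pending.pop(key, None):
                verdicts[m["src"]] = ("ECN negotiated" if flags == "S.E"
                                      else "reachable, server stack does not use ECN")
    return verdicts

if __name__ == "__main__":
    for server, verdict in classify_ecn(SAMPLE).items():
        print(f"{server}: {verdict}")
```

A single missing SYN-ACK can also be plain packet loss, so probe each server more than once before concluding its firewall drops ECN-setup SYNs, and run the probe from outside your own network as the post recommends.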