List: bind-users
Subject: Re: DNS Flag Day - options for EDNS behavior control before then ?
From: Mark Andrews <marka () isc ! org>
Date: 2018-12-19 20:03:55
Message-ID: 40B30A4A-E392-434E-978F-DF634A3362A6 () isc ! org
Correct, there are no knobs in 9.13/9.14 for automatic fallback.
Apart from a few very old Microsoft Windows DNS servers that don't respond consistently to EDNS queries (they respond with FORMERR to the first query then don't respond for a while to subsequent EDNS queries) there aren't many servers that don't answer EDNS queries any more. That said there is still a single TLD server that doesn't respond to EDNS queries at all.
server <prefix> { edns no; };
More likely you will strike a server that doesn't respond to queries with DNS COOKIE options present and you will want to turn off sending that option. This can be tested for with "dig +nocookie".
server <prefix> { send-cookie no; };
Most of the problems are with stupid firewall defaults. The firewall vendors want to be seen to be doing "something" with DNS and to hell with planned incremental deployment and interoperability. STD 13 said what nameservers should do with unknown flags in the DNS header (ignore) and other changes (return FORMERR). EDNS says to ignore unknown EDNS flags and options and to return BADVERS with the currently supported EDNS version for unsupported EDNS versions in requests. These behaviours allow clients to be updated without having to update servers. Firewalls that drop queries aren't doing anyone a service. All they do is break interoperability.
Mark
> On 20 Dec 2018, at 6:39 am, Brandon Applegate <brandon@burn.net> wrote:
>
> Hello,
>
> I did some searching on the ML archives and didn't see what I'm trying to ask.
>
> Is there anything (i.e. a config knob) in any current version of BIND that allows one to control this ?
> My understanding is that on (around ?) the DNS Flag Day of 2/1/19 - BIND won't retry (with EDNS disabled) non-answered EDNS queries - rather it will consider them failures ?
> I see that as of now there is this knob:
>
> --
> server a.b.c.d {
> edns no;
> };
> --
>
> But I'm talking about the behavior described in the DNS Flag day materials. Is that simply going to be changed in code sometime around/on 2/1/19 ?
> --
> Brandon Applegate - CCIE 10273
> PGP Key fingerprint:
> 0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A
> "For thousands of years men dreamed of pacts with demons.
> Only now are such things possible."
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
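The two-probe test Mark describes (a normal EDNS query, then one with "dig +nocookie") mapped onto the server clause that works around the result, as an added example that is not from this thread or from BIND itself. It parses constructed replies offline rather than sending queries, treats a missing reply as a timeout, and leaves `<prefix>` as a placeholder for the server's address.

```python
import struct

FORMERR, BADVERS = 1, 16   # RCODEs; BADVERS only exists as an OPT extended RCODE
OPT = 41                   # RR type of the EDNS OPT pseudo-record

def build_response(qid, rcode, opt_version=None, ext_rcode=0):
    """Constructed sample reply: QR set, one question (example.com A), optional OPT RR."""
    flags = 0x8000 | (rcode & 0xF)
    arcount = 0 if opt_version is None else 1
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, arcount)
    msg += b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    if opt_version is not None:
        ttl = (ext_rcode << 24) | (opt_version << 16)   # OPT TTL: ext-rcode, version, flags
        msg += b"\x00" + struct.pack("!HHIH", OPT, 4096, ttl, 0)
    return msg

def _skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer terminates the name
            return off + 2
        off += n + 1

def parse_rcode(msg):
    """Return (rcode, edns_version); rcode includes the OPT extended bits, version is None without OPT."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    rcode = struct.unpack("!H", msg[2:4])[0] & 0xF
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    version = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            rcode |= (ttl >> 24) << 4          # extended RCODE forms the upper 8 bits
            version = (ttl >> 16) & 0xFF
    return rcode, version

def diagnose(reply_with_cookie, reply_without_cookie):
    """Pick the server clause from the two probes; None stands for no reply (timeout)."""
    def ok(reply):
        return reply is not None and parse_rcode(reply)[0] not in (FORMERR, BADVERS)
    if ok(reply_with_cookie):
        return "no workaround needed"
    if ok(reply_without_cookie):           # only the COOKIE option is rejected
        return "server <prefix> { send-cookie no; };"
    return "server <prefix> { edns no; };"  # EDNS itself is rejected or dropped
```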