DNS flag day


DNS flag day

Ben Croswell
Has ISC released minimum viable BIND version for flag day?

I looked around and couldn't find anything. 

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNS flag day

Vicky Risk

On Jan 18, 2019, at 9:09 AM, Ben Croswell <[hidden email]> wrote:

Has ISC released minimum viable BIND version for flag day?

Most versions of BIND authoritative servers, going back years, are EDNS compatible. Certainly ALL currently supported versions are compatible. I see you are running 9.8, which has been EOL since September, 2014.  I think that is probably fine, as far as EDNS, however.

The change in BIND related to DNS Flag Day is removing workarounds from resolvers, that will retry without EDNS or otherwise try to proceed even when EDNS fails. This change came in the BIND 9.13 development version, and will be in BIND 9.14, which is not yet released.

The problem you are seeing is most likely firewall-related.

Vicky


Vicky Risk
Product Manager,
Internet Systems Consortium
Re: DNS flag day

Ben Croswell
I shouldn't have posted so closely to responding to the other user.

I am not running 9.8. I was replying to them about firewalls in regards to their 9.8 issues.

Was just hoping for a statement that 9.x or greater supports the needed BADVERS signaling etc.

Re: DNS flag day

Vicky Risk

On Jan 18, 2019, at 9:18 AM, Ben Croswell <[hidden email]> wrote:

I shouldn't have posted so closely to responding to the other user.

Oh, my mistake.  How is this for a definitive statement?

BIND 9 was designed to be EDNS compliant from the very beginning. All currently-supported branches of BIND 9 are EDNS-compliant. That includes 9.11, 9.12 and 9.13.  We strongly advise running a version supported by ISC or the vendor, as there could be bugs related to EDNS in earlier versions.

I realize a lot of people on bind-users are running EOL versions anyway.
We did poke around a bit here, and found we fixed some minor EDNS issue with change #3949 in 2014. That was also about the time we added dig +ednsopt. I don't know what the issue was or if it is significant, but I am sure that any version issued since 2014 would be compliant against the ednscomp tool.

 


Victoria Risk
Product Manager
Internet Systems Consortium






RE: DNS flag day

Lightner, Jeff

On checking I find that any of our domains that use Network Solutions' Worldnic.com nameservers are reporting failures when checked.

For example this result:  https://ednscomp.isc.org/ednscomp/e30c6cf0ea

Other people online have posted about Network Solutions as they also saw failures.

On calling Network Solutions today they told me they are compliant despite what was reported by https://dnsflagday.net/

This issue is with domains registered at Network Solutions and using their Advanced DNS (i.e. their Worldnic name servers). Other domains we have registered with them but pointing to other name servers (i.e. our own BIND servers) displayed as compliant.

When I sent them the links they saw what I saw but still claimed they are compliant. They refused to send me something in writing stating that, so I suggested they reach out to ISC regarding the checker's results if they believe they are compliant, but they said they don't see the need. I've asked them to escalate and they say they have, but I suspect I'll not hear back from them.

Is there a list of known EDNS-compliant registrar name servers for the larger registrars?

Is it possible the failures seen are false? If so, are there alternate EDNS compliance checkers that might show different responses than dnsflagday.net?

Re: DNS flag day

Ben Croswell
I would say we had one provider go as far as saying this whole flag day thing is a hoax. Not sure what option there is other than voting with your wallet and moving to a different provider.

May even be worth looking at 2 providers. I see DNS provider redundancy as being a huge priority after the Dyn DDoS event.

Re: DNS flag day

Warren Kumari


On Fri, Jan 18, 2019 at 2:58 PM Ben Croswell <[hidden email]> wrote:
I would say we had one provider go as far as saying this whole flag day thing is a hoax.

That's a weird stance / position. "The whole flag day thing is [stupid|overblown|annoying|confusing|on a Friday]" are all positions I can understand - not agree with (modulo the Friday one), but at least understand. 'tis a hoax is just confusing...
Flag Day has been discussed at length, and presented at multiple DNS events - it seems that a DNS provider who hasn't seen any of the presentations and recognized at least one person pushing this isn't well connected to the community, and should probably be avoided...

W
P.S: Unless they think it is simply a *very* subtle, long running, widespread hoax... and now I'm wondering if I'm the patsy here :-P


 
--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf

Re: DNS flag day

Ben Croswell
I would imagine "it's a hoax" is code for "we don't want to bother remediating."

Re: DNS flag day

Warren Kumari


On Fri, Jan 18, 2019 at 3:28 PM Ben Croswell <[hidden email]> wrote:
I would imagine "its a hoax" is code for we dont want to bother remediating.


yah, I get their "Don't want to do it" position, but "It's a hoax" seems like a poor selection from the possible excuses -- when flag day occurs it will be clear that this wasn't a hoax, being tricked simply makes you look stupid / uninformed.

Much better excuses would be along the lines of "We are planning on remediating" (and hoping the issue goes away), "We are philosophically opposed to this", "We believe that we are compliant and the testing is busticated", "This doesn't apply to us", "Nope, you misunderstood, this only needs to be mitigated by servers which process EDNS replies, and our servers don't do that." or "That's a question for the architecture team, I'll get them to call you back the week after next. Pardon? I didn't take your phone number? Oh well", or even "sorry, I'm going through a tunnel and my reception is poor... <sounds of rustling chip packet>EDNS, yes .. comp.. mitiga..<click>" :-P

W
 
Re: DNS flag day

Mark Andrews


> On 19 Jan 2019, at 6:58 am, Ben Croswell <[hidden email]> wrote:
>
> I would say we had one provider go as far as saying this whole flag day thing is a hoax. Not sure what option there is other than voting with your wallet and moving to a different provider.

You can go read the source code and see where the workarounds have been removed.
There are a number of sites that will not be resolvable without manual configuration
after flag day.  As BIND also uses DNS COOKIE, those sites that block the DNS COOKIE option
will be in the list.  Also those running old versions of Windows DNS will be problematic,
as they don't consistently respond to EDNS queries with FORMERR.  They respond *once* then
stop responding for a short while.  If there is packet loss the server becomes non-responsive.

> May even be worth looking at 2 providers. I see DNS provider redundancy as being a huge priority after the Dyn DDoS event.
>
> On Fri, Jan 18, 2019, 2:50 PM Lightner, Jeffrey <[hidden email] wrote:
> On checking I find that any of our domains that use Network Solutions’ Worldnic.com nameservers are reporting failures when checked.  
>
> For example this result:  https://ednscomp.isc.org/ednscomp/e30c6cf0ea
>
> Other people online have posted about Network Solutions as they also saw failures.

Well the answers to the test queries are *wrong*.  The servers DO NOT implement EDNS
version negotiation.  This isn’t a DNS flag day issue but a future interoperability issue.

[beetle:~/git/bind9] marka% dig brewerrepair.com. @207.204.40.143 +edns=1 +noednsne

; <<>> DiG 9.13.1+hotspot+add-prefetch+marka <<>> brewerrepair.com. @207.204.40.143 +edns=1 +noednsne
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37712
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 2800
;; QUESTION SECTION:
;brewerrepair.com. IN A

;; ANSWER SECTION:
brewerrepair.com. 7200 IN A 199.192.145.62

;; Query time: 836 msec
;; SERVER: 207.204.40.143#53(207.204.40.143)
;; WHEN: Sat Jan 19 07:48:28 AEDT 2019
;; MSG SIZE  rcvd: 61

[beetle:~/git/bind9] marka%

You should see an answer like this one from the root servers, which *do* implement EDNS fully.

[beetle:~/git/bind9] marka% dig brewerrepair.com. @a.root-servers.net +edns=1 +noednsne

; <<>> DiG 9.13.1+hotspot+add-prefetch+marka <<>> brewerrepair.com. @a.root-servers.net +edns=1 +noednsne
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 31554
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; Query time: 184 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Sat Jan 19 07:49:20 AEDT 2019
;; MSG SIZE  rcvd: 23

[beetle:~/git/bind9] marka%


> On calling Network Solutions today they told me they are compliant despite what was reported by https://dnsflagday.net/   

Well they are mistaken.

> This issue is with domains registered at Network Solutions and using their Advanced DNS (i.e. their Worldnic name servers).   Other domains we have registered with them but pointing to other name servers (i.e. our own BIND servers) displayed as compliant.  
>
> When I sent them the links they saw what I saw but still claimed they are compliant.   They refused to send me something in writing stating that so I suggested they reach out to ISC regarding the checker’s results if they believe they are compliant, but they said they don’t see the need.   I’ve asked them to escalate and they say they have but I suspect I’ll not hear back from them.
>
> Is there a list of known edns compliant Registrar name severs for the larger Registrars?    
>
> Is it possible the failures seen are false?   If so, are there alternate edns compliance checkers that might show different responses than dnsflagday.net?  
>
> From: bind-users <[hidden email]> On Behalf Of Ben Croswell
> Sent: Friday, January 18, 2019 12:19 PM
> To: [hidden email]
> Subject: Re: DNS flag day
>
> I shouldn't have posted so closely to responding to the other user.
>
> I am not running 9.8. I was replying to them about firewalls in regards to their 9.8 issues.
>
> Was just hoping for a statement of 9.x or greater supports the needed badvers signaling etc.
>
> On Fri, Jan 18, 2019, 12:15 PM Victoria Risk <[hidden email] wrote:
>
> On Jan 18, 2019, at 9:09 AM, Ben Croswell <[hidden email]> wrote:
>
> Has ISC released minimum viable BIND version for flag day?
>
> Most versions of BIND authoritative servers, going back years, are EDNS compatible. Certainly ALL currently supported versions are compatible. I see you are running 9.8, which has been EOL since September, 2014.  I think that is probably fine, as far as EDNS, however.
>
> The change in BIND related to DNS Flag Day is removing workarounds from resolvers, that will retry without EDNS or otherwise try to proceed even when EDNS fails. This change came in the BIND 9.13 development version, and will be in BIND 9.14, which is not yet released.
>
> The problem you are seeing is most likely firewall-related.
>
> Vicky
>
> I looked around and couldn't find anything.
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
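Mark's two dig runs show the test in a nutshell: a query announcing EDNS version 1 must come back as BADVERS with EDNS version 0 and no answer data, as the root server does, not as a normal NOERROR answer, as the Worldnic server does. As an added example that is not part of the original thread, this Python builds that probe in wire format and classifies a reply the same way the eye does above; the helper names are mine, and the two sample replies are constructed to match the shapes (and the 23- and 61-byte sizes) of the dig outputs rather than being real captures.

```python
import struct

BADVERS = 16       # extended RCODE "Bad OPT Version" (RFC 6891)
QUERY_ID = 0x1234  # fixed id so the constructed samples below match; randomise it on the wire

def _name(name):
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def _opt(udp_size, ext_rcode=0, version=0):
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL = ext_rcode | version | flags
    return b"\x00" + struct.pack("!HHIH", 41, udp_size, (ext_rcode << 24) | (version << 16), 0)

def build_edns_query(name, edns_version=1, udp_size=4096):
    # A query whose OPT RR announces an EDNS version no server implements yet (dig +edns=1)
    header = struct.pack("!HHHHHH", QUERY_ID, 0, 1, 0, 0, 1)
    return header + _name(name) + struct.pack("!HH", 1, 1) + _opt(udp_size, version=edns_version)

def _skip_name(pkt, off):
    while pkt[off] != 0 and pkt[off] & 0xC0 != 0xC0:
        off += 1 + pkt[off]
    return off + (2 if pkt[off] & 0xC0 == 0xC0 else 1)   # pointer is 2 bytes, root label 1

def parse_response(pkt):
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off, version, ext_rcode = 12, None, 0
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4                     # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:                                    # the OPT pseudo-RR
            ext_rcode, version = ttl >> 24, (ttl >> 16) & 0xFF
    return {"rcode": (ext_rcode << 4) | (flags & 0x0F), "edns_version": version, "ancount": an}

def classify(pkt):
    r = parse_response(pkt)
    if r["edns_version"] is None:
        return "no-edns"                 # no OPT: EDNS unsupported, or stripped by a middlebox
    if r["rcode"] == BADVERS and r["edns_version"] == 0 and r["ancount"] == 0:
        return "compliant"               # the root-server behaviour: BADVERS, version 0, no data
    if r["rcode"] == 0 and r["ancount"] > 0:
        return "no-version-negotiation"  # answered version 1 as if it were version 0
    return "unexpected-rcode-%d" % r["rcode"]

# Constructed replies shaped like the two dig outputs above (built here, not real captures)
GOOD_REPLY = struct.pack("!HHHHHH", QUERY_ID, 0x8120, 0, 0, 0, 1) + _opt(1472, ext_rcode=1)
BAD_REPLY = (struct.pack("!HHHHHH", QUERY_ID, 0x8500, 1, 1, 0, 1) + _name("brewerrepair.com")
             + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 7200, 4)
             + bytes([199, 192, 145, 62]) + _opt(2800))
```

For a live check, send build_edns_query(name) to the server over UDP port 53 and pass the reply to classify(); a server that answers "no-version-negotiation" is the case Mark describes, and "no-edns" usually points at a firewall or middlebox dropping OPT rather than at the name server itself.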