EDNS Compliance

Mark Andrews marka at isc.org
Fri Jan 18 20:42:14 UTC 2019 

This is the signature of a Juniper firewall which drops EDNS version != 0 and
packet with a NSID option present.  Dropping EDNS version != 0 just breaks
future interoperability and as already impacted of EDNS development as the
RFC 6891 would have included a EDNS version bump except for these stupid
firewalls dropping EDNS version != 0.  NSID is used to identify a server
in a anycast cluster and the information is not returned unless the operator
has configured the server to return it.  There is no need for a firewall to
drop queries with these properties.

Please file a bug report with Juniper.

Mark

> On 19 Jan 2019, at 4:02 am, N. Max Pierson <nmaxpierson at gmail.com> wrote:
> 
> Hi List,
> 
> I am trying to ensure our Bind servers comply with EDNS for the upcoming Flag Day (https://dnsflagday.net/). I am somewhat ignorant to EDNS but from what I have read, the information is somewhat conflicting as some documentation states EDNS is not a record that you configure in your zone file then other sites refer to some sort of OPT record you can configure. So my first question is which of the documentation is correct from what I have read? Is it DNS server functionality that supports EDNS or do you also have to configure something in the zone files?
> 
> Also, I have 4 (well 5 counting the master that isn't queryable) nameservers with multiple domains served on them. When I run one of my primary domains through the ISC EDNS tool, it comes back as 2 out of the 4 are failing EDNS queries.They are all on the same version of Bind (9.8.2rc1) and they are all slaves of the master so they should all have the same records. Can anyone please explain what I need to do to resolve the timeouts listed on the ISC testing tool?
> 
> Here is what the tool says ...
> 
> 
> venyu.com. @208.79.48.30 (ns4.venyu.com.): dns=ok edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=timeout 
> 
> venyu.com. @69.2.33.250 (ns1.venyu.com.): dns=ok edns=ok edns1=ok edns at 512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok 
> venyu.com. @2604:d800:12::250 (ns1.venyu.com.): dns=ok edns=ok edns1=ok edns at 512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok 
> 
> venyu.com. @69.2.63.250 (ns3.venyu.com.): dns=ok edns=ok edns1=ok edns at 512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok 
> venyu.com. @2604:d800:13::250 (ns3.venyu.com.): dns=ok edns=ok edns1=ok edns at 512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok 
> 
> venyu.com. @208.79.48.26 (ns2.venyu.com.): dns=ok edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=timeout 
> 
> 
> 
> TIA!!
> 
> Regards,
> 
> Max
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the bind-users mailing list