DNS Flag Day - options for EDNS behavior control before then ?

Mark Andrews marka at isc.org
Wed Dec 19 20:03:55 UTC 2018


Correct, there are no knobs in 9.13/9.14 for automatic fallback. 

Apart from a few very old Microsoft Windows DNS servers that don’t respond consistently to EDNS queries (they respond with FORMERR to the first query then don’t respond for a while to subsequent EDNS queries) there aren’t many servers that don’t answer EDNS queries any more.  That said there is still a single TLD server that doesn’t respond to EDNS queries at all.

	server <prefix> { edns no; };

More likely you will strike a server that doesn’t respond to queries with DNS COOKIE options present and you will want to turn off sending that option.  This can be tested for with “dig +nocookie”.

	server <prefix> { send-cookie no; };

Most of the problems are with stupid firewall defaults.  The firewall vendors want to be seen to be doing “something” with DNS and to hell with planned incremental deployment and interoperability.  STD 13 said what nameservers should do with unknown flags in the DNS header (ignore) and other changes (return FORMERR).  EDNS says to ignore unknown EDNS flags and options and to return BADVERS with the currently supported EDNS version for unsupported EDNS versions in requests.  These behaviours allow clients to be updated without having to update servers.  Firewalls that drop queries aren’t doing anyone a service.  All they do is break interoperability.

Mark



> On 20 Dec 2018, at 6:39 am, Brandon Applegate <brandon at burn.net> wrote:
> 
> Hello,
> 
> I did some searching on the ML archives and didn’t see what I’m trying to ask.
> 
> Is there anything (i.e. a config knob) in any current version of BIND that allows one to control this ?
> 
> My understanding is that on (around ?) the DNS Flag Day of 2/1/19 - BIND won’t retry (with EDNS disabled) non-answered EDNS queries - rather it will consider them failures ?
> 
> I see that as of now there is this knob:
> 
> --
> server a.b.c.d {
>    edns no;
> };
> 
> But I’m talking about the behavior described in the DNS Flag day materials.  Is that simply going to be changed in code sometime around/on 2/1/19 ?
> 
> --
> Brandon Applegate - CCIE 10273
> PGP Key fingerprint:
> 0641 D285 A36F 533A 73E5  2541 4920 533C C616 703A
> "For thousands of years men dreamed of pacts with demons.
> Only now are such things possible."
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
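A worked probe of the behaviours discussed above (plain query, EDNS query, EDNS query carrying a COOKIE option, EDNS version 1 query), added here as an example; it is my code, not part of the original post and not BIND or ISC code. It builds the queries by hand, classifies the answers the way a resolver or "dig +noedns" / "dig +nocookie" / "dig +edns=1" would (answer, FORMERR, silent drop, BADVERS) and emits the matching server clause. The transport is injected: fake_server() is a constructed stand-in for the broken servers and firewalls described in the thread, and 192.0.2.53 and example.com are placeholders; against a live server you would pass a small UDP send/receive wrapper (returning None on timeout) in place of fake_server().

```python
import os
import struct

TYPE_SOA, TYPE_OPT, EDNS_OPT_COOKIE = 6, 41, 10
RCODE_NOERROR, RCODE_FORMERR, RCODE_BADVERS = 0, 1, 16   # BADVERS: extended RCODE 1, base RCODE 0


def encode_name(name):
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(qname, qtype=TYPE_SOA, edns=True, edns_version=0, cookie=None, qid=0x1234):
    """Query with RD set; with edns=True an OPT pseudo-RR (RFC 6891) is appended."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    if not edns:
        return header + question
    rdata = b"" if cookie is None else struct.pack("!HH", EDNS_OPT_COOKIE, len(cookie)) + cookie
    # OPT: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE | version | flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, edns_version << 16, len(rdata)) + rdata
    return header + question + opt


def skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_message(msg):
    """Header RCODE merged with the OPT extended RCODE, plus EDNS version/options if present."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off, opt = flags & 0x0F, 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            rcode |= (ttl >> 24) << 4
            opts, o = {}, off
            while o + 4 <= off + rdlen:
                code, length = struct.unpack("!HH", msg[o:o + 4])
                opts[code] = msg[o + 4:o + 4 + length]
                o += 4 + length
            opt = {"version": (ttl >> 16) & 0xFF, "options": opts}
        off += rdlen
    return {"id": qid, "rcode": rcode, "opt": opt}


def build_response(query, rcode, edns_version=None):
    """Constructed reply: echoes the question, sets QR, appends an empty OPT if edns_version is given."""
    qid, flags = struct.unpack("!HH", query[:4])
    qend = skip_name(query, 12) + 4
    ext, base = divmod(rcode, 16)
    arcount = 0 if edns_version is None else 1
    msg = struct.pack("!HHHHHH", qid, 0x8000 | (flags & 0x0100) | base, 1, 0, 0, arcount) + query[12:qend]
    if edns_version is not None:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, (ext << 24) | (edns_version << 16), 0)
    return msg


def fake_server(edns_ok=True, cookie_ok=True):
    """Constructed stand-in for the broken servers/firewalls in the thread; None means 'timed out'."""
    def send(query):
        q = parse_message(query)
        if q["opt"] is None:
            return build_response(query, RCODE_NOERROR)                  # plain DNS always answered
        if not edns_ok:
            return build_response(query, RCODE_FORMERR)                  # pre-EDNS server: STD 13 FORMERR
        if EDNS_OPT_COOKIE in q["opt"]["options"] and not cookie_ok:
            return None                                                  # middlebox silently drops it
        if q["opt"]["version"] != 0:
            return build_response(query, RCODE_BADVERS, edns_version=0)  # proper EDNS: BADVERS + own version
        return build_response(query, RCODE_NOERROR, edns_version=0)
    return send


def probe(send, qname="example.com."):
    """Same checks as dig +noedns, dig, dig with a cookie, dig +edns=1; reports what the server tolerates."""
    if send(build_query(qname, edns=False)) is None:
        raise RuntimeError("no answer even without EDNS; this is not an EDNS problem")
    r = send(build_query(qname))
    if r is None or parse_message(r)["rcode"] == RCODE_FORMERR:
        return {"edns": False, "send-cookie": False, "badvers": None}
    r = send(build_query(qname, cookie=os.urandom(8)))                   # 8-byte client cookie (RFC 7873)
    cookie_ok = r is not None and parse_message(r)["rcode"] == RCODE_NOERROR
    r = send(build_query(qname, edns_version=1))
    badvers = r is not None and parse_message(r)["rcode"] == RCODE_BADVERS
    return {"edns": True, "send-cookie": cookie_ok, "badvers": badvers}


def server_clause(prefix, findings):
    """The named.conf server clause the findings call for, or None if nothing needs disabling."""
    if not findings["edns"]:
        return "server %s { edns no; };" % prefix
    if not findings["send-cookie"]:
        return "server %s { send-cookie no; };" % prefix
    return None
```

Calling probe(fake_server(edns_ok=False)) yields the "edns no" case, probe(fake_server(cookie_ok=False)) the "send-cookie no" case, and a sane server passes all three checks and needs no server clause; a live server that is reachable without EDNS but returns nothing to the EDNS query is reported the same way as one that answers FORMERR.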