DNS flag day

Fri Jan 18 20:58:02 UTC 2019

> On 19 Jan 2019, at 6:58 am, Ben Croswell <ben.croswell at gmail.com> wrote:
> 
> I would say we had one provider go as far as saying this whole flag day thing is a hoax. Not sure what option there is other than voting with your wallet and moving to a different provider.

You can go read the source code and see where the work arounds have been removed.
There are a number of sites that will not be resolvable without manual configuration
after flag day.  As BIND also uses DNS COOKIE those sites that block DNS COOKIE option
will be in the list.  Also those running old versions of Windows DNS will be problematic
as they don’t consistently respond to EDNS queries with FORMERR.  They respond *once* then
stop responding for a short while.  If there is packet loss the server becomes non responsive.

> May even be worth looking at 2 providers. I see DNS provider redundancy as being a huge priority after the Dyn DDoS event.
> 
> On Fri, Jan 18, 2019, 2:50 PM Lightner, Jeffrey <JLightner at dsservices.com wrote:
> On checking I find that any of our domains that use Network Solutions’ Worldnic.com nameservers are reporting failures when checked.  
> 
> For example this result:  https://ednscomp.isc.org/ednscomp/e30c6cf0ea
> 
> Other people online have posted about Network Solutions as they also saw failures. 

Well the answers to the test queries are *wrong*.  The servers DO NOT implement EDNS
version negotiation.  This isn’t a DNS flag day issue but a future interoperability issue.

[beetle:~/git/bind9] marka% dig brewerrepair.com. @207.204.40.143 +edns=1 +noednsne

; <<>> DiG 9.13.1+hotspot+add-prefetch+marka <<>> brewerrepair.com. @207.204.40.143 +edns=1 +noednsne
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37712
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 2800
;; QUESTION SECTION:
;brewerrepair.com.		IN	A

;; ANSWER SECTION:
brewerrepair.com.	7200	IN	A	199.192.145.62

;; Query time: 836 msec
;; SERVER: 207.204.40.143#53(207.204.40.143)
;; WHEN: Sat Jan 19 07:48:28 AEDT 2019
;; MSG SIZE  rcvd: 61

[beetle:~/git/bind9] marka% 

You should see a answer like this one from the root servers which *do* implement EDNS fully.

[beetle:~/git/bind9] marka% dig brewerrepair.com. @a.root-servers.net +edns=1 +noednsne

; <<>> DiG 9.13.1+hotspot+add-prefetch+marka <<>> brewerrepair.com. @a.root-servers.net +edns=1 +noednsne
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 31554
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; Query time: 184 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Sat Jan 19 07:49:20 AEDT 2019
;; MSG SIZE  rcvd: 23

[beetle:~/git/bind9] marka% 

> On calling Network Solutions today they told me they are compliant despite what was reported by https://dnsflagday.net/   

Well they are mistaken.

> This issue is with domains registered at Network Solutions and using their Advanced DNS (i.e. their Worldnic name servers).   Other domains we have registered with them but pointing to other name servers (i.e. our own BIND servers) displayed as compliant.   
> 
> When I sent them the links they saw what I saw but still claimed they are compliant.   They refused to send me something in writing stating that so I suggested they reach out to ISC regarding the checker’s results if they believe they are compliant, but they said they don’t see the need.   I’ve asked them to escalate and they say they have but I suspect I’ll not hear back from them.
> 
> Is there a list of known edns compliant Registrar name severs for the larger Registrars?    
> 
> Is it possible the failures seen are false?   If so, are there alternate edns compliance checkers that might show different responses than dnsflagday.net?  
> 
>  
> 
>  
> 
>  
> 
>  
> 
> From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of Ben Croswell
> Sent: Friday, January 18, 2019 12:19 PM
> To: bind-users at lists.isc.org
> Subject: Re: DNS flag day
> 
>  
> 
> I shouldn't have posted so closely to responding to the other user.
> 
>  
> 
> I am not running 9.8. I was replying to them about firewalls in regards to their 9.8 issues.
> 
>  
> 
> Was just hoping for a statement of 9.x or greater supports the needed badvers signaling etc.
> 
>  
> 
> On Fri, Jan 18, 2019, 12:15 PM Victoria Risk <vicky at isc.org wrote:
> 
>  
> 
> On Jan 18, 2019, at 9:09 AM, Ben Croswell <ben.croswell at gmail.com> wrote:
> 
>  
> 
> Has ISC released minimum viable BIND version for flag day?
> 
>  
> 
> Most versions of BIND authoritative servers, going back years, are EDNS compatible. Certainly ALL currently supported versions are compatible. I see you are running 9.8, which has been EOL since September, 2014.  I think that is probably fine, as far as EDNS, however.
> 
>  
> 
> The change in BIND related to DNS Flag Day is removing workarounds from resolvers, that will retry without EDNS or otherwise try to proceed even when EDNS fails. This change came in the BIND 9.13 development version, and will be in BIND 9.14, which is not yet released.
> 
>  
> 
> The problem you are seeing is most likely firewall-related.
> 
>  
> 
> Vicky
> 
>  
> 
>  
> 
> I looked around and couldn't find anything. 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 
>  
> 
>  
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org