Re: DNS Flag Day - options for EDNS behavior control before then ?

2018-12-19 Thread Mark Andrews
Correct, there are no knobs in 9.13/9.14 for automatic fallback. 

Apart from a few very old Microsoft Windows DNS servers that don’t respond 
consistently to EDNS queries (they respond with FORMERR to the first query then 
don’t respond for a while to subsequent EDNS queries) there aren’t many servers 
that don’t answer EDNS queries any more.  That said there is still a single TLD 
server that doesn’t respond to EDNS queries at all.

server  { edns no; };

More likely you will strike a server that doesn’t respond to queries with DNS 
COOKIE options present and you will want to turn off sending that option.  This 
can be tested for with “dig +nocookie”.

server  { send-cookie no; };

Most of the problems are with stupid firewall defaults.  The firewall vendors 
want to be seen to be doing “something” with DNS and to hell with planned 
incremental deployment and interoperability.  STD 13 said what nameservers 
should do with unknown flags in the DNS header (ignore) and other changes 
(return FORMERR).  EDNS says to ignore unknown EDNS flags and options and to 
return BADVERS with the currently supported EDNS version for unsupported EDNS 
versions in requests.  These behaviours allow clients to be updated without 
having to update servers.  Firewalls that drop queries aren’t doing anyone a 
service.  All they do is break interoperability.

Mark



> On 20 Dec 2018, at 6:39 am, Brandon Applegate  wrote:
> 
> Hello,
> 
> I did some searching on the ML archives and didn’t see what I’m trying to ask.
> 
> Is there anything (i.e. a config knob) in any current version of BIND that 
> allows one to control this ?
> 
> My understanding is that on (around ?) the DNS Flag Day of 2/1/19 - BIND 
> won’t retry (with EDNS disabled) non-answered EDNS queries - rather it will 
> consider them failures ?
> 
> I see that as of now there is this knob:
> 
> --
> server a.b.c.d {
>     edns no;
> };
> --
> 
> But I’m talking about the behavior described in the DNS Flag day materials.  
> Is that simply going to be changed in code sometime around/on 2/1/19 ?
> 
> --
> Brandon Applegate - CCIE 10273
> PGP Key fingerprint:
> 0641 D285 A36F 533A 73E5  2541 4920 533C C616 703A
> "For thousands of years men dreamed of pacts with demons.
> Only now are such things possible."
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
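The checks Mark describes (does the server answer plain queries, EDNS queries, queries with a DNS COOKIE option, and does it honour the STD 13 / RFC 6891 rules for unknown versions, flags and options) can be run from `dig`, but it is worth seeing what they look like on the wire. The following Python script is an added example, not code from this thread or from ISC: it builds each probe query by hand, sends it over UDP, and reports the extended RCODE that comes back, treating a timeout as the "firewall dropped it" case. The query name `example.com.`, the 1232-byte UDP payload size, the EDNS version 100 and the option code 65001 used as the "unknown" option are assumptions chosen for the example.

```python
"""Probe a nameserver's EDNS behaviour at the wire level (added example).

RFC 6891: an unsupported EDNS version must get BADVERS with the supported
version; unknown EDNS flags and unknown options must be ignored.
"""
import os
import socket
import struct

EDNS_COOKIE = 10        # DNS COOKIE option code (RFC 7873)
UNKNOWN_OPTION = 65001  # assumed: a code from the local/experimental range
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          5: "REFUSED", 16: "BADVERS"}


def build_query(qname, qtype=1, edns=True, version=0, flags=0,
                cookie=None, unknown_option=False, txid=None):
    """Return (txid, wire query).  cookie is an 8-byte client cookie or None."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.rstrip(".").split("."))
    question += b"\x00" + struct.pack("!HH", qtype, 1)
    if not edns:
        return txid, header + question
    options = b""
    if cookie is not None:
        options += struct.pack("!HH", EDNS_COOKIE, len(cookie)) + cookie
    if unknown_option:
        options += struct.pack("!HH", UNKNOWN_OPTION, 0)
    # OPT pseudo-RR: root name, type 41, CLASS = UDP payload size (1232 assumed),
    # TTL = extended RCODE (8 bits) | EDNS version (8) | flags (16, DO = 0x8000).
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, version, flags,
                                len(options)) + options
    return txid, header + question + opt


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg, txid):
    """Return the 12-bit extended RCODE and the EDNS version the server returned."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    rid, rflags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode, ext_rcode, version = rflags & 0x0F, 0, None
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:  # OPT: the upper 4 bits of the RCODE live in its TTL
            ext_rcode, version = ttl >> 24, (ttl >> 16) & 0xFF
        off += 10 + rdlen
    full = (ext_rcode << 4) | rcode
    return {"rcode": full, "rcode_name": RCODES.get(full, str(full)),
            "edns_version": version}


# (probe name, build_query arguments, RCODE a compliant server should return)
PROBES = [
    ("plain (no EDNS)",     dict(edns=False),             "NOERROR"),
    ("edns0",               dict(),                       "NOERROR"),
    ("edns version 100",    dict(version=100),            "BADVERS"),
    ("unknown edns flag",   dict(flags=0x0080),           "NOERROR"),
    ("unknown edns option", dict(unknown_option=True),    "NOERROR"),
    ("with DNS COOKIE",     dict(cookie=os.urandom(8)),   "NOERROR"),
]


def probe(server, qname="example.com.", timeout=3.0):
    """Send every probe to server:53 over UDP; return [(name, got, expected)]."""
    results = []
    for name, kwargs, expected in PROBES:
        txid, wire = build_query(qname, **kwargs)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(wire, (server, 53))
            try:
                reply, _ = s.recvfrom(4096)
                got = parse_response(reply, txid)["rcode_name"]
            except socket.timeout:
                got = "TIMEOUT"  # what a firewall that drops the query looks like
        results.append((name, got, expected))
    return results


if __name__ == "__main__":
    import sys
    for name, got, expected in probe(sys.argv[1], *sys.argv[2:3]):
        print(f"{'ok  ' if got == expected else 'FAIL'} {name:20s} "
              f"got {got:8s} expected {expected}")
```

Run it as `python3 probe_edns.py <server-ip> <name the server is authoritative for>`; a name outside the server's zones will simply return REFUSED for every probe and tell you nothing. A TIMEOUT on "with DNS COOKIE" alone is the case where `server { send-cookie no; };` is the right knob; a TIMEOUT on every EDNS probe but not on the plain one is the case for `edns no;`, and a TIMEOUT on "edns version 100" or "unknown edns flag" while "edns0" answers is the firewall behaviour the message complains about.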


DNS Flag Day - options for EDNS behavior control before then ?

2018-12-19 Thread Brandon Applegate
Hello,

I did some searching on the ML archives and didn’t see what I’m trying to ask.

Is there anything (i.e. a config knob) in any current version of BIND that 
allows one to control this ?

My understanding is that on (around ?) the DNS Flag Day of 2/1/19 - BIND won’t 
retry (with EDNS disabled) non-answered EDNS queries - rather it will consider 
them failures ?

I see that as of now there is this knob:

--
server a.b.c.d {
    edns no;
};
--

But I’m talking about the behavior described in the DNS Flag day materials.  Is 
that simply going to be changed in code sometime around/on 2/1/19 ?

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
0641 D285 A36F 533A 73E5  2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons.
Only now are such things possible."


