> On 19 Jan 2019, at 6:58 am, Ben Croswell <ben.crosw...@gmail.com> wrote:
> 
> I would say we had one provider go as far as saying this whole flag day thing 
> is a hoax. Not sure what option there is other than voting with your wallet 
> and moving to a different provider.

You can go read the source code and see where the workarounds have been
removed.
There are a number of sites that will not be resolvable without manual
configuration after flag day.  As BIND also uses DNS COOKIE, those sites
that block the DNS COOKIE option will be in the list.  Also those running
old versions of Windows DNS will be problematic as they don’t consistently
respond to EDNS queries with FORMERR.  They respond *once* then stop
responding for a short while.  If there is packet loss the server becomes
non-responsive.

> May even be worth looking at 2 providers. I see DNS provider redundancy as 
> being a huge priority after the Dyn DDoS event.
> 
> On Fri, Jan 18, 2019, 2:50 PM Lightner, Jeffrey <jlight...@dsservices.com 
> wrote:
> On checking I find that any of our domains that use Network Solutions’ 
> Worldnic.com nameservers are reporting failures when checked.  
> 
> For example this result:  https://ednscomp.isc.org/ednscomp/e30c6cf0ea
> 
> Other people online have posted about Network Solutions as they also saw 
> failures. 

Well the answers to the test queries are *wrong*.  The servers DO NOT
implement EDNS version negotiation.  This isn’t a DNS flag day issue but a
future interoperability issue.

[beetle:~/git/bind9] marka% dig brewerrepair.com. @207.204.40.143 +edns=1 +noednsne

; <<>> DiG 9.13.1+hotspot+add-prefetch+marka <<>> brewerrepair.com. @207.204.40.143 +edns=1 +noednsne
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37712
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 2800
;; QUESTION SECTION:
;brewerrepair.com.              IN      A

;; ANSWER SECTION:
brewerrepair.com.       7200    IN      A       199.192.145.62

;; Query time: 836 msec
;; SERVER: 207.204.40.143#53(207.204.40.143)
;; WHEN: Sat Jan 19 07:48:28 AEDT 2019
;; MSG SIZE  rcvd: 61

[beetle:~/git/bind9] marka% 

You should see an answer like this one from the root servers which *do*
implement EDNS fully.

[beetle:~/git/bind9] marka% dig brewerrepair.com. @a.root-servers.net +edns=1 +noednsne

; <<>> DiG 9.13.1+hotspot+add-prefetch+marka <<>> brewerrepair.com. @a.root-servers.net +edns=1 +noednsne
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 31554
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; Query time: 184 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Sat Jan 19 07:49:20 AEDT 2019
;; MSG SIZE  rcvd: 23

[beetle:~/git/bind9] marka% 


> On calling Network Solutions today they told me they are compliant despite 
> what was reported by https://dnsflagday.net/   

Well they are mistaken.

> This issue is with domains registered at Network Solutions and using their 
> Advanced DNS (i.e. their Worldnic name servers).   Other domains we have 
> registered with them but pointing to other name servers (i.e. our own BIND 
> servers) displayed as compliant.   
> 
> When I sent them the links they saw what I saw but still claimed they are 
> compliant.   They refused to send me something in writing stating that so I 
> suggested they reach out to ISC regarding the checker’s results if they 
> believe they are compliant, but they said they don’t see the need.   I’ve 
> asked them to escalate and they say they have but I suspect I’ll not hear 
> back from them.
> 
> Is there a list of known edns compliant Registrar name servers for the larger 
> Registrars?    
> 
> Is it possible the failures seen are false?   If so, are there alternate edns 
> compliance checkers that might show different responses than dnsflagday.net?  
> 
> From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Ben Croswell
> Sent: Friday, January 18, 2019 12:19 PM
> To: bind-users@lists.isc.org
> Subject: Re: DNS flag day
> 
> 
> I shouldn't have posted so closely to responding to the other user.
> 
> I am not running 9.8. I was replying to them about firewalls in regards to 
> their 9.8 issues.
> 
> Was just hoping for a statement of 9.x or greater supports the needed badvers 
> signaling etc.
> 
> On Fri, Jan 18, 2019, 12:15 PM Victoria Risk <vi...@isc.org wrote:
> 
> On Jan 18, 2019, at 9:09 AM, Ben Croswell <ben.crosw...@gmail.com> wrote:
> 
> Has ISC released minimum viable BIND version for flag day?
> 
> Most versions of BIND authoritative servers, going back years, are EDNS 
> compatible. Certainly ALL currently supported versions are compatible. I see 
> you are running 9.8, which has been EOL since September, 2014.  I think that 
> is probably fine, as far as EDNS, however.
> 
> The change in BIND related to DNS Flag Day is removing workarounds from 
> resolvers, that will retry without EDNS or otherwise try to proceed even when 
> EDNS fails. This change came in the BIND 9.13 development version, and will 
> be in BIND 9.14, which is not yet released.
> 
> The problem you are seeing is most likely firewall-related.
> 
> Vicky
> 
> I looked around and couldn't find anything. 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
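
Added example (not part of the original message and not ISC code): the EDNS version negotiation check that the two dig runs above perform, done on the wire format. RFC 6891 requires a server that does not implement the requested EDNS version to answer BADVERS (extended RCODE 16) with the highest version it supports; the function names and the two sample responses are constructed for this illustration, modelled on the dig outputs above.

```python
import struct

BADVERS = 16  # extended RCODE defined by RFC 6891
OPT = 41      # RR type of the EDNS OPT pseudo-record

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def opt_rr(ext_rcode, version, udp_size):
    # OPT: root owner, TYPE 41, CLASS = UDP size, TTL = ext-rcode | version | flags
    return b"\x00" + struct.pack("!HHBBHH", OPT, udp_size, ext_rcode, version, 0, 0)

def build_probe(name, edns_version=1, qid=0x1234):
    """A query for NAME carrying an EDNS version the server should not implement."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # rd set, as dig does
    return header + encode_name(name) + struct.pack("!HH", 1, 1) + opt_rr(0, edns_version, 4096)

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # compression pointer or root byte

def check_version_negotiation(msg, sent_version=1):
    """Return (rcode, edns_version, compliant) for a response to build_probe()."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, opt_ttl = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            opt_ttl = ttl
    if opt_ttl is None:
        return flags & 0xF, None, False  # no OPT at all: EDNS was ignored
    rcode = (opt_ttl >> 24) << 4 | (flags & 0xF)  # upper 8 RCODE bits live in the OPT TTL
    version = (opt_ttl >> 16) & 0xFF
    return rcode, version, rcode == BADVERS and version < sent_version

# Constructed responses modelled on the two dig outputs above (not captured traffic).
QUESTION = encode_name("brewerrepair.com") + struct.pack("!HH", 1, 1)
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 7200, 4) + bytes([199, 192, 145, 62])
ignores_version = (struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 1, 0, 1)
                   + QUESTION + ANSWER + opt_rr(0, 0, 2800))
sends_badvers = struct.pack("!HHHHHH", 0x1234, 0x8120, 0, 0, 0, 1) + opt_rr(1, 0, 1472)
```

check_version_negotiation(ignores_version) returns (0, 0, False), the NOERROR case shown first above, and check_version_negotiation(sends_badvers) returns (16, 0, True), the root server case.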
