Re: CH/TXT/VERSION.SERVER queries

2022-11-21 Thread Ray Bellis



On 21/11/2022 17:26, Petr Špaček wrote:

> Speaking of default CHAOS zones, I have another idea:
>
> Do we need them after NSID was standardized?

Yes.

> There is a lot of special code just for built-in CH zones, and IIRC
> we have had at least one CVE which affected default config only
> because of default CH usage.
>
> Anand, what would be missing if special magic for CH is removed and
> you are left with standard NSID?


We'd need to retool every system that relies on hostname.bind queries
working on the root system, for a start.  RIPE Atlas probes use these
queries, and there are several systems (our own included) that work off
this data.

For other researchers, automated queries for hostname.bind (or
hostname.server) are trivially excluded from analysis of query data
based on the QNAME, whereas any query might include an NSID option.

Also, *.server CH TXT is actually in an RFC (4892).  Nothing has
obsoleted that, and I'd object loudly if anyone tried ;-)


Ray
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
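
The QNAME-based exclusion described in the message above, as an added example that is not part of the original post or of BIND. It parses DNS queries in wire format, sets aside CH/TXT identity probes by QNAME, and shows that the NSID option (EDNS option code 3) can ride on an ordinary query that no QNAME filter would catch. The helper names and the sample queries are constructed for illustration.

```python
import struct
# Identity QNAMEs named in this thread; the set is an assumption of this example
IDENTITY_QNAMES = {"hostname.bind", "hostname.server", "id.server", "version.server"}
CLASS_IN, CLASS_CH, TYPE_A, TYPE_TXT, TYPE_OPT, OPT_NSID = 1, 3, 1, 16, 41, 3

def build_query(qname, qtype, qclass, nsid=False):
    """Constructed sample query in DNS wire format (no name compression)."""
    msg = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if nsid else 0)
    for label in qname.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!2H", qtype, qclass)
    if nsid:  # OPT RR: root owner, type 41, UDP size 1232, TTL 0, one empty NSID option
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, 4) + struct.pack("!2H", OPT_NSID, 0)
    return msg

def parse_query(msg):
    """Return (qname, qtype, qclass, has_nsid) for a single-question query."""
    arcount = struct.unpack("!H", msg[10:12])[0]
    pos, labels = 12, []
    while msg[pos]:  # length-prefixed labels, terminated by a zero byte
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii").lower())
        pos += 1 + msg[pos]
    qtype, qclass = struct.unpack("!2H", msg[pos + 1:pos + 5])
    pos, has_nsid = pos + 5, False
    for _ in range(arcount):  # a query has no answers, so additional RRs follow directly
        if msg[pos] != 0:
            break  # owner is not the root name, so not an OPT RR; out of scope here
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        rdata, pos = msg[pos + 11:pos + 11 + rdlen], pos + 11 + rdlen
        while rtype == TYPE_OPT and len(rdata) >= 4:  # walk the EDNS options
            code, olen = struct.unpack("!2H", rdata[:4])
            has_nsid |= code == OPT_NSID
            rdata = rdata[4 + olen:]
    return ".".join(labels), qtype, qclass, has_nsid

def is_identity_probe(msg):
    """True for a CH-class TXT query whose QNAME is one of the identity names."""
    qname, qtype, qclass, _ = parse_query(msg)
    return qclass == CLASS_CH and qtype == TYPE_TXT and qname in IDENTITY_QNAMES

def split_traffic(queries):
    """Return (probes excluded, queries kept, kept queries that carry NSID)."""
    kept = [q for q in queries if not is_identity_probe(q)]
    return len(queries) - len(kept), len(kept), sum(parse_query(q)[3] for q in kept)

SAMPLE = [build_query("hostname.bind", TYPE_TXT, CLASS_CH),  # constructed, not captured
          build_query("ID.SERVER", TYPE_TXT, CLASS_CH),
          build_query("www.example.com", TYPE_A, CLASS_IN, nsid=True),
          build_query("example.org", TYPE_A, CLASS_IN)]
```

On the constructed sample, `split_traffic(SAMPLE)` sets aside the two CH/TXT probes and keeps two ordinary queries, one of which carries NSID.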


Re: CH/TXT/VERSION.SERVER queries

2022-11-21 Thread Petr Špaček

Speaking of default CHAOS zones, I have another idea:

Do we need them after NSID was standardized?

There is a lot of special code just for built-in CH zones, and IIRC we 
have had at least one CVE which affected default config only because of 
default CH usage.


Anand, what would be missing if special magic for CH is removed and you 
are left with standard NSID?


Petr Špaček


On 14. 11. 22 17:39, Ondřej Surý wrote:

> Hi Anand,
>
> correct me if I am wrong, but the VERSION.SERVER doesn't seem to be anywhere
> documented[1], and you are the first one to request it[2].
>
> 1. RFC 4892 only talks about ID.SERVER
> 2. Please create a GitLab issue for tracking
>
> Ondrej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
>
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
>
> > On 14. 11. 2022, at 17:33, Anand Buddhdev wrote:
> >
> > Hi folks (especially BIND developers),
> >
> > Apologies if this has been discussed and answered before. I just
> > noticed that BIND doesn't respond to CH/TXT/VERSION.SERVER queries. It
> > only responds to ID.SERVER.
> >
> > Other name servers, such as Knot DNS, NSD, Verisign's ATLAS name
> > server, Quad9's and Cloudflare's public resolvers, respond to
> > VERSION.SERVER queries.
> >
> > So what's the reason for BIND not responding to VERSION.SERVER
> > queries? It seems like an anomaly or oversight.
> >
> > Regards,
> > Anand



Re: CH/TXT/VERSION.SERVER queries

2022-11-14 Thread Ondřej Surý

Hi Anand,

correct me if I am wrong, but the VERSION.SERVER doesn't seem to be anywhere
documented[1], and you are the first one to request it[2].


1. RFC 4892 only talks about ID.SERVER
2. Please create a GitLab issue for tracking

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.



> On 14. 11. 2022, at 17:33, Anand Buddhdev  wrote:
> 
> Hi folks (especially BIND developers),
> 
> Apologies if this has been discussed and answered before. I just noticed that 
> BIND doesn't respond to CH/TXT/VERSION.SERVER queries. It only responds to 
> ID.SERVER.
> 
> Other name servers, such as Knot DNS, NSD, Verisign's ATLAS name server, 
> Quad9's and Cloudflare's public resolvers, respond to VERSION.SERVER queries.
> 
> So what's the reason for BIND not responding to VERSION.SERVER queries? It 
> seems like an anomaly or oversight.
> 
> Regards,
> Anand



CH/TXT/VERSION.SERVER queries

2022-11-14 Thread Anand Buddhdev

Hi folks (especially BIND developers),

Apologies if this has been discussed and answered before. I just noticed 
that BIND doesn't respond to CH/TXT/VERSION.SERVER queries. It only 
responds to ID.SERVER.


Other name servers, such as Knot DNS, NSD, Verisign's ATLAS name server, 
Quad9's and Cloudflare's public resolvers, respond to VERSION.SERVER 
queries.


So what's the reason for BIND not responding to VERSION.SERVER queries? 
It seems like an anomaly or oversight.


Regards,
Anand