DNS Flag Day, Friday, Feb 1st, 2019

Mark Andrews marka at isc.org
Thu Jan 24 11:13:10 UTC 2019



> On 24 Jan 2019, at 9:02 pm, Mike Meredith <mike.meredith at port.ac.uk> wrote:
> 
> On Thu, 24 Jan 2019 11:22:44 +1100, Mark Andrews <marka at isc.org> may have
> written:
>> If you run a firewall in front of your DNS server you may be broken.
> 
> If you run a firewall in front of your DNS server and the firewall breaks
> EDNS, then your firewall is broken. And has been a long, long time. I put a
> firewall in place back in 2004, and EDNS compliance was one of the tests
> back then.

EDNS usage has changed since then.  Back in 2004 there was zero use of EDNS
options in queries.  That is no longer true.  NSID (RFC 5001), the first option
to make it into mainstream code, was allocated in 2007 and that saw occasional
use.  DNS COOKIE has been in every query named has emitted since BIND 9.11.0 and
in late BIND 9.10 versions.  Lots of firewalls still reject it.

> -- 
> Mike Meredith, University of Portsmouth
> Chief Systems Engineer, Hostmaster, Security, and Timelord!
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
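An added example, not part of the thread or of BIND: a small Python probe that builds the kind of query modern named sends (an OPT RR carrying an empty NSID option, code 3, and an 8-byte client COOKIE, code 10) and classifies what comes back, so you can check whether a firewall in front of your server passes EDNS options through. The query name, cookie bytes and transaction id are constructed values.

```python
import struct

EDNS_OPT_NSID, EDNS_OPT_COOKIE = 3, 10  # option codes from RFC 5001 and RFC 7873

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(qname, client_cookie, txid=0x1234):
    """A/IN query with RD set and one OPT RR carrying an empty NSID and the client COOKIE."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # qdcount=1, arcount=1 (the OPT RR)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    opts = struct.pack("!HH", EDNS_OPT_NSID, 0)
    opts += struct.pack("!HH", EDNS_OPT_COOKIE, len(client_cookie)) + client_cookie
    # OPT RR: owner=root, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDATA=options
    return header + question + b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(opts)) + opts

def skip_name(msg, off):
    """Offset just past a wire-format name; a compression pointer (top bits 11) is 2 bytes."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_edns(msg):
    """Return (rcode, {option code: data}); the dict is None when the message has no OPT RR."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", msg[2:12])
    off, options = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 41:
            options, p = {}, off
            while p < off + rdlen:
                code, olen = struct.unpack("!HH", msg[p:p + 4])
                options[code] = msg[p + 4:p + 4 + olen]
                p += 4 + olen
        off += rdlen
    return flags & 0x000F, options

def classify(response, client_cookie):
    """Sort the reply: OPT echoed back vs. the FORMERR or EDNS-less answer a broken path yields."""
    rcode, options = parse_edns(response)
    if options is None:
        return "formerr-on-edns" if rcode == 1 else "edns-stripped"
    cookie = options.get(EDNS_OPT_COOKIE)
    if cookie is None:
        return "ok-no-cookie"  # OPT survived; the server simply does not implement COOKIE
    return "ok" if cookie.startswith(client_cookie) and 16 <= len(cookie) <= 40 else "bad-cookie"
```

Send the bytes from build_query over UDP port 53 to the server behind the firewall and pass the reply to classify; a query that gets no reply at all (timeout) is the other common firewall symptom and must be treated by the caller as a failure as well.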