DNS Flag Day, Friday, Feb 1st, 2019

Jimmy Hess mysidia at gmail.com
Thu Jan 31 17:06:25 UTC 2019


On Thu, Jan 31, 2019 at 10:33 AM James Stahr <stahr at mailbag.com> wrote:
[snip]
> So is the tool right in saying that TCP/53 is an absolute requirement of
> EDNS0 support for "DNS Flag Day"?  If so, do we expect a dramatic
> increase in TCP/53 requests over UDP/53 queries?  Or is the tool flawed
[snip]

Their test tool will obviously alert on more error conditions than what the Flag Day is specifically about -- one or more of your DNS servers not responding [OR] TCP/53 not working are still broken configurations, but the brokenness is unrelated to what the flag day is about. In the first case, better safe than sorry, I suppose: inability to complete one or more of the tests because of brokenness definitely means that things are broken.

TCP/53 is a fairly strong requirement, except if you are supporting an authoritative-only server with no record labels that could result in a >512-byte response, plus no DNSSEC-secured zones, and even then the AXFR protocol for replication to secondary servers calls for TCP.

EDNS support is not required.   Authoritative servers that don't support EDNS
and are also compliant with the original DNS standard continue to work
after the workarounds are removed.

The relevant standard does not allow for silently ignoring requests that contain the EDNS option; patching the bug in a broken server does not necessarily entail the larger task of adding EDNS support -- achieving consistent compliance with either the DNS standard before EDNS, or the DNS standard after EDNS, is the requirement.

There are two ways for a DNS server to relay DNS responses larger than 512 bytes:
1. The server replies with a truncated message with the truncate bit set, and the client connects to you over TCP to make the DNS request, OR
2. The client provided the EDNS option with a larger packet size, and you support that, so you send a large UDP reply instead.

A DNS server must support the first of these methods (the second is preferable but optional, and support for the first method over TCP is mandatory) if you could ever be required to handle a DNS message whose reply is larger than 512 bytes:

All recursive resolvers fall into this category, and with DNSSEC + IPv6, many common queries will result in an answer longer than the original 512-byte limit of UDP.

--
-JH
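As an added illustration of the two mechanisms the post describes (example code written for this page, not from the poster or from any DNS implementation), the Python below builds a query with or without an EDNS0 OPT record, checks the TC bit in a reply, and performs the UDP-then-TCP/53 fallback that method 1 requires; the server address, name and advertised buffer size are whatever the caller passes in.

```python
import socket
import struct

TC_FLAG = 0x0200   # TC (truncation) bit in the DNS header flags word, RFC 1035
OPT_TYPE = 41      # EDNS0 OPT pseudo-RR type, RFC 6891

def build_query(name, qtype=1, edns_bufsize=None, txid=0x1234):
    """Wire-format query for NAME; with edns_bufsize, append an OPT record advertising that UDP payload size."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags 0x0100 = RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack(">HH", qtype, 1)                # QCLASS IN
    if edns_bufsize:
        # OPT: root owner name, TYPE 41, CLASS = sender's UDP payload size, TTL = ext-RCODE/version/flags, RDLEN 0
        msg += b"\x00" + struct.pack(">HHIH", OPT_TYPE, edns_bufsize, 0, 0)
    return msg

def is_truncated(response):
    """True when the server set TC: the answer did not fit in the UDP reply and must be re-fetched over TCP."""
    return bool(struct.unpack(">H", response[2:4])[0] & TC_FLAG)

def tcp_frame(msg):
    """DNS over TCP prefixes every message with a two-octet length (RFC 1035 section 4.2.2)."""
    return struct.pack(">H", len(msg)) + msg

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed TCP/53 before the full answer arrived")
        buf += chunk
    return buf

def resolve_with_fallback(server, name, qtype=1, edns_bufsize=None, timeout=3.0):
    """Method 1 from the post: ask over UDP, and if TC is set re-ask over TCP/53. Passing edns_bufsize
    adds method 2: advertise a larger UDP buffer so the big answer may stay on UDP. Returns (response, transport)."""
    query = build_query(name, qtype, edns_bufsize)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        response, _ = udp.recvfrom(65535)
    if not is_truncated(response):
        return response, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(tcp_frame(query))
        (length,) = struct.unpack(">H", _recv_exact(tcp, 2))
        return _recv_exact(tcp, length), "tcp"
```

A resolver that fails the TCP leg (for instance because TCP/53 is filtered) is exactly the broken case the post calls out: `resolve_with_fallback` raises instead of returning a partial answer.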



More information about the NANOG mailing list