Hi Roberto,
You are correct in that the DNS Flag day tester at https://dnsflagday.net/
is reporting the closed TCP port as a serious problem. Given that the TCP
port is closed, obviously the EDNS test over TCP fails too and the error
given by the site would be something like: edns512tcp=timeout
T
RFC 6891 states that it uses TCP to avoid truncated UDP responses. It is all
about packet size, fragmentation and network load.
EDNS(0) specifies a way to advertise additional features such as
larger response size capability, which is intended to help avoid
truncated UDP responses, which
Ben, thanks a lot !!!
Regards
On Mon, Feb 4, 2019 at 11:04 AM Ben Croswell wrote:
> When a DNS response is too large to fit in a single UDP packet, 512 bytes
> up to 4k with edns, the DNS server will respond with as much as it can fit
> in the UDP packet. It will also set the truncate, TC, bit
When a DNS response is too large to fit in a single UDP packet, 512 bytes
up to 4k with edns, the DNS server will respond with as much as it can fit
in the UDP packet. It will also set the truncate, TC, bit to let the client
doing the query know that the answer is truncated and the client should query
a
Just about anything (if it is large enough).
r
On 2019-02-04 08:56 AM, Roberto Carna wrote:
Thanks Ben for your response, can you tell me the types of TCP traffic I have
to expect in BIND, excepting Zone Transfer?
Thanks a lot again!!!
On Mon, Feb 4, 2019 at 10:50, Ben Croswell
(mailt
Thanks Ben for your response, can you tell me the types of TCP traffic I
have to expect in BIND, excepting Zone Transfer?
Thanks a lot again!!!
On Mon, Feb 4, 2019 at 10:50, Ben Croswell wrote:
> BIND has always required UDP and TCP 53 for proper functionality. It is
> sometimes mistakenly
BIND has always required UDP and TCP 53 for proper functionality. It is
sometimes mistakenly believed that TCP is only for zone transfers but that
is not the case.
On Mon, Feb 4, 2019, 8:46 AM Roberto Carna wrote:
> Dear, I have a BIND 9.10 public server and I have delegated some public
> domains.
>
> When I
On 28.01.19 13:28, Umut Arus wrote:
Don't forget to check your IPS. Some IPS rules and TCP ACLs can block the
requests. For example, our Checkpoint IPS stopped the requests.
were they requests from you as client or to you as server?
On Mon, Jan 28, 2019 at 1:14 PM Matus UHLAR - fantomas via bind-
Hi,
Don't forget to check your IPS. Some IPS rules and TCP ACLs can block the
requests. For example, our Checkpoint IPS stopped the requests.
regards.
On Mon, Jan 28, 2019 at 1:14 PM Matus UHLAR - fantomas via bind-users <
bind-users@lists.isc.org> wrote:
> On 28.01.19 09:25, MEjaz wrote:
> >For th
On 28.01.19 09:25, MEjaz wrote:
For the upcoming DNS Flag Day on February 1st, 2019, is there any impact on
the users who are using BIND name servers?
As per the Infoblox DNS service, they will not be impacted on DNS Flag Day.
So do I need to configure support for EDNS0 standards? In bind if yes ho
Thanks a lot!
On Thu, Jan 24, 2019 at 16:24, Evan Hunt wrote:
> On Thu, Jan 24, 2019 at 10:53:49AM -0300, Roberto Carna wrote:
> > Dear, I've just worked around on my public BIND DNS's in order to solve
> the
> > problem of DNS Flag Day.
> >
> > But I have a pair of private DNS (BIND an
On Thu, Jan 24, 2019 at 10:53:49AM -0300, Roberto Carna wrote:
> Dear, I've just worked around on my public BIND DNS's in order to solve the
> problem of DNS Flag Day.
>
> But I have a pair of private DNS (BIND and Windows) that respond to
> internal queries and also forward non authoritative quer
ifferent responses than dnsflagday.net?
>
> From: bind-users On Behalf Of Ben Croswell
> Sent: Friday, January 18, 2019 12:19 PM
> To: bind-users@lists.isc.org
> Subject: Re: DNS flag day
>
>
>
> I shouldn't h
>> so I suggested they reach out to ISC regarding the checker’s results if
>>>> they believe they are compliant, but they said they don’t see the need.
>>>> I’ve asked them to escalate and they say they have but I suspect I’ll not
>>>> hear back from them.
>>
the need.
>>> I’ve asked them to escalate and they say they have but I suspect I’ll not
>>> hear back from them.
>>>
>>> Is there a list of known edns compliant Registrar name servers for the
>>> larger Registrars?
>>>
>>> Is it possible the failures
t I suspect I’ll not hear
>> back from them.
>>
>> Is there a list of known edns compliant Registrar name servers for the
>> larger Registrars?
>>
>> Is it possible the failures seen are false? If so, are there alternate
>> edns compliance checkers that might s
lagday.net?
>
> *From:* bind-users * On Behalf Of *Ben
> Croswell
> *Sent:* Friday, January 18, 2019 12:19 PM
> *To:* bind-users@lists.isc.org
> *Subject:* Re: DNS flag day
>
>
>
> I shouldn't have posted so closely to respond
? If so, are there alternate edns
compliance checkers that might show different responses than dnsflagday.net?
From: bind-users On Behalf Of Ben Croswell
Sent: Friday, January 18, 2019 12:19 PM
To: bind-users@lists.isc.org
Subject: Re: DNS flag day
I shouldn't have posted so close
> On Jan 18, 2019, at 9:18 AM, Ben Croswell wrote:
>
> I shouldn't have posted so closely to responding to the other user.
Oh, my mistake. How is this for a definitive statement?
BIND 9 was designed to be EDNS compliant from very beginning. All
currently-supported branches of BIND 9 are EDNS
I shouldn't have posted so closely to responding to the other user.
I am not running 9.8. I was replying to them about firewalls in regards to
their 9.8 issues.
Was just hoping for a statement of 9.x or greater supports the needed
badvers signaling etc.
On Fri, Jan 18, 2019, 12:15 PM Victoria Ri
> On Jan 18, 2019, at 9:09 AM, Ben Croswell wrote:
>
> Has ISC released minimum viable BIND version for flag day?
Most versions of BIND authoritative servers, going back years, are EDNS
compatible. Certainly ALL currently supported versions are compatible. I see
you are running 9.8, which has
Correct, there are no knobs in 9.13/9.14 for automatic fallback.
Apart from a few very old Microsoft Windows DNS servers that don’t respond
consistently to EDNS queries (they respond with FORMERR to the first query then
don’t respond for a while to subsequent EDNS queries) there aren’t many ser