Installing bind is not very clear for me

Mark Andrews marka at isc.org
Sat Sep 5 00:22:10 UTC 2015


There are stupid firewalls that drop DNS queries with the last
reserved bit set.  This should be ignored by the nameserver.

There are stupid firewalls that drop DNS queries with DO=1.
This breaks DNSSEC.  Most of these are gone now but some still
exist.  They took years to effectively remove from the eco-system
and in the meantime resolver vendors had to code around them.

There are stupid firewalls that drop DNS queries with AD=1.
This breaks RFC 6840, AD signalling that answers are secure.

There are stupid firewalls that drop DNS queries with an EDNS flag
bit set.  This breaks RFC2671/RFC6891.  Documented as to be ignored.

There are stupid firewalls that drop DNS queries with an EDNS version
not equal to zero.  This breaks RFC2671/RFC6891 EDNS version negotiation.
BADVERS is the documented response.  If you let EDNS(0) through to a
non-EDNS-aware server there is no reason to not let through EDNS(1) as
they are equally as "dangerous" to such a server.  If the server is EDNS
aware it should just return BADVERS.

There are stupid firewalls that drop DNS queries with unknown EDNS
options.  This breaks RFC6891 (RFC2671 was silent on this).  Unknown
options are supposed to be ignored.

There are stupid firewalls that drop DNS queries that are not in
some type list.  This breaks RFC 1034/RFC 1035.  The DNS is a query
response protocol.

These firewalls are not providing any "security" benefit to anyone
by doing this.  All they are doing is stuffing up the ability to
deploy protocol extensions.  They require resolver vendors to deploy
hacks to try to determine whether the packet loss is due to a DNS feature
or just normal packet loss due to congestion / bad checksums.  They make
DNS resolution slower and cause DNSSEC validation to fail when the
hacks make the wrong determination of the packet loss cause.

You can find graphs which show a lot of this breakage here, as well
as a tester.  See https://ednscomp.isc.org/

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
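The query fields Mark's message lists (the reserved Z bit, AD=1, DO=1, unassigned EDNS flag bits, a non-zero EDNS version, unknown EDNS options, and an "unusual" QTYPE) can be checked directly on the wire. The following is an added example, not code from the post, from BIND or from ISC: a stdlib-only Python script that builds a DNS query carrying an EDNS(0) OPT record, parses it back, and reports two things side by side: what RFC 1035, RFC 6840 and RFC 6891 ask a nameserver to do with each feature, and which drop rules of the kind described in the post would fire on it. The sample query, the option code 65001 (taken from the local-use range), the small `KNOWN_OPTIONS` set and the three-type QTYPE allow-list are all constructed for the demonstration; a real resolver and a real firewall policy would differ in detail. Fed with queries captured in front of a firewall, the `naive_firewall_verdicts` table shows which compliant traffic a rule set of this kind would be discarding.

```python
"""Constructed example: which standards-compliant DNS query fields a
too-strict middlebox drops on, versus what the RFCs ask a server to do."""
import struct

# Header flag bits (RFC 1035 section 4.1.1; AD from RFC 2535 / RFC 6840).
# Bit 6 is the reserved "Z" bit, which receivers must ignore.
FLAG_RD = 1 << 8
FLAG_Z = 1 << 6
FLAG_AD = 1 << 5
# EDNS(0) OPT pseudo-RR (RFC 6891). Its TTL field packs
# ext-RCODE (8 bits) | version (8 bits) | DO (1 bit) | unassigned (15 bits).
TYPE_OPT = 41
EDNS_DO = 1 << 15
RCODE_BADVERS = 16
# Real IANA option codes, but a deliberately tiny subset (toy assumption).
KNOWN_OPTIONS = {3: "NSID", 8: "CLIENT-SUBNET", 10: "COOKIE", 12: "PADDING"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf, off):
    """Read an uncompressed name; return (dotted name, next offset)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointers are not expected in a query")
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", off


def build_query(qname, qtype, *, z_bit=False, ad=False, edns=True, do=False,
                edns_version=0, edns_flags=0, options=()):
    """Build one query; every flag the post mentions is caller-selectable."""
    flags = FLAG_RD | (FLAG_Z if z_bit else 0) | (FLAG_AD if ad else 0)
    pkt = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1 if edns else 0)
    pkt += encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    if edns:
        rdata = b"".join(struct.pack("!HH", code, len(d)) + d for code, d in options)
        ttl = (edns_version << 16) | (EDNS_DO if do else 0) | edns_flags
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = flags word
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl, len(rdata)) + rdata
    return pkt


def parse_query(pkt):
    """Decode header, the (single) question and any OPT RR into the fields
    the post talks about."""
    _, flags, _, _, _, arcount = struct.unpack_from("!HHHHHH", pkt, 0)
    qname, off = decode_name(pkt, 12)
    qtype, _ = struct.unpack_from("!HH", pkt, off)
    off += 4
    info = {"qname": qname, "qtype": qtype, "z_bit": bool(flags & FLAG_Z),
            "ad": bool(flags & FLAG_AD), "edns": None}
    for _ in range(arcount):
        _, off = decode_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_OPT:
            opts, p = [], 0
            while p + 4 <= len(rdata):
                code, ln = struct.unpack_from("!HH", rdata, p)
                opts.append((code, rdata[p + 4:p + 4 + ln]))
                p += 4 + ln
            info["edns"] = {"version": (ttl >> 16) & 0xFF, "do": bool(ttl & EDNS_DO),
                            "flags": ttl & 0x7FFF, "options": opts}
    return info


def rfc_compliant_handling(info):
    """What the RFCs ask a nameserver to do with the features in this query."""
    edns = info["edns"]
    if edns and edns["version"] != 0:
        # RFC 6891: unsupported version -> BADVERS with our version (0), no answer
        return [f"reply with extended RCODE BADVERS ({RCODE_BADVERS}), version 0"]
    actions = []
    if info["z_bit"]:
        actions.append("ignore reserved Z bit")
    if info["ad"]:
        actions.append("AD=1 in query: set AD in the reply only if the answer validated")
    if edns:
        if edns["flags"]:
            actions.append("ignore unassigned EDNS flag bits")
        actions += [f"ignore unknown EDNS option {c}" for c, _ in edns["options"]
                    if c not in KNOWN_OPTIONS]
        if edns["do"]:
            actions.append("DO=1: include RRSIGs with the answer")
    actions.append(f"answer the QTYPE {info['qtype']} question normally")
    return actions


def naive_firewall_verdicts(info):
    """Drop rules of the kind the post describes. Each rule fires only on a
    standards-compliant feature, so every True here is a false positive."""
    e = info["edns"] or {"do": False, "version": 0, "flags": 0, "options": []}
    return {
        "drop reserved Z bit set": info["z_bit"],
        "drop DO=1": e["do"],
        "drop AD=1": info["ad"],
        "drop EDNS flag bits set": bool(e["flags"]),
        "drop EDNS version != 0": e["version"] != 0,
        "drop unknown EDNS option": any(c not in KNOWN_OPTIONS for c, _ in e["options"]),
        "drop QTYPE outside {A, MX, AAAA}": info["qtype"] not in (1, 15, 28),  # toy list
    }


if __name__ == "__main__":
    # Constructed query: DNSKEY (type 48) lookup with Z and AD set, DO=1 and a
    # made-up option from the local-use code range (65001).
    q = parse_query(build_query("example.com.", 48, z_bit=True, ad=True, do=True,
                                options=[(65001, b"\x01")]))
    for rule, fired in naive_firewall_verdicts(q).items():
        print(("DROP  " if fired else "pass  ") + rule)
    print("compliant server would:", rfc_compliant_handling(q))
```

Every rule in `naive_firewall_verdicts` fires on the sample query, yet `rfc_compliant_handling` shows a conforming server needs nothing more than to ignore the bits it does not understand and answer; the one case where a server legitimately refuses to answer, EDNS version 1, is answered with BADVERS rather than silence, which is exactly the signal a resolver loses when a middlebox drops the packet instead.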