DNS flag day

Ben Croswell ben.croswell at gmail.com
Fri Jan 18 19:58:02 UTC 2019


I would say we had one provider go as far as saying this whole flag day
thing is a hoax. Not sure what option there is other than voting with your
wallet and moving to a different provider.

May even be worth looking at 2 providers. I see DNS provider redundancy as
being a huge priority after the Dyn DDoS event.

On Fri, Jan 18, 2019, 2:50 PM Lightner, Jeffrey <JLightner at dsservices.com>
wrote:

> On checking I find that any of our domains that use Network Solutions’
> Worldnic.com nameservers are reporting failures when checked.
>
> For example this result:  https://ednscomp.isc.org/ednscomp/e30c6cf0ea
>
> Other people online have posted about Network Solutions as they also saw
> failures.
>
> On calling Network Solutions today they told me they are compliant despite
> what was reported by https://dnsflagday.net/
>
>
>
> This issue is with domains registered at Network Solutions and using their
> Advanced DNS (i.e. their Worldnic name servers).   Other domains we have
> registered with them but pointing to other name servers (i.e. our own BIND
> servers) displayed as compliant.
>
> When I sent them the links they saw what I saw but still claimed they are
> compliant.   They refused to send me something in writing stating that so I
> suggested they reach out to ISC regarding the checker’s results if they
> believe they are compliant, but they said they don’t see the need.   I’ve
> asked them to escalate and they say they have but I suspect I’ll not hear
> back from them.
>
> Is there a list of known edns compliant Registrar name servers for the
> larger Registrars?
>
> Is it possible the failures seen are false?   If so, are there alternate
> edns compliance checkers that might show different responses than
> dnsflagday.net?
>
> *From:* bind-users <bind-users-bounces at lists.isc.org> *On Behalf Of* Ben
> Croswell
> *Sent:* Friday, January 18, 2019 12:19 PM
> *To:* bind-users at lists.isc.org
> *Subject:* Re: DNS flag day
>
>
>
> I shouldn't have posted so closely to responding to the other user.
>
>
>
> I am not running 9.8. I was replying to them about firewalls in regards to
> their 9.8 issues.
>
>
>
> Was just hoping for a statement of 9.x or greater supports the needed
> badvers signaling etc.
>
>
>
> On Fri, Jan 18, 2019, 12:15 PM Victoria Risk <vicky at isc.org> wrote:
>
>
>
> On Jan 18, 2019, at 9:09 AM, Ben Croswell <ben.croswell at gmail.com> wrote:
>
>
>
> Has ISC released minimum viable BIND version for flag day?
>
>
>
> Most versions of BIND authoritative servers, going back years, are EDNS
> compatible. Certainly ALL currently supported versions are compatible. I
> see you are running 9.8, which has been EOL since September, 2014.  I think
> that is probably fine, as far as EDNS, however.
>
>
>
> The change in BIND related to DNS Flag Day is removing workarounds from
> resolvers, that will retry without EDNS or otherwise try to proceed even
> when EDNS fails. This change came in the BIND 9.13 development version, and
> will be in BIND 9.14, which is not yet released.
>
>
>
> The problem you are seeing is most likely firewall-related.
>
>
>
> Vicky
>
>
>
>
>
> I looked around and couldn't find anything.
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
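
Added example, not part of the thread and not ISC's checker code: a simplified offline check of the two EDNS behaviours discussed above, that a name server answers an EDNS query with an OPT record and signals BADVERS (RFC 6891) for an unsupported EDNS version. The function names, `example.com` and the sample messages are constructed for illustration.

```python
import struct

OPT, BADVERS = 41, 16  # RR type OPT and extended RCODE BADVERS (RFC 6891)

def build_message(qname, edns_version=None, flags=0, ext_rcode=0):
    """Build a one-question SOA message; append an OPT RR if edns_version is set."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    msg = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0 if edns_version is None else 1)
    msg += name + b"\x00" + struct.pack("!2H", 6, 1)  # QTYPE=SOA, QCLASS=IN
    if edns_version is not None:
        # root name, TYPE=OPT, CLASS=UDP size, TTL=ext-rcode|version|flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHBBHH", OPT, 4096, ext_rcode, edns_version, 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_edns(msg):
    """Return (full 12-bit rcode, OPT version or None) for a DNS message."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, rcode, version = 12, flags & 0xF, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ext, ver, _fl, rdlen = struct.unpack("!HHBBHH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            rcode, version = rcode | (ext << 4), ver
    return rcode, version

def classify(sent_version, response):
    """Judge a response to an EDNS query that was sent with sent_version."""
    rcode, version = parse_edns(response)
    if version is None:
        return "fail: no OPT in response (EDNS ignored or stripped in transit)"
    if version != 0:
        return "fail: OPT version %d echoed instead of 0" % version
    if sent_version == 0:
        return "ok" if rcode == 0 else "fail: rcode %d to plain EDNS query" % rcode
    return "ok" if rcode == BADVERS else "fail: rcode %d, expected BADVERS" % rcode

# Constructed responses (QR|AA set), not captured traffic.
GOOD_V1 = build_message("example.com", 0, flags=0x8400, ext_rcode=1)  # BADVERS, v0
NO_OPT = build_message("example.com", None, flags=0x8400)  # OPT dropped
ECHO_V1 = build_message("example.com", 1, flags=0x8400)  # version 1 echoed back
```

To test a live server, send `build_message(zone, 0)` and `build_message(zone, 1)` over UDP port 53 and pass each reply to `classify` with the version that was sent.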