edns0 compliance #2328

Closed
miekg opened this issue Nov 20, 2018 · 7 comments
Labels
dns DNS protolol


miekg commented Nov 20, 2018

The DNS flag day is a thing, and as CoreDNS basically just echoes back whatever edns0 thing gets thrown at it, we need some work here.

https://dnsflagday.net/ with miek.nl shows:

This domain is going to work after the 2019 DNS flag day BUT it does not support the latest DNS standards. As a consequence this domain cannot support the latest security features and might be an easier target for network attackers than necessary, and might face other issues later on. We recommend your domain administrator to fix issues listed in the following technical report https://ednscomp.isc.org/ednscomp/66b1c1e31c

The Following Tests Failed
Warning: test failures may indicate that some DNS clients cannot resolve the zone or will get an unintended answer or resolution will be slower than necessary.

Warning: failure to address issues identified here may make future DNS extensions that you want to use ineffective. In particular echoing back unknown EDNS options and unknown EDNS flags will break future signaling between DNS client and DNS server. We already have examples of this where you cannot depend on the AD flag bit meaning anything in replies because too many DNS servers just echo it back. Similarly the EDNS Client Subnet (ECS) option cannot just be sent to everyone in part because of servers just echoing it back.

EDNS - Truncated Response (edns@512)
dig +nocookie +norec +noad +dnssec +bufsize=512 +ignore dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
expect: UDP DNS message size to be less than or equal to 512 bytes
See RFC6891, 7. Transport Considerations

EDNS - Unknown Option Handling (ednsopt)
dig +nocookie +norec +noad +ednsopt=100 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: that the option will not be present in response
See RFC6891, 6.1.2 Wire Format

Codes
ok - test passed.
expire - EDNS EXPIRE supported [RFC7314].
subnet - EDNS Client Subnet supported [RFC7871].
cookie - EDNS COOKIE supported [RFC7873].
noopt - OPT record not found when expected.
echoed - EDNS option echoed back.
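The two failing tests above can be reproduced against a captured reply without running dig. The following is an added example in Python, not CoreDNS code and not the ednscomp tool; it parses the OPT record out of a wire-format reply (constructed inline), reads the EDNS version from the TTL field per RFC 6891, reports any option code the client sent that came back (here code 100, matching the +ednsopt=100 probe), and flags a reply larger than the advertised bufsize.

```python
"""Check a DNS reply for the ednscomp failures quoted above (added example)."""
import struct

OPT = 41  # RR type of the EDNS(0) OPT pseudo-record


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name, including compression pointers."""
    while off < len(msg):
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            return off + 2
        off += 1 + length
    raise ValueError("truncated name")


def check_edns(reply: bytes, sent_opts: set, bufsize: int) -> dict:
    """Return findings named after the ednscomp codes: noopt, echoed, version."""
    qd, an, ns, ar = struct.unpack("!HHHH", reply[4:12])
    found = {"noopt": True, "version": None, "echoed": set(),
             "oversize": len(reply) > bufsize}
    off = 12
    for _ in range(qd):
        off = _skip_name(reply, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(reply, off)
        rrtype, _cls, ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        rdata = reply[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rrtype != OPT:
            continue
        found["noopt"] = False
        found["version"] = (ttl >> 16) & 0xFF  # TTL = ext-rcode, version, flags
        pos = 0
        while pos + 4 <= len(rdata):  # walk the option list: code, len, data
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            if code in sent_opts:
                found["echoed"].add(code)
            pos += 4 + olen
    return found


def build_reply(echo_opt: bool) -> bytes:
    """Constructed sample: SOA question plus an OPT RR, optionally echoing code 100."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 1)
    question = b"\x04miek\x02nl\x00" + struct.pack("!HH", 6, 1)  # SOA IN
    rdata = (struct.pack("!HH", 100, 4) + b"\xde\xad\xbe\xef") if echo_opt else b""
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, len(rdata)) + rdata
    return hdr + question + opt
```

A compliant server yields `echoed == set()` for an unknown option; a reply that echoes it back is exactly the `echoed` failure ednscomp reports.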

miekg commented Dec 6, 2018

See #2373 for further discussion.


fturib commented Jan 15, 2019

NOTE: toggle to edns flag day is on Feb 1st 2019.
Should we raise the priority of this ticket? Or #2373?
@miekg, @johnbelamaric: what is your opinion?


miekg commented Jan 15, 2019 via email

@johnbelamaric

It's not going to break anything, so I think it is not super-urgent. But good to fix for sure.


miekg commented Jan 15, 2019 via email

@johnbelamaric

So...should this be closed? Why is it still open?


miekg commented Jan 15, 2019 via email
