[info] DNS flag day aka EDNS compliance approaching (2019-02-01) - CoreDNS compliant ;) #2488

Closed
stp-ip opened this issue Jan 22, 2019 · 4 comments
Labels
works as intended Not a bug or issue

Comments

@stp-ip
Member

stp-ip commented Jan 22, 2019

Just wanted to have this available until mid-February to let people know more about it and let them switch to a compliant DNS server *cough* CoreDNS (compliance issue #2328).

> The current DNS is unnecessarily slow and suffers from inability to deploy new features. To remediate these problems, vendors of DNS software and also big public DNS providers are going to remove certain workarounds on February 1st, 2019.

Aka EDNS workarounds won't be provided in the latest version of various providers and implementations. That means a hard cut-off for old (say mostly 15y+ old clients).

Take a look at more information, which providers are supporting this and a checking tool to check your compliance: https://dnsflagday.net/

@stp-ip stp-ip added works as intended Not a bug or issue pinned labels Jan 22, 2019
@stp-ip stp-ip pinned this issue Jan 22, 2019
@stp-ip stp-ip changed the title [info] DNS flag day aka EDNS compliance approaching [info] DNS flag day aka EDNS compliance approaching (2019-02-01) - CoreDNS compliant ;) Jan 22, 2019
@miekg
Member

miekg commented Jan 23, 2019 via email

@miekg
Member

miekg commented Jan 23, 2019 via email

@corbot corbot bot closed this as completed Jan 23, 2019
@stp-ip stp-ip unpinned this issue Jan 24, 2019
@dongsrazor

got some zflag=formerr,z

miek.nl. @176.58.119.54 (linode.atoom.net.): dns=ok zflag=formerr,z edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok
miek.nl. @2a01:7e00::f03c:91ff:fe79:234c (linode.atoom.net.): dns=ok zflag=formerr,z edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok

The Following Tests Failed
Warning: test failures may indicate that some DNS clients cannot resolve the zone or will get a unintended answer or resolution will be slower than necessary.

Warning: failure to address issues identified here may make future DNS extensions that you want to use ineffective. In particular echoing back unknown EDNS options and unknown EDNS flags will break future signaling between DNS client and DNS server. We already have examples of this where you cannot depend on the AD flag bit meaning anything in replies because too many DNS servers just echo it back. Similarly the EDNS Client Subnet (ECS) option cannot just be sent to everyone in part because of servers just echoing it back.

Plain DNS with last reserved header bit set (zflag)
dig +norec +noad +noedns +zflag soa zone @server
expect: SOA
expect: NOERROR
expect: Z bit to be clear in response
See RFC1035, 4.1.1. Header section format

Codes
ok - test passed.
expire - EDNS EXPIRE supported [RFC7314].
subnet - EDNS Client Subnet supported [RFC7871].
cookie - EDNS COOKIE supported [RFC7873].
z - DNS header flag echoed back.

To retrieve this report in the future: https://ednscomp.isc.org/ednscomp/35d1cad5e5
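
The zflag test quoted in the report above, as an added Go example that is not part of the thread and not CoreDNS code: it builds the plain-DNS query with the last reserved header bit set and classifies a reply header in the report's token style. The function names and the reply flags are constructed for illustration, and only the header-level expectations (NOERROR, Z bit clear) are checked, not the SOA answer.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// flagZ is the last reserved header bit (RFC 1035, 4.1.1), the one dig +zflag sets.
const flagZ, rcodeMask = 0x0040, 0x000f

var rcodeNames = strings.Fields("noerror formerr servfail nxdomain notimp refused " +
	"yxdomain yxrrset nxrrset notauth notzone rcode11 rcode12 rcode13 rcode14 rcode15")

// BuildZFlagQuery returns a plain (no EDNS) SOA query for a non-root zone with
// RD and AD clear and Z set, like dig +norec +noad +noedns +zflag soa zone.
func BuildZFlagQuery(id uint16, zone string) []byte {
	msg := []byte{byte(id >> 8), byte(id), 0x00, flagZ, 0, 1, 0, 0, 0, 0, 0, 0}
	for _, label := range strings.Split(strings.TrimSuffix(zone, "."), ".") {
		msg = append(append(msg, byte(len(label))), label...)
	}
	return append(msg, 0, 0, 6, 0, 1) // root label, QTYPE=SOA (6), QCLASS=IN (1)
}

// ClassifyZFlag checks a response header against the test's expectations and
// returns "ok" or the failures as comma-separated tokens, e.g. "formerr,z".
func ClassifyZFlag(resp []byte) (string, error) {
	if len(resp) < 12 || resp[2]&0x80 == 0 { // truncated header or QR bit clear
		return "", errors.New("not a DNS response")
	}
	flags := uint16(resp[2])<<8 | uint16(resp[3])
	var codes []string
	if rc := flags & rcodeMask; rc != 0 {
		codes = append(codes, rcodeNames[rc]) // expected NOERROR
	}
	if flags&flagZ != 0 {
		codes = append(codes, "z") // expected Z clear: the server echoed it back
	}
	if len(codes) == 0 {
		return "ok", nil
	}
	return strings.Join(codes, ","), nil
}

func main() {
	resp := BuildZFlagQuery(0x1234, "example.org.")
	resp[2], resp[3] = 0x80, 0x41 // constructed reply flags: QR, Z echoed, RCODE=1
	fmt.Println(ClassifyZFlag(resp))
}
```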

@miekg
Member

miekg commented Jun 7, 2019 via email
