The problem lies outside of Linux distributions, the problem lies with
over-aggressive firewalls (or poorly designed firewalls) that don't
allow or understand DNS Extensions.
And with old DNS server versions that do not allow them either, I think.
And that seems to be the case for the abovementioned domains.
(or there is such an overly aggressive firewall in front of them)
This email was sent to you from a Debian Stretch (earlier in the food
chain than Jessie) server using DNS servers running various versions of
Linux DNS software behind simple iptables firewalls that don't strip
off DNS Extension bits.
I am running Debian Buster on my own machine at home, even newer, and I have
no problems either. But on our AMPRnet gateway (which has Debian Jessie)
there is a DNS server/resolver (bind 9.9.5) which logs EDNS warnings about
the abovementioned domains, and it was my impression that after this flag
day those warnings would be turned into errors for those domains.
But of course that would only happen when Debian decides to replace the bind
package on Jessie with a new version that has been amended according to the
message that Brian sent (9.14.0). I am not so convinced that this is going to
happen, but I have not researched that fully.
If I understand correctly, major resolvers like 1.1.1.1, 8.8.8.8 and 9.9.9.9
would make that change on Feb 1st, so those that use these resolvers will be
affected immediately on Feb 1st.
Well, we will see. The number of EDNS warnings (and warnings about DNSSEC issues)
has gone down quite a bit in the last months, so apparently work has been done
in a lot of places already.
Rob
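
Added example, not part of the original message: a Python sketch of the check behind such EDNS warnings. It builds a query carrying the EDNS0 OPT pseudo-record (RFC 6891) and classifies what comes back. The function names, labels and sample responses are constructed for illustration.

```python
import struct

OPT = 41  # RR type of the EDNS0 OPT pseudo-record (RFC 6891)

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_edns_query(name, qid=0x1234, udp_size=1232):
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", 1, 1)    # QTYPE A, QCLASS IN
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
    return header + question + b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += n + 1

def has_opt(msg):
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:
            return True
        off += 10 + rdlen
    return False

def classify(response):
    if response is None:
        return "no-response"      # query with OPT was dropped: the case that needs a non-EDNS retry
    if has_opt(response):
        return "edns-ok"
    return "no-edns-formerr" if response[3] & 0x0F == 1 else "no-edns-plain"

def sample_responses(query):
    """Constructed replies to `query`: OPT echoed, FORMERR without OPT, plain answer without OPT."""
    bare = lambda flags: query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + query[12:-11]
    return [query[:2] + b"\x81\x80" + query[4:], bare(0x8101), bare(0x8180), None]

if __name__ == "__main__":
    q = build_edns_query("example.org")
    for r in sample_responses(q):
        print(classify(r))
```

To test a real server, send the bytes from `build_edns_query()` over UDP port 53 with a timeout and pass the reply (or `None` on timeout) to `classify()`.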