diff --git a/CHANGES b/CHANGES
index a17df7937a..5e55faa14a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,10 @@
+5029. [func] Workarounds for servers that misbehave when queried
+ with EDNS have been removed, because these broken
+ servers and the workarounds for their noncompliance
+ cause unnecessary delays, increase code complexity,
+ and prevent deployment of new DNS features. See
+ https://dnsflagday.net for further details. [GL #150]
+
5028. [bug] Spread the initial RRSIG expiration times over the
entire working sig-validity-interval when signing a
zone in named to even out re-signing and transfer
diff --git a/bin/named/main.c b/bin/named/main.c
index 4cb4846310..aa131988b0 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -122,14 +122,17 @@ static int maxudp = 0;
*/
static bool clienttest = false;
static bool dropedns = false;
-static bool noedns = false;
-static bool nosoa = false;
-static bool noaa = false;
-static unsigned int delay = 0;
-static bool nonearest = false;
-static bool notcp = false;
+static bool ednsformerr = false;
+static bool ednsnotimp = false;
+static bool ednsrefused = false;
static bool fixedlocal = false;
+static bool noaa = false;
+static bool noedns = false;
+static bool nonearest = false;
+static bool nosoa = false;
+static bool notcp = false;
static bool sigvalinsecs = false;
+static unsigned int delay = 0;
/*
* -4 and -6
@@ -488,6 +491,12 @@ parse_T_opt(char *option) {
dropedns = true;
} else if (!strncmp(option, "dscp=", 5)) {
isc_dscp_check_value = atoi(option + 5);
+ } else if (!strcmp(option, "ednsformerr")) {
+ ednsformerr = true;
+ } else if (!strcmp(option, "ednsnotimp")) {
+ ednsnotimp = true;
+ } else if (!strcmp(option, "ednsrefused")) {
+ ednsrefused = true;
} else if (!strcmp(option, "fixedlocal")) {
fixedlocal = true;
} else if (!strcmp(option, "keepstderr")) {
@@ -547,7 +556,7 @@ parse_T_opt(char *option) {
} else if (!strncmp(option, "tat=", 4)) {
named_g_tat_interval = atoi(option + 4);
} else {
- fprintf(stderr, "unknown -T flag '%s\n", option);
+ fprintf(stderr, "unknown -T flag '%s'\n", option);
}
}
@@ -1159,24 +1168,30 @@ setup(void) {
*/
if (clienttest)
ns_server_setoption(sctx, NS_SERVER_CLIENTTEST, true);
- if (dropedns)
- ns_server_setoption(sctx, NS_SERVER_DROPEDNS, true);
- if (noedns)
- ns_server_setoption(sctx, NS_SERVER_NOEDNS, true);
- if (nosoa)
- ns_server_setoption(sctx, NS_SERVER_NOSOA, true);
- if (noaa)
- ns_server_setoption(sctx, NS_SERVER_NOAA, true);
- if (nonearest)
- ns_server_setoption(sctx, NS_SERVER_NONEAREST, true);
- if (notcp)
- ns_server_setoption(sctx, NS_SERVER_NOTCP, true);
- if (fixedlocal)
- ns_server_setoption(sctx, NS_SERVER_FIXEDLOCAL, true);
if (disable4)
ns_server_setoption(sctx, NS_SERVER_DISABLE4, true);
if (disable6)
ns_server_setoption(sctx, NS_SERVER_DISABLE6, true);
+ if (dropedns)
+ ns_server_setoption(sctx, NS_SERVER_DROPEDNS, true);
+ if (ednsformerr) /* STD13 server */
+ ns_server_setoption(sctx, NS_SERVER_EDNSFORMERR, true);
+ if (ednsnotimp)
+ ns_server_setoption(sctx, NS_SERVER_EDNSNOTIMP, true);
+ if (ednsrefused)
+ ns_server_setoption(sctx, NS_SERVER_EDNSREFUSED, true);
+ if (fixedlocal)
+ ns_server_setoption(sctx, NS_SERVER_FIXEDLOCAL, true);
+ if (noaa)
+ ns_server_setoption(sctx, NS_SERVER_NOAA, true);
+ if (noedns)
+ ns_server_setoption(sctx, NS_SERVER_NOEDNS, true);
+ if (nonearest)
+ ns_server_setoption(sctx, NS_SERVER_NONEAREST, true);
+ if (nosoa)
+ ns_server_setoption(sctx, NS_SERVER_NOSOA, true);
+ if (notcp)
+ ns_server_setoption(sctx, NS_SERVER_NOTCP, true);
if (sigvalinsecs)
ns_server_setoption(sctx, NS_SERVER_SIGVALINSECS, true);
diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh
index 478ab56c61..e8232f87bd 100755
--- a/bin/tests/system/ifconfig.sh
+++ b/bin/tests/system/ifconfig.sh
@@ -12,10 +12,10 @@
#
# Set up interface aliases for bind9 system tests.
#
-# IPv4: 10.53.0.{1..8} RFC 1918
+# IPv4: 10.53.0.{1..10} RFC 1918
# 10.53.1.{0..2}
# 10.53.2.{0..2}
-# IPv6: fd92:7065:b8e:ffff::{1..8} ULA
+# IPv6: fd92:7065:b8e:ffff::{1..10} ULA
# fd92:7065:b8e:99ff::{1..2}
# fd92:7065:b8e:ff::{1..2}
#
@@ -65,7 +65,7 @@ case "$1" in
2) ipv6="00" ;;
*) ipv6="" ;;
esac
- for ns in 1 2 3 4 5 6 7 8
+ for ns in 1 2 3 4 5 6 7 8 9 10
do
[ $i -gt 0 -a $ns -gt 2 ] && break
int=`expr $i \* 10 + $ns`
@@ -171,7 +171,7 @@ case "$1" in
2) ipv6="00" ;;
*) ipv6="" ;;
esac
- for ns in 8 7 6 5 4 3 2 1
+ for ns in 10 9 8 7 6 5 4 3 2 1
do
[ $i -gt 0 -a $ns -gt 2 ] && continue
int=`expr $i \* 10 + $ns - 1`
diff --git a/bin/tests/system/legacy/clean.sh b/bin/tests/system/legacy/clean.sh
index 79432ec397..ad7ef8540d 100644
--- a/bin/tests/system/legacy/clean.sh
+++ b/bin/tests/system/legacy/clean.sh
@@ -8,9 +8,9 @@
# information regarding copyright ownership.
rm -f dig.out.*
-rm -f ns?/named.conf
-rm -f ns?/named.memstats
-rm -f ns?/named.run
+rm -f ns*/named.conf
+rm -f ns*/named.memstats
+rm -f ns*/named.run
rm -f ns*/named.lock
# build.sh
diff --git a/bin/tests/system/legacy/ns1/root.db b/bin/tests/system/legacy/ns1/root.db
index 78ae65b8a1..e4889a8f2a 100644
--- a/bin/tests/system/legacy/ns1/root.db
+++ b/bin/tests/system/legacy/ns1/root.db
@@ -23,3 +23,9 @@ edns512. NS ns.edns512.
ns.edns512. A 10.53.0.6
edns512-notcp. NS ns.edns512-notcp.
ns.edns512-notcp. A 10.53.0.7
+ednsformerr. NS ns.ednsformerr.
+ns.ednsformerr. A 10.53.0.8
+ednsnotimp. NS ns.ednsnotimp.
+ns.ednsnotimp. A 10.53.0.9
+ednsrefused. NS ns.ednsrefused.
+ns.ednsrefused. A 10.53.0.10
diff --git a/bin/tests/system/legacy/ns10/ednsrefused.db b/bin/tests/system/legacy/ns10/ednsrefused.db
new file mode 100644
index 0000000000..caac70d26a
--- /dev/null
+++ b/bin/tests/system/legacy/ns10/ednsrefused.db
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 60 SOA ns marka.isc.org. 1 0 0 0 0
+@ 60 NS ns
+ns 60 A 10.53.0.8
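Review bot: The apex glue on the last line, `ns 60 A 10.53.0.8`, points at ns8's address, but this zone is served by ns10 (`listen-on { 10.53.0.10; }` in ns10/named.conf.in and `ns.ednsrefused. A 10.53.0.10` in the ns1/root.db delegation); it should read `ns 60 A 10.53.0.10`. The same copy-paste is in ns9/ednsnotimp.db, which should carry `10.53.0.9` — the index lines show all three new .db files share blob caac70d26a, so they are byte-identical. As written the child's authoritative glue disagrees with the parent delegation, and a resolver that prefers the in-zone address would send its follow-up queries to the ednsformerr server rather than the one under test, which could mask a regression in the notimp/refused cases.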
diff --git a/bin/tests/system/legacy/ns10/named.conf.in b/bin/tests/system/legacy/ns10/named.conf.in
new file mode 100644
index 0000000000..e7bf8b256a
--- /dev/null
+++ b/bin/tests/system/legacy/ns10/named.conf.in
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.10;
+ notify-source 10.53.0.10;
+ transfer-source 10.53.0.10;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.10; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+};
+
+zone "ednsrefused" {
+ type master;
+ file "ednsrefused.db";
+};
diff --git a/bin/tests/system/legacy/ns10/named.ednsrefused b/bin/tests/system/legacy/ns10/named.ednsrefused
new file mode 100644
index 0000000000..6b43ac06d0
--- /dev/null
+++ b/bin/tests/system/legacy/ns10/named.ednsrefused
@@ -0,0 +1 @@
+ednsrefused
diff --git a/bin/tests/system/legacy/ns8/ednsformerr.db b/bin/tests/system/legacy/ns8/ednsformerr.db
new file mode 100644
index 0000000000..caac70d26a
--- /dev/null
+++ b/bin/tests/system/legacy/ns8/ednsformerr.db
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 60 SOA ns marka.isc.org. 1 0 0 0 0
+@ 60 NS ns
+ns 60 A 10.53.0.8
diff --git a/bin/tests/system/legacy/ns8/named.conf.in b/bin/tests/system/legacy/ns8/named.conf.in
new file mode 100644
index 0000000000..dc4ce6b37b
--- /dev/null
+++ b/bin/tests/system/legacy/ns8/named.conf.in
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.8;
+ notify-source 10.53.0.8;
+ transfer-source 10.53.0.8;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.8; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+};
+
+zone "ednsformerr" {
+ type master;
+ file "ednsformerr.db";
+};
diff --git a/bin/tests/system/legacy/ns8/named.ednsformerr b/bin/tests/system/legacy/ns8/named.ednsformerr
new file mode 100644
index 0000000000..e35cb0253a
--- /dev/null
+++ b/bin/tests/system/legacy/ns8/named.ednsformerr
@@ -0,0 +1 @@
+ednsformerr
diff --git a/bin/tests/system/legacy/ns9/ednsnotimp.db b/bin/tests/system/legacy/ns9/ednsnotimp.db
new file mode 100644
index 0000000000..caac70d26a
--- /dev/null
+++ b/bin/tests/system/legacy/ns9/ednsnotimp.db
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 60 SOA ns marka.isc.org. 1 0 0 0 0
+@ 60 NS ns
+ns 60 A 10.53.0.8
diff --git a/bin/tests/system/legacy/ns9/named.conf.in b/bin/tests/system/legacy/ns9/named.conf.in
new file mode 100644
index 0000000000..34ac3af85e
--- /dev/null
+++ b/bin/tests/system/legacy/ns9/named.conf.in
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.9;
+ notify-source 10.53.0.9;
+ transfer-source 10.53.0.9;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.9; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+};
+
+zone "ednsnotimp" {
+ type master;
+ file "ednsnotimp.db";
+};
diff --git a/bin/tests/system/legacy/ns9/named.ednsnotimp b/bin/tests/system/legacy/ns9/named.ednsnotimp
new file mode 100644
index 0000000000..4e6424dc6f
--- /dev/null
+++ b/bin/tests/system/legacy/ns9/named.ednsnotimp
@@ -0,0 +1 @@
+ednsnotimp
diff --git a/bin/tests/system/legacy/setup.sh b/bin/tests/system/legacy/setup.sh
index b41da9eb86..0770f46290 100644
--- a/bin/tests/system/legacy/setup.sh
+++ b/bin/tests/system/legacy/setup.sh
@@ -15,10 +15,12 @@ SYSTEMTESTTOP=..
$SHELL clean.sh
copy_setports ns1/named1.conf.in ns1/named.conf
-
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+copy_setports ns9/named.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
diff --git a/bin/tests/system/legacy/tests.sh b/bin/tests/system/legacy/tests.sh
index 09728e098a..1f860bcd29 100755
--- a/bin/tests/system/legacy/tests.sh
+++ b/bin/tests/system/legacy/tests.sh
@@ -17,6 +17,60 @@ DIGOPTS="-p ${PORT}"
status=0
n=0
+n=`expr $n + 1`
+echo_i "checking formerr edns server setup ($n)"
+ret=0
+$DIG $DIGOPTS +edns @10.53.0.8 ednsformerr soa > dig.out.1.test$n || ret=1
+grep "status: FORMERR" dig.out.1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noedns @10.53.0.8 ednsformerr soa > dig.out.2.test$n || ret=1
+grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking recursive lookup to formerr edns server succeeds ($n)"
+ret=0
+$DIG $DIGOPTS +tcp @10.53.0.1 ednsformerr soa > dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking notimp edns server setup ($n)"
+ret=0
+$DIG $DIGOPTS +edns @10.53.0.9 ednsnotimp soa > dig.out.1.test$n || ret=1
+grep "status: NOTIMP" dig.out.1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noedns @10.53.0.9 ednsnotimp soa > dig.out.2.test$n || ret=1
+grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking recursive lookup to notimp edns server fails ($n)"
+ret=0
+$DIG $DIGOPTS +tcp @10.53.0.1 ednsnotimp soa > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking refused edns server setup ($n)"
+ret=0
+$DIG $DIGOPTS +edns @10.53.0.10 ednsrefused soa > dig.out.1.test$n || ret=1
+grep "status: REFUSED" dig.out.1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noedns @10.53.0.10 ednsrefused soa > dig.out.2.test$n || ret=1
+grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking recursive lookup to refused edns server fails ($n)"
+ret=0
+$DIG $DIGOPTS +tcp @10.53.0.1 ednsrefused soa > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
n=`expr $n + 1`
echo_i "checking drop edns server setup ($n)"
ret=0
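Review bot: The two negative checks here ("recursive lookup to notimp edns server fails" and "... refused edns server fails") pass vacuously when dig produces no status line at all — ns1 not running, a timeout, or a transport error — because `grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1` only rejects NOERROR, and the `|| ret=1` on the dig line, which would catch a dig that got no response, was left off. Asserting the outcome the resolver is expected to produce keeps the test meaningful, e.g. `grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1` (presumably SERVFAIL for an unresolvable delegation — confirm against ns1's actual reply). The same weakening is in the dropedns and dropedns-notcp hunks below, which also drop `|| ret=1`; the edns512-notcp hunk keeps it and is the pattern to follow.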
@@ -34,10 +88,10 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
-echo_i "checking recursive lookup to drop edns server succeeds ($n)"
+echo_i "checking recursive lookup to drop edns server fails ($n)"
ret=0
-$DIG $DIGOPTS +tcp @10.53.0.1 dropedns soa > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +tcp @10.53.0.1 dropedns soa > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -55,10 +109,10 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
-echo_i "checking recursive lookup to drop edns + no tcp server succeeds ($n)"
+echo_i "checking recursive lookup to drop edns + no tcp server fails ($n)"
ret=0
-$DIG $DIGOPTS +tcp @10.53.0.1 dropedns-notcp soa > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +tcp @10.53.0.1 dropedns-notcp soa > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -135,10 +189,10 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
-echo_i "checking recursive lookup to edns 512 + no tcp server succeeds ($n)"
+echo_i "checking recursive lookup to edns 512 + no tcp server fails ($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.1 edns512-notcp soa > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
diff --git a/bin/tests/system/start.pl b/bin/tests/system/start.pl
index 6380ccb154..dc790bc607 100755
--- a/bin/tests/system/start.pl
+++ b/bin/tests/system/start.pl
@@ -195,14 +195,20 @@ sub start_server {
$command .= "-X named.lock ";
$command .= "-m record,size,mctx ";
$command .= "-T clienttest ";
- $command .= "-T nosoa "
- if (-e "$testdir/$server/named.nosoa");
+ $command .= "-T dropedns "
+ if (-e "$testdir/$server/named.dropedns");
+ $command .= "-T ednsformerr "
+ if (-e "$testdir/$server/named.ednsformerr");
+ $command .= "-T ednsnotimp "
+ if (-e "$testdir/$server/named.ednsnotimp");
+ $command .= "-T ednsrefused "
+ if (-e "$testdir/$server/named.ednsrefused");
$command .= "-T noaa "
if (-e "$testdir/$server/named.noaa");
$command .= "-T noedns "
if (-e "$testdir/$server/named.noedns");
- $command .= "-T dropedns "
- if (-e "$testdir/$server/named.dropedns");
+ $command .= "-T nosoa "
+ if (-e "$testdir/$server/named.nosoa");
$command .= "-T maxudp512 "
if (-e "$testdir/$server/named.maxudp512");
$command .= "-T maxudp1460 "
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 4530c0876e..453b7a43bd 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -17139,7 +17139,58 @@ allow-query { !{ !10/8; any; }; key example; };
source of hints and information that can be used to figure out
what went wrong and how to fix the problem.
+
+ EDNS compliance issues
+
+ EDNS (Extended DNS) is a standard that was first specified
+ in 1999. It is required for DNSSEC validation, DNS COOKIE
+ options, and other features. There are broken and outdated
+ DNS servers and firewalls still in use which misbehave when
+ queried with EDNS; for example, they may drop EDNS queries
+ rather than replying with FORMERR. BIND and other recursive
+ name servers have traditionally employed workarounds in this
+ situation, retrying queries in different ways and eventually
+ falling back to plain DNS queries without EDNS.
+
+
+ Such workarounds cause unnecessary resolution delays,
+ increase code complexity, and prevent deployment of new DNS
+ features. As of February 2019, all major DNS software vendors
+ have agreed to remove these workarounds; see
+ https://dnsflagday.net
+ for further details. This change was implemented in BIND
+ as of release 9.14.0.
+
+
+ As a result, some domains may be non-resolvable without manual
+ intervention. In these cases, resolution can be restored by
+ adding server clauses for the offending
+ servers, specifying edns no or
+ send-cookie no, depending on the specific
+ noncompliance.
+
+
+ To determine which server clause to use,
+ run the following commands to send queries to the authoritative
+ servers for the broken domain:
+
+
+ dig soa <zone> @<server> +dnssec
+ dig soa <zone> @<server> +dnssec +nocookie
+ dig soa <zone> @<server> +noedns
+
+
+ If the first command fails but the second succeeds, the
+ server most likely needs send-cookie no.
+ If the first two fail but the third succeeds, then the server
+ needs EDNS to be fully disabled with edns no.
+
+
+ Please contact the administrators of noncompliant domains
+ and encourage them to upgrade their broken DNS servers.
+ Incrementing and Changing the Serial Number
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index f3c4e2017a..f326885798 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -156,6 +156,47 @@
Removed Features
+
+
+ Workarounds for servers that misbehave when queried with EDNS
+ have been removed, because these broken servers and the
+ workarounds for their noncompliance cause unnecessary delays,
+ increase code complexity, and prevent deployment of new DNS
+ features. See https://dnsflagday.net
+ for further details.
+
+
+ In particular, resolution will no longer fall back to
+ plain DNS when there was no response from an authoritative
+ server. This will cause some domains to become non-resolvable
+ without manual intervention. In these cases, resolution can
+ be restored by adding server clauses for the
+ offending servers, specifying edns no or
+ send-cookie no, depending on the specific
+ noncompliance.
+
+
+ To determine which server clause to use, run
+ the following commands to send queries to the authoritative
+ servers for the broken domain:
+
+
+ dig soa <zone> @<server> +dnssec
+ dig soa <zone> @<server> +dnssec +nocookie
+ dig soa <zone> @<server> +noedns
+
+
+ If the first command fails but the second succeeds, the
+ server most likely needs send-cookie no.
+ If the first two fail but the third succeeds, then the server
+ needs EDNS to be fully disabled with edns no.
+
+
+ Please contact the administrators of noncompliant domains
+ and encourage them to upgrade their broken DNS servers. [GL #150]
+
+
Previously, it was possible to build BIND without thread support
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index cbc1aa8348..b4aa094630 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -2327,26 +2327,6 @@ issecuredomain(dns_view_t *view, const dns_name_t *name, dns_rdatatype_t type,
return (dns_view_issecuredomain(view, name, now, checknta, issecure));
}
-static bool
-wouldvalidate(fetchctx_t *fctx) {
- bool secure_domain;
- isc_result_t result;
- isc_stdtime_t now;
-
- if (!fctx->res->view->enablevalidation)
- return (false);
-
- if (fctx->res->view->dlv != NULL)
- return (true);
-
- isc_stdtime_get(&now);
- result = dns_view_issecuredomain(fctx->res->view, &fctx->name,
- now, true, &secure_domain);
- if (result != ISC_R_SUCCESS)
- return (false);
- return (secure_domain);
-}
-
static isc_result_t
resquery_send(resquery_t *query) {
fetchctx_t *fctx;
@@ -2514,25 +2494,11 @@ resquery_send(resquery_t *query) {
if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) != 0)
query->options |= DNS_FETCHOPT_NOEDNS0;
- /* See if response history indicates that EDNS is not supported. */
- if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0 &&
- dns_adb_noedns(fctx->adb, query->addrinfo))
- query->options |= DNS_FETCHOPT_NOEDNS0;
-
if (fctx->timeout && (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
isc_sockaddr_t *sockaddr = &query->addrinfo->sockaddr;
struct tried *tried;
- if (fctx->timeouts > (MAX_EDNS0_TIMEOUTS * 2) &&
- (!EDNSOK(query->addrinfo) || !wouldvalidate(fctx))) {
- query->options |= DNS_FETCHOPT_NOEDNS0;
- fctx->reason = "disabling EDNS";
- } else if ((tried = triededns512(fctx, sockaddr)) != NULL &&
- tried->count >= 2U &&
- (!EDNSOK(query->addrinfo) || !wouldvalidate(fctx))) {
- query->options |= DNS_FETCHOPT_NOEDNS0;
- fctx->reason = "disabling EDNS";
- } else if ((tried = triededns(fctx, sockaddr)) != NULL) {
+ if ((tried = triededns(fctx, sockaddr)) != NULL) {
if (tried->count == 1U) {
hint = dns_adb_getudpsize(fctx->adb,
query->addrinfo);
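Review bot: Nothing in this hunk references triededns512() after the `tried->count >= 2U` branch is removed; if it has no remaining caller elsewhere in resolver.c it is now an unused static function that will draw an -Wunused-function warning and should be deleted together with wouldvalidate(), which the earlier hunk already removes. Likewise, with the `dns_adb_noedns(fctx->adb, query->addrinfo)` read gone, whatever records that per-address "no EDNS" state in the ADB may now be write-only and worth retiring in the same change. resquery_send() starts and ends outside the hunk, so I cannot confirm either from here.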
@@ -2619,15 +2585,6 @@ resquery_send(resquery_t *query) {
ednsopts[ednsopt].value = NULL;
ednsopt++;
}
-#if DNS_EDNS_VERSION > 0
- /*
- * Some EDNS(0) servers don't ignore unknown options
- * as it was not a explict requirement of RFC 2671.
- * Only send COOKIE to EDNS(1) servers.
- */
- if (version < 1)
- sendcookie = false;
-#endif
if (sendcookie) {
INSIST(ednsopt < DNS_EDNSOPTIONS);
ednsopts[ednsopt].code = DNS_OPT_COOKIE;
@@ -9402,7 +9359,6 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
resquery_t *query = rctx->query;
isc_buffer_t b;
char code[64];
- unsigned char cookie[64];
if (fctx->rmessage->rcode == dns_rcode_noerror ||
fctx->rmessage->rcode == dns_rcode_yxdomain ||
@@ -9423,24 +9379,7 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
" due to bad server", fctx->info);
fctx->qmin_labels = DNS_MAX_LABELS + 1;
result = rctx_answer_minimized(rctx);
- } else if (!NOCOOKIE(query->addrinfo) &&
- (fctx->rmessage->rcode == dns_rcode_formerr ||
- fctx->rmessage->rcode == dns_rcode_notimp ||
- fctx->rmessage->rcode == dns_rcode_refused) &&
- dns_adb_getcookie(fctx->adb, query->addrinfo,
- cookie, sizeof(cookie)) == 0U)
- {
- /*
- * Some servers do not ignore unknown EDNS options.
- */
- dns_adb_changeflags(fctx->adb, query->addrinfo,
- FCTX_ADDRINFO_NOCOOKIE,
- FCTX_ADDRINFO_NOCOOKIE);
- rctx->resend = true;
- } else if ((fctx->rmessage->rcode == dns_rcode_formerr ||
- fctx->rmessage->rcode == dns_rcode_notimp ||
- (fctx->rmessage->rcode == dns_rcode_servfail &&
- dns_message_getopt(fctx->rmessage) == NULL)) &&
+ } else if ((fctx->rmessage->rcode == dns_rcode_formerr) &&
(rctx->retryopts & DNS_FETCHOPT_NOEDNS0) == 0)
{
/*
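Review bot: The branch `} else if ((fctx->rmessage->rcode == dns_rcode_formerr) &&` is now the only EDNS fallback left in the resolver, and the hunk does not say why it was kept when the NOTIMP, SERVFAIL-without-OPT and cookie-retry paths were all removed; the legacy test expects "recursive lookup to formerr edns server succeeds", and a FORMERR without OPT is what a genuine pre-EDNS (STD13) server returns. A one-line comment at the branch would protect it from a later sweep, e.g. `/* FORMERR from a pre-EDNS (STD13) server: retry once without EDNS; the only fallback deliberately retained. */` — the comment that follows the condition is outside the hunk and may already cover this. The parentheses around the single `==` term are a leftover of the old multi-term condition and can be dropped.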
@@ -9485,28 +9424,8 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
unsigned int version;
#if DNS_EDNS_VERSION > 0
unsigned int flags, mask;
-#else
- bool setnocookie = false;
#endif
- /*
- * Some servers return BADVERS to unknown
- * EDNS options. This cannot be long term
- * strategy. Do not disable COOKIE if we have
- * already have received a COOKIE from this
- * server.
- */
- if (dns_adb_getcookie(fctx->adb, query->addrinfo,
- cookie, sizeof(cookie)) == 0U) {
-#if DNS_EDNS_VERSION <= 0
- if (!NOCOOKIE(query->addrinfo))
- setnocookie = true;
-#endif
- dns_adb_changeflags(fctx->adb, query->addrinfo,
- FCTX_ADDRINFO_NOCOOKIE,
- FCTX_ADDRINFO_NOCOOKIE);
- }
-
INSIST(rctx->opt != NULL);
version = (rctx->opt->ttl >> 16) & 0xff;
#if DNS_EDNS_VERSION > 0
@@ -9544,12 +9463,8 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
rctx->next_server = true;
}
#else
- if (version == 0U && setnocookie) {
- rctx->resend = true;
- } else {
- rctx->broken_server = DNS_R_BADVERS;
- rctx->next_server = true;
- }
+ rctx->broken_server = DNS_R_BADVERS;
+ rctx->next_server = true;
#endif
} else if (fctx->rmessage->rcode == dns_rcode_badcookie &&
fctx->rmessage->cc_ok)
diff --git a/lib/ns/client.c b/lib/ns/client.c
index 03975f6640..bcf022e1ee 100644
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -2534,6 +2534,31 @@ ns__client_request(isc_task_t *task, isc_event_t *event) {
client->ecs.scope = 0;
if (opt != NULL) {
+ /*
+ * Are returning FORMERR to all EDNS queries?
+ * Simulate a STD13 compliant server.
+ */
+ if ((client->sctx->options & NS_SERVER_EDNSFORMERR) != 0) {
+ ns_client_error(client, DNS_R_FORMERR);
+ return;
+ }
+
+ /*
+ * Are returning NOTIMP to all EDNS queries?
+ */
+ if ((client->sctx->options & NS_SERVER_EDNSNOTIMP) != 0) {
+ ns_client_error(client, DNS_R_NOTIMP);
+ return;
+ }
+
+ /*
+ * Are returning REFUSED to all EDNS queries?
+ */
+ if ((client->sctx->options & NS_SERVER_EDNSREFUSED) != 0) {
+ ns_client_error(client, DNS_R_REFUSED);
+ return;
+ }
+
/*
* Are we dropping all EDNS queries?
*/
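Review bot: The three new comments read `Are returning FORMERR to all EDNS queries?`, `Are returning NOTIMP ...` and `Are returning REFUSED ...` and are missing their subject; the pre-existing comment just below reads `Are we dropping all EDNS queries?`, so they should be `Are we returning FORMERR to all EDNS queries?` and likewise for the other two. It is also worth stating in the first comment that these test-only (`-T`) checks deliberately run before process_opt(), so the simulated rcode goes out before the OPT record is parsed — presumably meaning the reply carries no OPT, as a real pre-EDNS server's would, but that depends on what ns_client_error() attaches and should be confirmed. ns__client_request() starts and ends outside the hunk.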
@@ -2541,6 +2566,7 @@ ns__client_request(isc_task_t *task, isc_event_t *event) {
ns_client_next(client, ISC_R_SUCCESS);
return;
}
+
result = process_opt(client, opt);
if (result != ISC_R_SUCCESS)
return;
diff --git a/lib/ns/include/ns/server.h b/lib/ns/include/ns/server.h
index a5ecf204c9..c4a0f71ecd 100644
--- a/lib/ns/include/ns/server.h
+++ b/lib/ns/include/ns/server.h
@@ -44,6 +44,9 @@
#define NS_SERVER_DISABLE6 0x00000200U /*%< -4 */
#define NS_SERVER_FIXEDLOCAL 0x00000400U /*%< -T fixedlocal */
#define NS_SERVER_SIGVALINSECS 0x00000800U /*%< -T sigvalinsecs */
+#define NS_SERVER_EDNSFORMERR 0x00001000U /*%< -T ednsformerr (STD13) */
+#define NS_SERVER_EDNSNOTIMP 0x00002000U /*%< -T ednsnotimp */
+#define NS_SERVER_EDNSREFUSED 0x00004000U /*%< -T ednsrefused */
/*%
* Type for callback function to get hostname.
diff --git a/util/copyrights b/util/copyrights
index a8c7e77ecb..4b2dfd62d1 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1433,6 +1433,9 @@
./bin/tests/system/legacy/ns1/named2.conf.in CONF-C 2014,2016,2018
./bin/tests/system/legacy/ns1/root.db ZONE 2014,2016,2018
./bin/tests/system/legacy/ns1/trusted.conf X 2014,2018
+./bin/tests/system/legacy/ns10/ednsrefused.db ZONE 2018
+./bin/tests/system/legacy/ns10/named.conf.in CONF-C 2018
+./bin/tests/system/legacy/ns10/named.ednsrefused X 2018
./bin/tests/system/legacy/ns2/dropedns.db ZONE 2014,2016,2018
./bin/tests/system/legacy/ns2/named.conf.in CONF-C 2014,2016,2018
./bin/tests/system/legacy/ns2/named.dropedns X 2014,2018
@@ -1458,6 +1461,12 @@
./bin/tests/system/legacy/ns7/named.conf.in CONF-C 2014,2016,2018
./bin/tests/system/legacy/ns7/named.notcp X 2014,2018
./bin/tests/system/legacy/ns7/sign.sh SH 2014,2016,2018
+./bin/tests/system/legacy/ns8/ednsformerr.db ZONE 2018
+./bin/tests/system/legacy/ns8/named.conf.in CONF-C 2018
+./bin/tests/system/legacy/ns8/named.ednsformerr X 2018
+./bin/tests/system/legacy/ns9/ednsnotimp.db ZONE 2018
+./bin/tests/system/legacy/ns9/named.conf.in CONF-C 2018
+./bin/tests/system/legacy/ns9/named.ednsnotimp X 2018
./bin/tests/system/legacy/setup.sh SH 2014,2016,2018
./bin/tests/system/legacy/tests.sh SH 2014,2015,2016,2018
./bin/tests/system/limits/clean.sh SH 2000,2001,2004,2007,2012,2014,2015,2016,2018