The rollernet DNS servers are giving incorrect behavior as reported by the ISC EDNS tester. Here are the results for my rollernet DNS hosted domain:
https://ednscomp.isc.org/ednscomp/b1b6b0691a
I'm concerned that this issue will be particularly problematic following the February 1, 2019 DNS Flag Day: https://dnsflagday.net/
Thanks again!
EDNS Compliance Issues
Re: EDNS Compliance Issues
I received a notification from my registrant last week (to upsell their DNS) and upon checking found the same as @candrews (no relation)!
All of my Rollernet domains have the same non-compliance, e.g. https://ednscomp.isc.org/ednscomp/0c2ccf16d4
though one of the domains I migrated for a client to Dreamhost also has EDNS failures.
My ISP doesn't, nor does Google.
Re: EDNS Compliance Issues
Our servers do support EDNS properly (no firewall inspection, no TCP blocking), but appear to fail the ednscomp test because of how it performs the tests.
The bug is noted here:
https://github.com/PowerDNS/pdns/issues/6806
Seth Mattinen, Roller Network LLC
Re: EDNS Compliance Issues
We do of course plan to continue upgrading PowerDNS, but we are doing so in incremental steps without making large version jumps because we need to make sure DNSSEC enabled zones don't break in the process. It's more critical to us to continue serving zones uninterrupted. When we perform an upgrade we let it bake for a while before looking at the next one. Because we decided to release DNSSEC support in Primary DNS before there was an API available, we had to resort to command line parsing to perform the DNSSEC functions used in the ACC. Making large jumps will break this, and we don't want to have to tell people the workaround is to turn off DNSSEC when we want to encourage DNSSEC to be used.
The problems that DNS Flag Day seeks to address are very old DNS implementations out there that don't support EDNS at all, or have TCP port 53 blocked, or have a firewall "inspecting" and altering DNS packets. These are the ones that will likely stop working when resolvers remove workarounds.
One thing you can do is run http://dnsviz.net against a zone with DNSSEC enabled and see that EDNS does indeed work when handling real queries that need EDNS or possibly TCP transport.
Seth Mattinen, Roller Network LLC
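To make concrete what a single ednscomp-style probe actually checks (an OPT record sent, an OPT record echoed back, no FORMERR), here is an added example that is not Roller Network's, ISC's or PowerDNS's code: it builds one EDNS(0) query in wire format and classifies a reply. The sample replies and the 192.0.2.1 address are constructed, not captured from any real server.

```python
# Added example (not Roller Network's or ISC's code): build one EDNS(0) probe and
# classify a reply the way a single ednscomp test would. All sample data is constructed.
import struct

def build_edns_query(name, qtype=1, udp_size=4096, do_bit=True, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00" + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: owner ".", TYPE 41, CLASS = advertised UDP size,
    # TTL = ext-rcode(8) | version(8) | DO bit | 15 zero bits, RDLENGTH 0
    ttl = 0x8000 if do_bit else 0
    return header + question + b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)

def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer terminates the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4     # skip QTYPE/QCLASS
    opt = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:                    # the OPT record, if the server echoed one
            opt = {"udp_size": rclass, "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000)}
    return {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200), "opt": opt}

def classify(reply):
    r = parse_response(reply)
    if r["rcode"] == 1 and r["opt"] is None:
        return "FORMERR without OPT: server does not speak EDNS"
    if r["opt"] is None:
        return "no OPT echoed: EDNS stripped in transit or unsupported"
    return "ok"

# Constructed replies to a query for example.com/A; 192.0.2.1 is a documentation address.
_question = build_edns_query("example.com")[12:-11]              # strip header and 11-byte OPT
_answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
_opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, 0)
COMPLIANT_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + _question + _answer + _opt
LEGACY_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8181, 1, 0, 0, 0) + _question  # FORMERR, no OPT
```

Sending `build_edns_query(...)` over UDP to a real authoritative server and passing the reply to `classify` reproduces one of the tester's checks; a "FORMERR without OPT" verdict is the legacy behaviour Flag Day targets, whereas a PowerDNS server that answers "ok" here can still fail ednscomp's other probes, as the linked issue describes.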