On Thu, Jan 31, 2019 at 10:33 AM James Stahr <stahr@mailbag.com> wrote: [snip]
> So is the tool right in saying that TCP/53 is an absolute requirement of EDNS0 support for "DNS Flag Day"? If so, do we expect a dramatic increase in TCP/53 requests over UDP/53 queries? Or is the tool flawed [snip]
Their test tool will obviously alert on more error conditions than what the Flag Day is specifically about. One or more of your DNS servers not responding [OR] TCP/53 not working are still broken configurations, but the brokenness is unrelated to what the flag day is about. In the first case, better safe than sorry, I suppose: inability to complete one or more of the tests because of brokenness definitely means that things are broken.

TCP/53 is a fairly strong requirement, except if you are supporting an authoritative-only server with no record labels that could result in a >512-byte response, plus no DNSSEC-secured zones, and even then the AXFR protocol for replication to secondary servers calls for TCP.

EDNS support is not required. Authoritative servers that don't support EDNS and are also compliant with the original DNS standard continue to work after the workarounds are removed. The relevant standard does not allow for silently ignoring requests that contain the EDNS option; patching the bug in a broken server does not necessarily entail the larger task of adding EDNS support -- achieving consistent compliance with either the DNS standard before EDNS, or the DNS standard after EDNS, is the requirement.

There are two ways for a DNS server to relay DNS responses larger than 512 bytes:

1. The server replies with a truncated message with the truncate bit set, and the client connects to you over TCP to make the DNS request, OR
2. The client provided the EDNS option with a larger packet size, and you support that, so you send a large UDP reply instead.

A DNS server must support the first of these methods (the second is preferable but optional, and support for the first method over TCP is mandatory) if you could ever be required to handle a DNS message whose reply is larger than 512 bytes: all recursive resolvers fall into this category, and with DNSSEC + IPv6, many common queries will result in an answer longer than the original 512-byte limit of UDP.

--
-JH
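The two paths described in the reply above (TC bit plus TCP retry, or an EDNS0 OPT record advertising a larger UDP buffer), as an added illustration that is not part of the thread and not anyone's production code. It builds a plain pre-EDNS query and an EDNS0 query, reads the advertised UDP payload size back out of the OPT pseudo-record, detects the truncate bit in a constructed server reply, and shows the 2-byte length prefix DNS uses over TCP/53. All bytes are constructed in memory; nothing is sent on the network, and the name example.com and the transaction ids are arbitrary sample values.

```python
"""Added example: how a DNS client signals and detects the two ways of
getting an answer larger than 512 bytes. Constructed bytes only; no I/O."""
import struct

DNS_TYPE_OPT = 41        # EDNS0 OPT pseudo-RR type
EDNS_DO_BIT = 0x8000     # DNSSEC OK flag, top bit of the OPT "TTL" flags field
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, udp_size=None, dnssec_ok=False):
    """Build a UDP query. udp_size=None means a plain pre-EDNS query (no OPT RR)."""
    arcount = 1 if udp_size else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if udp_size:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
        # TTL=ext-rcode/version/flags (DO bit lives here), RDLENGTH=0
        ttl = EDNS_DO_BIT if dnssec_ok else 0
        opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_size, ttl, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields a client cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def edns_udp_size(msg):
    """Return the UDP payload size advertised in the OPT RR, or None if absent."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4           # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == DNS_TYPE_OPT:
            return rclass                        # CLASS carries the buffer size
        off += 10 + rdlen
    return None


def needs_tcp_retry(response):
    """True when the server set TC: the UDP answer was cut, retry over TCP/53."""
    return parse_header(response)["tc"]


def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def make_truncated_response(query):
    """Constructed reply from a pre-EDNS server whose answer exceeds 512 bytes:
    echo the question with QR and TC set and no records (method 1 above)."""
    txid = parse_header(query)["id"]
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_TC | FLAG_RD, 1, 0, 0, 0)
    return header + query[12:qend]


if __name__ == "__main__":
    plain = build_query("example.com.", qtype=28)                      # AAAA, no EDNS
    edns = build_query("example.com.", qtype=28, udp_size=4096, dnssec_ok=True)
    print("plain query advertises:", edns_udp_size(plain))            # None -> 512 limit
    print("EDNS query advertises:", edns_udp_size(edns))              # 4096
    reply = make_truncated_response(plain)
    if needs_tcp_retry(reply):
        print("TC set -> resend over TCP with length prefix", frame_for_tcp(plain)[:2].hex())
```

The point the example makes concrete: a client that never sends an OPT record still gets a usable answer as long as the server sets TC and answers on TCP/53, which is why the reply treats TCP as the hard requirement and EDNS as the optional optimisation.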