+5029. [func] Workarounds for servers that misbehave when queried
+ with EDNS have been removed, because these broken
+ servers and the workarounds for their noncompliance
+ cause unnecessary delays, increase code complexity,
+ and prevent deployment of new DNS features. See
+ https://dnsflagday.net for further details. [GL #150]
+
5028. [bug] Spread the initial RRSIG expiration times over the
entire working sig-validity-interval when signing a
zone in named to even out re-signing and transfer
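Review bot: entry 5029 says only that the EDNS workarounds were removed and gives operators no hint of what they will observe or how to recover; since CHANGES is the first place administrators look after an upgrade, suggest adding one sentence that resolution no longer falls back to plain DNS for servers that do not respond to EDNS queries and that a `server` clause with `edns no` or `send-cookie no` restores it, or at least a pointer to the new ARM section "EDNS compliance issues" where the diagnostic `dig` steps are given.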
source of hints and information that can be used to figure out
what went wrong and how to fix the problem.
</para>
+ </section>
+ <section><info><title>EDNS compliance issues</title></info>
+ <para>
+ EDNS (Extended DNS) is a standard that was first specified
+ in 1999. It is required for DNSSEC validation, DNS COOKIE
+ options, and other features. There are broken and outdated
+ DNS servers and firewalls still in use which misbehave when
+ queried with EDNS; for example, they may drop EDNS queries
+ rather than replying with FORMERR. BIND and other recursive
+ name servers have traditionally employed workarounds in this
+ situation, retrying queries in different ways and eventually
+ falling back to plain DNS queries without EDNS.
+ </para>
+ <para>
+ Such workarounds cause unnecessary resolution delays,
+ increase code complexity, and prevent deployment of new DNS
+ features. As of February 2019, all major DNS software vendors
+ have agreed to remove these workarounds; see
+ <link xmlns:xlink="http://www.w3.org/1999/xlink"
+ xlink:href="https://dnsflagday.net">https://dnsflagday.net</link>
+ for further details. This change was implemented in BIND
+ as of release 9.14.0.
+ </para>
+ <para>
+ As a result, some domains may be non-resolvable without manual
+ intervention. In these cases, resolution can be restored by
+ adding <command>server</command> clauses for the offending
+ servers, specifying <command>edns no</command> or
+ <command>send-cookie no</command>, depending on the specific
+ noncompliance.
+ </para>
+ <para>
+ To determine which <command>server</command> clause to use,
+ run the following commands to send queries to the authoritative
+ servers for the broken domain:
+ </para>
+ <literallayout>
+ dig soa <zone> @<server> +dnssec
+ dig soa <zone> @<server> +dnssec +nocookie
+ dig soa <zone> @<server> +noedns
+ </literallayout>
+ <para>
+ If the first command fails but the second succeeds, the
+ server most likely needs <command>send-cookie no</command>.
+ If the first two fail but the third succeeds, then the server
+ needs EDNS to be fully disabled with <command>edns no</command>.
+ </para>
+ <para>
+ Please contact the administrators of noncompliant domains
+ and encourage them to upgrade their broken DNS servers.
+ </para>
</section>
</section>
<section><info><title>Incrementing and Changing the Serial Number</title></info>
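Review bot: the `<literallayout>` block in the new "EDNS compliance issues" section contains the unescaped placeholders `<zone>` and `@<server>` on all three `dig` lines; inside DocBook XML these are parsed as start tags rather than text, so the document will not validate. Escape them as `&lt;zone&gt;` / `&lt;server&gt;`, or better use `<replaceable>zone</replaceable>` and `<replaceable>server</replaceable>` so the rendered output marks them as placeholders. The paragraph recommending the `server` clauses should also state the cost of each: the section itself says EDNS is required for DNSSEC validation and for COOKIE, so `edns no` means answers from that server carry no DNSSEC data and a signed domain served only by such servers will still fail to validate, while `send-cookie no` gives up cookie protection for that server; suggest saying that `send-cookie no` is the narrower fix to prefer when the second `dig` succeeds, and that either clause is an exception to remove once the remote servers are fixed (consistent with the closing request to contact their administrators). Finally, the release-notes text for the same change states that resolution no longer falls back to plain DNS when there is no response from an authoritative server; that sentence belongs in this section too, since a timeout rather than an error is what operators will actually see.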
<section xml:id="relnotes_removed"><info><title>Removed Features</title></info>
<itemizedlist>
+ <listitem>
+ <para>
+ Workarounds for servers that misbehave when queried with EDNS
+ have been removed, because these broken servers and the
+ workarounds for their noncompliance cause unnecessary delays,
+ increase code complexity, and prevent deployment of new DNS
+ features. See <link xmlns:xlink="http://www.w3.org/1999/xlink"
+ xlink:href="https://dnsflagday.net">https://dnsflagday.net</link>
+ for further details.
+ </para>
+ <para>
+ In particular, resolution will no longer fall back to
+ plain DNS when there was no response from an authoritative
+ server. This will cause some domains to become non-resolvable
+ without manual intervention. In these cases, resolution can
+ be restored by adding <command>server</command> clauses for the
+ offending servers, specifying <command>edns no</command> or
+ <command>send-cookie no</command>, depending on the specific
+ noncompliance.
+ </para>
+ <para>
+ To determine which <command>server</command> clause to use, run
+ the following commands to send queries to the authoritative
+ servers for the broken domain:
+ </para>
+<literallayout>
+ dig soa <zone> @<server> +dnssec
+ dig soa <zone> @<server> +dnssec +nocookie
+ dig soa <zone> @<server> +noedns
+</literallayout>
+ <para>
+ If the first command fails but the second succeeds, the
+ server most likely needs <command>send-cookie no</command>.
+ If the first two fail but the third succeeds, then the server
+ needs EDNS to be fully disabled with <command>edns no</command>.
+ </para>
+ <para>
+ Please contact the administrators of noncompliant domains
+ and encourage them to upgrade their broken DNS servers. [GL #150]
+ </para>
+ </listitem>
<listitem>
<para>
Previously, it was possible to build BIND without thread support
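Review bot: the same unescaped `<zone>` / `<server>` placeholders appear on the three `dig` lines inside `<literallayout>` here; they will be read as XML elements and break the release-notes build, so escape them as `&lt;zone&gt;` / `&lt;server&gt;` or wrap them in `<replaceable>`. Minor: the `[GL #150]` reference is attached to the last `<para>`, the advice to contact domain administrators; it reads better at the end of the first `<para>`, which is the paragraph that actually describes the change. As in the ARM section, a short note that `edns no` also disables DNSSEC data and validation for answers from that server (the first paragraph already says EDNS is required for DNSSEC validation) would help operators pick `send-cookie no` where it suffices.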