From: Matthew Seaman
Date: Mon, 21 Jan 2019 12:47:16 +0000
Subject: Re: DNS Flag Day
To: freebsd-questions@freebsd.org

On 21/01/2019 08:02, Andrea Venturoli wrote:
> Sorry to step in.
> What about authoritative servers for private zones?
>
> I.e. Are those who are serving local.xxxxx.xx to their LAN affected?

You can only be affected by your local nameservers not having correct
EDNS0 support by upgrading to one of the nameserver packages due to be
released on or after that day, which will take a much harder line on
incorrect EDNS0-related responses.

Since you presumably control both client and server sides of your local
setup, then all you need to do is ensure that you upgrade all your
clients and server software in a fairly short timeframe, or else leave
all well alone.

You can grab ISC's ednscomp testing code from GitHub if you want to run
it against your private internal nameservers:

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing

or you can look at the queries the ednscomp site runs and just run them
by hand using dig(1) -- see e.g. this page:

https://ednscomp.isc.org/compliance/summary.html

Cheers,

Matthew
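
Added example, not part of the message above and not ISC's ednscomp code: a shell script that runs three EDNS0 probes by hand with dig(1) against an internal nameserver and grades each reply. The probe names, the zone `local.example`, the address `192.0.2.53`, the expected results (RFC 6891 behaviour) and the sample dig output are assumptions constructed for illustration.

```shell
#!/bin/sh
# check_reply PROBE: read dig output on stdin, print "ok" or "FAIL: reason".
check_reply() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    version=$(printf '%s\n' "$out" | sed -n 's/^; EDNS: version: \([0-9]*\),.*/\1/p' | head -n 1)
    soa=no   # becomes yes only if a non-comment line carries SOA record data
    printf '%s\n' "$out" | grep -Eq '^[^;].*[[:space:]]SOA[[:space:]]+[^[:space:]]' && soa=yes
    case "$1" in
        dns)   want_status=NOERROR want_version=  want_soa=yes ;;  # no OPT sent, none expected back
        edns)  want_status=NOERROR want_version=0 want_soa=yes ;;
        edns1) want_status=BADVERS want_version=0 want_soa=no ;;   # unsupported version is refused
        *)     echo "FAIL: unknown probe $1"; return 2 ;;
    esac
    [ "$status" = "$want_status" ] || { echo "FAIL: status ${status:-none}, want $want_status"; return 1; }
    [ "$version" = "$want_version" ] || { echo "FAIL: OPT version ${version:-absent}, want ${want_version:-absent}"; return 1; }
    [ "$soa" = "$want_soa" ] || { echo "FAIL: SOA answer $soa, want $want_soa"; return 1; }
    echo ok
}

# Constructed dig output (not captured from a real server): an EDNS version 1
# query answered as if it were version 0 instead of with BADVERS.
sample_lenient_reply() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;local.example.            IN  SOA
;; ANSWER SECTION:
local.example.  3600  IN  SOA  ns1.local.example. hostmaster.local.example. 1 7200 900 1209600 3600
EOF
}

# run_probe PROBE ZONE SERVER: live query; needs dig and a reachable server.
run_probe() {
    case "$1" in
        dns)   opts="+noedns" ;;
        edns)  opts="+edns=0" ;;
        edns1) opts="+edns=1 +noednsneg" ;;
    esac
    # $opts is deliberately unquoted so it splits into separate dig options.
    dig +norec $opts soa "$2" "@$3" | check_reply "$1"
}

# Live use (placeholder values): sh edns-check.sh local.example 192.0.2.53
if [ "$#" -eq 2 ]; then
    for p in dns edns edns1; do printf '%s: ' "$p"; run_probe "$p" "$1" "$2" || true; done
fi
```

A server that passes `dns` and `edns` but fails `edns1` is the kind that works with current resolvers yet may be treated as broken by the stricter releases the message describes.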