Bug 1640358
| Summary: | Bind 9.9 is EOL, But in Redhat 7.x no Bind 9.11 or 9.12 available, dig missing criticaly options: cookie, ednsneg not supported | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Christian Bretterhofer <christian.bretterhofer> |
| Component: | bind | Assignee: | Petr Menšík <pemensik> |
| Status: | CLOSED DUPLICATE | QA Contact: | qe-baseos-daemons |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.7-Alt | CC: | christian.bretterhofer, matt, mkolaja, pemensik, thozza, yahavsh |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-08-02 10:32:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1640561 | ||
| Bug Blocks: | |||
|
Description
Christian Bretterhofer
2018-10-17 21:20:20 UTC
Christian Bretterhofer 2018-11-09 13:20:20 CET Any Updates? Hi Christian, I understand current RHEL supported package is missing many useful features. But our customers choose us for stability. I admit it is getting historic somehow. We are considering update, but it is not yet decided. Anyway, it can be checked in RHEL7. All options are not mandatory AFAIK. It does work to me when I use: git clone https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing cd DNS-Compliance-Testing autoreconf -fis ./configure make echo localhost | ./genreport This works to me also on RHEL 7. Backporting only selected flags is not planned or being considered. This is just the test (https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing) The ticket is for bind 9.11.4-P2 in Redhat Softwarecollection Thank you for taking the time to report this issue to us. We appreciate the feedback and use reports such as this one to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.
If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels to ensure it receives the proper attention and prioritization to assure a timely resolution.
For information on how to contact the Red Hat production support team, please visit:
https://www.redhat.com/support/process/production/#howto
Christian, would BIND 9.11 address your needs? Thanks! GeoIP2 Support will be available only in Bind 9.13/9.12 and sometimes later backported to 9.11 https://gitlab.isc.org/isc-projects/bind9/issues/182 https://www.isc.org/downloads/ 9.13.5-W1 Unstable-Development Dec 2018 / Release Notes (HTML, PDF) 9.12.3-P1 Current-Stable Download Dec 2018 / Release Notes (HTML, PDF) April 2019 9.11.5-P1 Current-Stable, ESV Download Dec 2018 / Release Notes (HTML, PDF) Dec 2021 9.10.8-P1 End-of-Life (EOL) as of July 2018 9.9.13-P1 End-of-Life (EOL) as of July 2018 So yes we need 9.11 with geoip2 (In reply to Christian Bretterhofer from comment #7) > GeoIP2 Support will be available only in Bind 9.13/9.12 and sometimes later > backported to 9.11 > https://gitlab.isc.org/isc-projects/bind9/issues/182 > > https://www.isc.org/downloads/ > > 9.13.5-W1 Unstable-Development Dec 2018 / Release Notes (HTML, PDF) > > 9.12.3-P1 Current-Stable Download Dec 2018 / Release Notes (HTML, PDF) > April 2019 > 9.11.5-P1 Current-Stable, ESV Download Dec 2018 / Release Notes (HTML, PDF) > Dec 2021 > 9.10.8-P1 End-of-Life (EOL) as of July 2018 > 9.9.13-P1 End-of-Life (EOL) as of July 2018 > > So yes we need 9.11 with geoip2 GeoIP2 has not been merged upstream yet and we do not have any plans to introduce GeoIP2 support in BIND in RHEL 7. Is anything going to be done to support DNS Flag Day on 2019-02-01? https://dnsflagday.net/ I'm currently running DNS for organization on a RH EL 7 server with bind 9.9.4 but this says we need BIND 9.13.3 (development) or 9.14.0 (production) to be compliant. (In reply to Matt Gunter from comment #11) > Is anything going to be done to support DNS Flag Day on 2019-02-01? > > https://dnsflagday.net/ > > I'm currently running DNS for organization on a RH EL 7 server with bind > 9.9.4 but this says we need BIND 9.13.3 (development) or 9.14.0 (production) > to be compliant. Hello. There should be no problem with BIND 9.9.4. The dnsflagday is mostly about misconfigured DNS servers not supporting EDNS0 or firewalls and network middle boxes that filter such communication. The versions you mentioned "implement stricter EDNS handling", thus there is higher possibility that you will see some issues with "broken public DNS servers", than with "less strict ENDS handling" in older BIND releases. This is mostly a signal from DNS vendors, that they don't plan to support all those ENDS workarounds in the future. Nevertheless BIND 9.9.4 supports EDNS and it is enabled by default. Feel free to report any issues you may have through our customer support (https://www.redhat.com/en/services/support), but we don't expect any related to this change. Thomas, i beg to differ.
my organization uses RHEL7 and bind 9.9.4 with the default configuration and fails the EDNS tests:
>domain.com. @255.255.255.255 (dns.domain.com): dns=ok zflag=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=timeout docookie=ok edns512tcp=ok optlist=ok
(In reply to Yahav from comment #13) > Thomas, i beg to differ. > my organization uses RHEL7 and bind 9.9.4 with the default configuration and > fails the EDNS tests: > >domain.com. @255.255.255.255 (dns.domain.com): dns=ok zflag=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=timeout docookie=ok edns512tcp=ok optlist=ok This is not enough information to determine where is the issue. This could be also issue with your network infrastructure. Please attach log from the server and ideally also pcap dumps from the client and server while running the test, so that we can have a look. Thanks. |