RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1640358 - Bind 9.9 is EOL, But in Redhat 7.x no Bind 9.11 or 9.12 available, dig missing criticaly options: cookie, ednsneg not supported
Summary: Bind 9.9 is EOL, But in Redhat 7.x no Bind 9.11 or 9.12 available, dig missin...
Keywords:
Status: CLOSED DUPLICATE of bug 1640561
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: bind
Version: 7.7-Alt
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Petr Menšík
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On: bind911_rebase_el7
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-10-17 21:20 UTC by Christian Bretterhofer
Modified: 2019-08-02 10:32 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-02 10:32:44 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Christian Bretterhofer 2018-10-17 21:20:20 UTC 
Description of problem:

9.9.13-P1 	End-of-Life (EOL) as of July 2018
9.12.2-P2 	Current-Stable 	Sept 2018 / Release Notes (HTML, PDF), EOL April 2019
9.11.4-P2 	Current-Stable, ESV Sept 2018 / Release Notes (HTML, PDF), EOL Dec 2021

Version-Release number of selected component (if applicable):
scl 
Installed Packages
Name        : bind
Arch        : x86_64
Epoch       : 32
Version     : 9.9.4
Release     : 61.el7
Size        : 4.3 M
Repo        : installed
From repo   : rhel-7-server-rpms
Summary     : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
URL         : http://www.isc.org/products/BIND/
License     : ISC


How reproducible:
 Try to use the EDNS Test https://ednscomp.isc.org/ednscomp with dig

Steps to Reproduce:
1.dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
2.dig +nocookie +norec +noad +ednsopt=100 soa zone @server
3.dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
4.dig +nocookie +norec +noad +ednsflags=0x80 soa zone @server

Actual results:

Option cookie, ednsneg not supported


Expected results:
see https://ednscomp.isc.org/ednscomp

Additional info:

https://tools.ietf.org/html/rfc7871
https://dnsflagday.net/
The current DNS suffers from unnecessary delays and an inability to deploy new features. To remediate these problems, vendors of DNS software BIND (ISC), Knot Resolver (CZ.NIC), PowerDNS, and Unbound (NLnet Labs) are going to remove certain workarounds on February 1st, 2019.

This change affects only sites which operate broken software. Are you affected?
Yes, on Redhat 7.x we cannot even test it.
Comment 2 Christian Bretterhofer 2018-11-09 12:20:31 UTC 
 Christian Bretterhofer 2018-11-09 13:20:20 CET Any Updates?
Comment 3 Petr Menšík 2018-11-14 15:12:39 UTC 
Hi Christian,

I understand current RHEL supported package is missing many useful features. But our customers choose us for stability. I admit it is getting historic somehow. We are considering update, but it is not yet decided.

Anyway, it can be checked in RHEL7. All options are not mandatory AFAIK. It does work to me when I use:

git clone https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing
cd DNS-Compliance-Testing
autoreconf -fis
./configure
make
echo localhost | ./genreport

This works to me also on RHEL 7.

Backporting only selected flags is not planned or being considered.
Comment 4 Christian Bretterhofer 2018-11-15 12:10:23 UTC 
This is just the test (https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing)

The ticket is for bind 9.11.4-P2 in Redhat Softwarecollection
Comment 5 Tomáš Hozza 2018-11-15 16:02:10 UTC 
Thank you for taking the time to report this issue to us. We appreciate the feedback and use reports such as this one to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.

If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels to ensure it receives the proper attention and prioritization to assure a timely resolution. 

For information on how to contact the Red Hat production support team, please visit:
    https://www.redhat.com/support/process/production/#howto
Comment 6 Marcel Kolaja 2018-12-13 11:50:11 UTC 
Christian, would BIND 9.11 address your needs? Thanks!
Comment 7 Christian Bretterhofer 2019-01-14 09:05:36 UTC 
GeoIP2 Support will be available only in Bind 9.13/9.12 and sometimes later backported to 9.11
https://gitlab.isc.org/isc-projects/bind9/issues/182

https://www.isc.org/downloads/
 
9.13.5-W1 	Unstable-Development 	Dec 2018 / Release Notes (HTML, PDF)
	
9.12.3-P1 	Current-Stable 	Download Dec 2018 / Release Notes (HTML, PDF) April 2019
9.11.5-P1 	Current-Stable, ESV 	Download Dec 2018 / Release Notes (HTML, PDF)
	Dec 2021
9.10.8-P1 	End-of-Life (EOL) as of July 2018
9.9.13-P1 	End-of-Life (EOL) as of July 2018

So yes we need 9.11 with geoip2
Comment 10 Marcel Kolaja 2019-01-17 15:00:26 UTC 
(In reply to Christian Bretterhofer from comment #7)
> GeoIP2 Support will be available only in Bind 9.13/9.12 and sometimes later
> backported to 9.11
> https://gitlab.isc.org/isc-projects/bind9/issues/182
> 
> https://www.isc.org/downloads/
>  
> 9.13.5-W1 	Unstable-Development 	Dec 2018 / Release Notes (HTML, PDF)
> 	
> 9.12.3-P1 	Current-Stable 	Download Dec 2018 / Release Notes (HTML, PDF)
> April 2019
> 9.11.5-P1 	Current-Stable, ESV 	Download Dec 2018 / Release Notes (HTML, PDF)
> 	Dec 2021
> 9.10.8-P1 	End-of-Life (EOL) as of July 2018
> 9.9.13-P1 	End-of-Life (EOL) as of July 2018
> 
> So yes we need 9.11 with geoip2

GeoIP2 has not been merged upstream yet and we do not have any plans to introduce GeoIP2 support in BIND in RHEL 7.
Comment 11 Matt Gunter 2019-01-21 23:04:35 UTC 
Is anything going to be done to support DNS Flag Day on 2019-02-01?

https://dnsflagday.net/

I'm currently running DNS for organization on a RH EL 7 server with bind 9.9.4 but this says we need BIND 9.13.3 (development) or 9.14.0 (production) to be compliant.
Comment 12 Tomáš Hozza 2019-01-22 09:03:47 UTC 
(In reply to Matt Gunter from comment #11)
> Is anything going to be done to support DNS Flag Day on 2019-02-01?
> 
> https://dnsflagday.net/
> 
> I'm currently running DNS for organization on a RH EL 7 server with bind
> 9.9.4 but this says we need BIND 9.13.3 (development) or 9.14.0 (production)
> to be compliant.

Hello.

There should be no problem with BIND 9.9.4. The dnsflagday is mostly about misconfigured DNS servers not supporting EDNS0 or firewalls and network middle boxes that filter such communication. The versions you mentioned "implement stricter EDNS handling", thus there is higher possibility that you will see some issues with "broken public DNS servers", than with "less strict ENDS handling" in older BIND releases. This is mostly a signal from DNS vendors, that they don't plan to support all those ENDS workarounds in the future.

Nevertheless BIND 9.9.4 supports EDNS and it is enabled by default. Feel free to report any issues you may have through our customer support (https://www.redhat.com/en/services/support), but we don't expect any related to this change.
Comment 13 Yahav 2019-06-25 14:15:39 UTC 
Thomas, i beg to differ.
my organization uses RHEL7 and bind 9.9.4 with the default configuration and fails the EDNS tests:
>domain.com. @255.255.255.255 (dns.domain.com): dns=ok zflag=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=timeout docookie=ok edns512tcp=ok optlist=ok
Comment 14 Tomáš Hozza 2019-06-25 15:07:50 UTC 
(In reply to Yahav from comment #13)
> Thomas, i beg to differ.
> my organization uses RHEL7 and bind 9.9.4 with the default configuration and
> fails the EDNS tests:
> >domain.com. @255.255.255.255 (dns.domain.com): dns=ok zflag=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=timeout docookie=ok edns512tcp=ok optlist=ok

This is not enough information to determine where is the issue. This could be also issue with your network infrastructure. Please attach log from the server and ideally also pcap dumps from the client and server while running the test, so that we can have a look. Thanks.
Note You need to log in before you can comment on or make changes to this bug.