DNS-Compliance-Testing issues
https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues
2023-07-08T17:39:46Z

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/39
glibc 2.34
2023-07-08T17:39:46Z
case

To quote the release notes from GLIBC 2.34:
* Various symbols previously defined in libresolv have been moved to libc
in order to prepare for libresolv moving entirely into libc (see earlier
entry for merging libraries into libc). The symbols __dn_comp,
__dn_expand, __dn_skipname, __res_dnok, __res_hnok, __res_mailok,
__res_mkquery, __res_nmkquery, __res_nquery, __res_nquerydomain,
__res_nsearch, __res_nsend, __res_ownok, __res_query, __res_querydomain,
__res_search, __res_send formerly in libresolv have been renamed and no
longer have a __ prefix. They are now available in libc.
This impacts this project directly, as it fails to build in reference to three functions:
```shell
> /build/source/genreport.c:3375: undefined reference to `ns_makecanon'
> /nix/store/cimp3vp40msz4afq1c3602p2rn9bff0d-binutils-2.35.2/bin/ld: genreport.o: in function `lookupns':
> /build/source/genreport.c:2296: undefined reference to `ns_makecanon'
> /nix/store/cimp3vp40msz4afq1c3602p2rn9bff0d-binutils-2.35.2/bin/ld: genreport.o: in function `findglue':
> /build/source/genreport.c:3354: undefined reference to `ns_makecanon'
```

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/38
Webpage links to Spammy Loan advertisement
2020-09-09T00:05:27Z
Hanno Böck

The webpage
https://ednscomp.isc.org/ednscomp/
contains a link to Boutell.com for the CGIC library.
It looks like this was previously the home of that library, but now it's an advertisement for some loans and looks very spammy.
CGIC seems to be maintained on Github now:
https://github.com/boutell/cgic
(Also it seems it no longer comes under its own license terms - the "Basic License" - but under a normal MIT license.)

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/37
Please provide test code for DNS Flag Day 2020 (edns512tcp)
2020-10-13T21:01:59Z
Hanno Böck

My understanding from the DNS flag day page is that the edns512tcp test is the relevant thing to look for in terms of testing compatibility with the DNS flag day 2020 requirements.
However that test seems to be unpublished. While the EDNS Compliance Tester page links to this source repo, the code does not contain the edns512tcp test.

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/36
Always list all codes at https://ednscomp.isc.org/ednscomp/
2019-11-19T01:32:10Z
Ghost User

The https://ednscomp.isc.org/ednscomp/ evaluation contains section “Codes” and this section contains sometimes “nsid - NSID supported [RFC5001].”, sometimes it says nothing about NSID. Sometimes the section says “subnet - EDNS Client Subnet supported [RFC7871].” and sometimes it says nothing about subnet. Sometimes it says something about “expire - EDNS EXPIRE supported [RFC7314].” and sometimes it says nothing about expire.
Please list all possible codes. When the result is unknown for a code, state “UNKNOWN”.

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/35
Replace RFC 6966 with RFC 7766 at https://ednscomp.isc.org/ednscomp/
2022-12-27T11:59:12Z
Ghost User

https://ednscomp.isc.org/ednscomp/1d4f143106 says
```
EDNS - over TCP Response (edns@512tcp)
dig +vc +nocookie +norec +noad +edns +dnssec +bufsize=512 dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC5966 and See RFC6891
```
Since RFC5966 is obsoleted by RFC 7766, the latter RFC shall be referenced.

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/34
False positives for "EDNS - Unknown Version Handling (edns1)" & "EDNS - Unknown Version with Unknown Option Handling (edns1opt)" ?
2019-02-13T15:43:28Z
Ghost User

Hi,
I tested some powerDNS servers for the DNS flag day.
Some warnings seem to be raised, about the unexpected presence of a SOA in the response, when a bad version/option is requested, for example for the powerdns.net zone :
https://ednscomp.isc.org/ednscomp/56b28c9733
However, a manual dig shows no SOA being returned :
```
$ dig +norec +noad +edns=1 +noednsneg soa powerdns.net. @79.137.83.215
; <<>> DiG 9.10.3-P4-Debian <<>> +norec +noad +edns=1 +noednsneg soa powerdns.net. @79.137.83.215
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 33660
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;powerdns.net. IN SOA
;; Query time: 221 msec
;; SERVER: 79.137.83.215#53(79.137.83.215)
;; WHEN: Wed Feb 13 12:03:36 CET 2019
;; MSG SIZE rcvd: 41
```
I was wondering if it could be a bug in the testing tool itself.
Greets to Stephane Bortzmeyer for the idea of performing a manual dig.

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/33
EDNS1
2019-02-06T22:22:08Z
Ghost User

Hello,
Can you please explain what is that EDNS1? I did not find any RFC about it.

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/32
Extend the DNS compliance tester so that it would be useful for TLD operators to do staged warnings.
2022-12-27T11:37:16Z
Mark Andrews

Extend the EDNS compliance tester so that it emits a staged warning stream at 120 days, 90 days, 60 days, 30 days, 15 days, 10 days, 5 days then daily for zones with broken servers.
This also needs to detect firewalls that are systematically blocking specific requests from packet loss. There needs to be a multi-day history of firewall detection before emitting the first warning.
It also needs to detect STD 13 (RFC 1034, RFC 1035) servers and not emit warnings if that is the only reason a server is otherwise flagged for EDNS protocol violations.

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/31
Please provide an alternative to autoconf
2022-12-27T11:10:22Z
Vicky Risk <vicky@isc.org>

Can you provide a configure script? I got the following questions from someone trying to run this on ... Solaris.
Sorry Mark, I have no idea what I am asking for here.
-------
It only comes with configure.ac so you need autoconf. I’ve seen the list of digs that you run, but if I eyeball them then the results are subject to my interpretation. And it’s the interpretation of the EDNS RFC that’s at the base of our current difficulties…..
-------
Do you have a version of ednscomp that I can run on a lab server that isn’t accessible from the internet? I tried downloading the source for genreport but I seem to need autoconf to generate a configure script….

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/30
report containing zone for no NS records if possible
2019-01-18T02:29:57Z
Mark Andrews

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/29
Issues with OpenSSL
2019-01-21T00:59:58Z
Ghost User

I am unable to get the ./configure && make && make install to complete successfully. OpenSSL is on the box, but I am running into this error
```
./configure: line 4730: syntax error near unexpected token `OPENSSL,'
./configure: line 4730: ` PKG_CHECK_MODULES(OPENSSL, crypto,'
```
based on some research I saw that I may need some of these packages:
build-essential libfuse-dev libcurl4-openssl-dev libxml2-dev mime-support automake libtool
Still getting the same error.
Here is the code at that line (with context)
```
# if pkg-config is installed and openssl has installed a .pc file,
# then use that information and don't search ssldirs
PKG_CHECK_MODULES(OPENSSL, crypto, #This is line 4730#
    found=true,
    ssldirs="$default_ssldirs")
```
OS is Ubuntu 18.04 with latest OS updates.

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/28
ednscomp web interface: empty answer for softel.cz.
2019-01-14T12:17:22Z
Petr Špaček <pspacek@isc.org>

Testing domain `softel.cz.` on ednscomp.isc.org produces an empty page with green `Ok`
That is confusing - could it print an explanatory message in this case?
Thank you!

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/27
all OK when it should be warning?
2022-12-27T13:15:00Z
Ghost User

My understanding is that edns1=ok should result in a warning. On some domains the web-based tool repeatedly returns 'all ok' even though the dig output shows ok for edns1.
example
https://ednscomp.isc.org/ednscomp/f04f6d9052

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/26
Undefined references in `dotest`
2019-01-11T17:43:58Z
Ghost User

On Debian stretch 9.6 I get this error in `make`:
```
make all-am
make[1]: Entering directory '/home/sebastianw/DNS-Compliance-Testing'
CC genreport.o
CCLD genreport
genreport.o: In function `dotest':
/home/sebastianw/DNS-Compliance-Testing/genreport.c:1629: undefined reference to `HMAC_CTX_new'
/home/sebastianw/DNS-Compliance-Testing/genreport.c:1632: undefined reference to `EVP_sha256'
/home/sebastianw/DNS-Compliance-Testing/genreport.c:1632: undefined reference to `HMAC_Init_ex'
/home/sebastianw/DNS-Compliance-Testing/genreport.c:1733: undefined reference to `HMAC_CTX_free'
/home/sebastianw/DNS-Compliance-Testing/genreport.c:1634: undefined reference to `HMAC_Update'
/home/sebastianw/DNS-Compliance-Testing/genreport.c:1640: undefined reference to `HMAC_Update'
/home/sebastianw/DNS-Compliance-Testing/genreport.c:1649: undefined reference to `HMAC_Update'
/home/sebastianw/DNS-Compliance-Testing/genreport.c:1663: undefined reference to `HMAC_Update'
/home/sebastianw/DNS-Compliance-Testing/genreport.c:1677: undefined reference to `HMAC_Update'
/home/sebastianw/DNS-Compliance-Testing/genreport.c:1679: undefined reference to `HMAC_Final'
/home/sebastianw/DNS-Compliance-Testing/genreport.c:1687: undefined reference to `HMAC_CTX_free'
genreport.o: In function `process':
/home/sebastianw/DNS-Compliance-Testing/genreport.c:2573: undefined reference to `HMAC_CTX_new'
/home/sebastianw/DNS-Compliance-Testing/genreport.c:2577: undefined reference to `EVP_sha256'
/home/sebastianw/DNS-Compliance-Testing/genreport.c:2577: undefined reference to `HMAC_Init_ex'
/home/sebastianw/DNS-Compliance-Testing/genreport.c:2583: undefined reference to `HMAC_Update'
/home/sebastianw/DNS-Compliance-Testing/genreport.c:2586: undefined reference to `HMAC_Update'
/home/sebastianw/DNS-Compliance-Testing/genreport.c:2592: undefined reference to `HMAC_Update'
/home/sebastianw/DNS-Compliance-Testing/genreport.c:2597: undefined reference to `HMAC_Update'
/home/sebastianw/DNS-Compliance-Testing/genreport.c:2602: undefined reference to `HMAC_Update'
genreport.o:/home/sebastianw/DNS-Compliance-Testing/genreport.c:2606: more undefined references to `HMAC_Update' follow
genreport.o: In function `process':
/home/sebastianw/DNS-Compliance-Testing/genreport.c:2620: undefined reference to `HMAC_Final'
/home/sebastianw/DNS-Compliance-Testing/genreport.c:2622: undefined reference to `HMAC_CTX_free'
/home/sebastianw/DNS-Compliance-Testing/genreport.c:2846: undefined reference to `HMAC_CTX_free'
collect2: error: ld returned 1 exit status
Makefile:382: recipe for target 'genreport' failed
make[1]: *** [genreport] Error 1
make[1]: Leaving directory '/home/sebastianw/DNS-Compliance-Testing'
Makefile:286: recipe for target 'all' failed
make: *** [all] Error 2
```
The executables are built fine however. Maybe a missing `-lssl` or `-lcrypto` somewhere?

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/25
DNS-Flag-day fail condition(s) is not clearly explained
2019-01-10T07:42:02Z
Ghost User

The website states that you 'must not have timeout result in any of plain DNS and EDNS version 0 test' and in the DNS Administrators part, however in the DNS software developers part it states 'This effectivelly means that all DNS servers which do not respond at all to EDNS queries are going to be treated as dead'
Should the part for owners not be more elaborate stating the same issue combining if ALL nameservers report such errors and the tool only reports a FAIL if this is the case. In some events the tool reports a zone error, simply because a zone with 3 NS (dual stacked) has only 1 nameserver with broken IPv6 will be considered broken.
So the test should say FAIL if _all_ nameservers are really broken, or report FAIL_UNDER_CONDITIONS saying it might work now, but failure of one or more nameservers will not provide the redundancy as expected.
For less experienced users of the tool it might be prudent to explicitly show which tests are EDNS version 0 and which are not.

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/24
Invalid JSON produced under certain options
2019-01-10T12:46:48Z
Ghost User

In several cases, but for example with -j (json output) -E (EDNS only) the output is an invalid JSON document. The problem lies in the array of tests and the splitting of its values. Looking at the text output its error is tests:
{ , dns:ok edns:ok ....
So because its limited tests it leaves a first , in the tests output. Removing this single character fixes the broken JSON. Please restructure the building of the JSON output and validate the JSON when outputting to prevent these errors.

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/22
No manual page is generated
2023-07-08T17:34:50Z
Petr Menšík

Is there any way to generate manual page for genreport tool?
I spent some time on it, I found [ronn](https://github.com/rtomayko/ronn) can be used to generate nice enough manual page, but basic structure of current markdown has to be changed.
Then this command would produce good enough manual page:
ronn --roff --pipe --manual="genreport(1)" --organization="Internet Systems Consortium" genreport.md
I think format of markdown html generated page is still very similar.
Is any other tool known to produce usable manual page?
[0001-Modify-a-bit-documentation-template.patch](/uploads/f16e8b3da17566410590a0b89c72d6cc/0001-Modify-a-bit-documentation-template.patch)

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/21
Deprecated _BSD_SOURCE
2018-12-26T22:19:21Z
Petr Menšík

When compiled on RHEL7 or Fedora 27, genreport generates warning
```
CC genreport.o
In file included from /usr/include/bits/libc-header-start.h:33:0,
from /usr/include/stdio.h:27,
from genreport.c:17:
/usr/include/features.h:183:3: warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE" [-Wcpp]
# warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE"
^~~~~~~
CCLD genreport
```
Proposed fix is to add _DEFAULT_SOURCE define as well before includes.
[0001-Fix-deprecated-_BSD_SOURCE-warning.patch](/uploads/91f297b095e07e9d4234af0ee8a1a50c/0001-Fix-deprecated-_BSD_SOURCE-warning.patch)

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/19
Using Latest Redhat 7.X ships still with BIND 9.9.4-RedHat-9.9.4-61.el7_5.1
2019-02-06T03:31:14Z
Ghost User

```
[root@xxx]# named -V
BIND 9.9.4-RedHat-9.9.4-61.el7_5.1 (Extended Support Version) <id:8f9657aa> built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--with-geoip' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-tuning=large' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
using OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
using libxml2 version: 2.9.1
dig -v
DiG 9.9.4-RedHat-9.9.4-61.el7_5.1
dig -h
Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
{global-d-opt} host [@local-server] {local-d-opt}
[ host [@local-server] {local-d-opt} [...]]
Where: domain is in the Domain Name System
q-class is one of (in,hs,ch,...) [default: in]
q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
(Use ixfr=version for type ixfr)
q-opt is one of:
-x dot-notation (shortcut for reverse lookups)
-i (use IP6.INT for IPv6 reverse lookups)
-f filename (batch mode)
-b address[#port] (bind to source address/port)
-p port (specify port number)
-q name (specify query name)
-t type (specify query type)
-c class (specify query class)
-k keyfile (specify tsig key file)
-y [hmac:]name:key (specify named base64 tsig key)
-4 (use IPv4 query transport only)
-6 (use IPv6 query transport only)
-m (enable memory usage debugging)
d-opt is of the form +keyword[=value], where keyword is:
+[no]vc (TCP mode)
+[no]tcp (TCP mode, alternate syntax)
+time=### (Set query timeout) [5]
+tries=### (Set number of UDP attempts) [3]
+retry=### (Set number of UDP retries) [2]
+domain=### (Set default domainname)
+bufsize=### (Set EDNS0 Max UDP packet size)
+ndots=### (Set NDOTS value)
+[no]edns[=###] (Set EDNS version) [0]
+[no]search (Set whether to use searchlist)
+[no]showsearch (Search with intermediate results)
+[no]defname (Ditto)
+[no]recurse (Recursive mode)
+[no]ignore (Don't revert to TCP for TC responses.)
+[no]fail (Don't try next server on SERVFAIL)
+[no]besteffort (Try to parse even illegal messages)
+[no]aaonly (Set AA flag in query (+[no]aaflag))
+[no]adflag (Set AD flag in query)
+[no]cdflag (Set CD flag in query)
+[no]cl (Control display of class in records)
+[no]cmd (Control display of command line)
+[no]comments (Control display of comment lines)
+[no]rrcomments (Control display of per-record comments)
+[no]question (Control display of question)
+[no]answer (Control display of answer)
+[no]authority (Control display of authority)
+[no]additional (Control display of additional)
+[no]stats (Control display of statistics)
+[no]short (Disable everything except short
form of answer)
+[no]ttlid (Control display of ttls in records)
+[no]all (Set or clear all display flags)
+[no]qr (Print question before sending)
+[no]nssearch (Search all authoritative nameservers)
+[no]identify (ID responders in short answers)
+[no]trace (Trace delegation down from root [+dnssec])
+[no]dnssec (Request DNSSEC records)
+[no]nsid (Request Name Server ID)
+[no]sigchase (Chase DNSSEC signatures)
+trusted-key=#### (Trusted Key when chasing DNSSEC sigs)
+[no]topdown (Do DNSSEC validation top down mode)
+[no]split=## (Split hex/base64 fields into chunks)
+[no]multiline (Print records in an expanded format)
+[no]onesoa (AXFR prints only one soa record)
global d-opts and servers (before host name) affect all queries.
local d-opts and servers (after host name) affect only that lookup.
-h (print help and exit)
-v (print version and exit)
So i filed a bug to https://bugzilla.redhat.com/show_bug.cgi?id=1640358
```
Description of problem:
```
9.9.13-P1 End-of-Life (EOL) as of July 2018
9.12.2-P2 Current-Stable Sept 2018 / Release Notes (HTML, PDF), EOL April 2019
9.11.4-P2 Current-Stable, ESV Sept 2018 / Release Notes (HTML, PDF), EOL Dec 2021
Version-Release number of selected component (if applicable):
scl
Installed Packages
Name : bind
Arch : x86_64
Epoch : 32
Version : 9.9.4
Release : 61.el7
Size : 4.3 M
Repo : installed
From repo : rhel-7-server-rpms
Summary : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
URL : http://www.isc.org/products/BIND/
License : ISC
```
How reproducible:
Try to use the EDNS Test https://ednscomp.isc.org/ednscomp with dig
Steps to Reproduce:
```
1.dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
2.dig +nocookie +norec +noad +ednsopt=100 soa zone @server
3.dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
4.dig +nocookie +norec +noad +ednsflags=0x80 soa zone @server
```
Actual results:
Option cookie, ednsneg not supported
Expected results:
see https://ednscomp.isc.org/ednscomp
Additional info:
```
https://tools.ietf.org/html/rfc7871
https://dnsflagday.net/
The current DNS suffers from unnecessary delays and an inability to deploy new features. To remediate these problems, vendors of DNS software BIND (ISC), Knot Resolver (CZ.NIC), PowerDNS, and Unbound (NLnet Labs) are going to remove certain workarounds on February 1st, 2019.
This change affects only sites which operate broken software. Are you affected?
Yes, on Redhat 7.x we cannot even test it.
```

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/18
Add support for matching glue to nameservers.
2018-10-17T17:41:45Z
Mark Andrews