Using Latest Redhat 7.X ships still with BIND 9.9.4-RedHat-9.9.4-61.el7_5.1
[root@xxx]# named -V
BIND 9.9.4-RedHat-9.9.4-61.el7_5.1 (Extended Support Version) <id:8f9657aa> built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--with-geoip' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-tuning=large' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
using OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
using libxml2 version: 2.9.1
dig -v
DiG 9.9.4-RedHat-9.9.4-61.el7_5.1
dig -h
Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
{global-d-opt} host [@local-server] {local-d-opt}
[ host [@local-server] {local-d-opt} [...]]
Where: domain is in the Domain Name System
q-class is one of (in,hs,ch,...) [default: in]
q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
(Use ixfr=version for type ixfr)
q-opt is one of:
-x dot-notation (shortcut for reverse lookups)
-i (use IP6.INT for IPv6 reverse lookups)
-f filename (batch mode)
-b address[#port] (bind to source address/port)
-p port (specify port number)
-q name (specify query name)
-t type (specify query type)
-c class (specify query class)
-k keyfile (specify tsig key file)
-y [hmac:]name:key (specify named base64 tsig key)
-4 (use IPv4 query transport only)
-6 (use IPv6 query transport only)
-m (enable memory usage debugging)
d-opt is of the form +keyword[=value], where keyword is:
+[no]vc (TCP mode)
+[no]tcp (TCP mode, alternate syntax)
+time=### (Set query timeout) [5]
+tries=### (Set number of UDP attempts) [3]
+retry=### (Set number of UDP retries) [2]
+domain=### (Set default domainname)
+bufsize=### (Set EDNS0 Max UDP packet size)
+ndots=### (Set NDOTS value)
+[no]edns[=###] (Set EDNS version) [0]
+[no]search (Set whether to use searchlist)
+[no]showsearch (Search with intermediate results)
+[no]defname (Ditto)
+[no]recurse (Recursive mode)
+[no]ignore (Don't revert to TCP for TC responses.)
+[no]fail (Don't try next server on SERVFAIL)
+[no]besteffort (Try to parse even illegal messages)
+[no]aaonly (Set AA flag in query (+[no]aaflag))
+[no]adflag (Set AD flag in query)
+[no]cdflag (Set CD flag in query)
+[no]cl (Control display of class in records)
+[no]cmd (Control display of command line)
+[no]comments (Control display of comment lines)
+[no]rrcomments (Control display of per-record comments)
+[no]question (Control display of question)
+[no]answer (Control display of answer)
+[no]authority (Control display of authority)
+[no]additional (Control display of additional)
+[no]stats (Control display of statistics)
+[no]short (Disable everything except short
form of answer)
+[no]ttlid (Control display of ttls in records)
+[no]all (Set or clear all display flags)
+[no]qr (Print question before sending)
+[no]nssearch (Search all authoritative nameservers)
+[no]identify (ID responders in short answers)
+[no]trace (Trace delegation down from root [+dnssec])
+[no]dnssec (Request DNSSEC records)
+[no]nsid (Request Name Server ID)
+[no]sigchase (Chase DNSSEC signatures)
+trusted-key=#### (Trusted Key when chasing DNSSEC sigs)
+[no]topdown (Do DNSSEC validation top down mode)
+[no]split=## (Split hex/base64 fields into chunks)
+[no]multiline (Print records in an expanded format)
+[no]onesoa (AXFR prints only one soa record)
global d-opts and servers (before host name) affect all queries.
local d-opts and servers (after host name) affect only that lookup.
-h (print help and exit)
-v (print version and exit)
So i filed a bug to https://bugzilla.redhat.com/show_bug.cgi?id=1640358
Description of problem:
9.9.13-P1 End-of-Life (EOL) as of July 2018
9.12.2-P2 Current-Stable Sept 2018 / Release Notes (HTML, PDF), EOL April 2019
9.11.4-P2 Current-Stable, ESV Sept 2018 / Release Notes (HTML, PDF), EOL Dec 2021
Version-Release number of selected component (if applicable):
scl
Installed Packages
Name : bind
Arch : x86_64
Epoch : 32
Version : 9.9.4
Release : 61.el7
Size : 4.3 M
Repo : installed
From repo : rhel-7-server-rpms
Summary : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
URL : http://www.isc.org/products/BIND/
License : ISC
How reproducible: Try to use the EDNS Test https://ednscomp.isc.org/ednscomp with dig
Steps to Reproduce:
1.dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
2.dig +nocookie +norec +noad +ednsopt=100 soa zone @server
3.dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
4.dig +nocookie +norec +noad +ednsflags=0x80 soa zone @server
Actual results:
Option cookie, ednsneg not supported
Expected results: see https://ednscomp.isc.org/ednscomp
Additional info:
https://tools.ietf.org/html/rfc7871
https://dnsflagday.net/
The current DNS suffers from unnecessary delays and an inability to deploy new features. To remediate these problems, vendors of DNS software BIND (ISC), Knot Resolver (CZ.NIC), PowerDNS, and Unbound (NLnet Labs) are going to remove certain workarounds on February 1st, 2019.
This change affects only sites which operate broken software. Are you affected?
Yes, on Redhat 7.x we cannot even test it.