add documentation

5e371908 · Evan Hunt · Mark Andrews · 615ebc39 · 5e371908 · 5e371908
Commit 5e371908 authored Aug 30, 2018 by Evan Hunt Committed by Mark Andrews Aug 31, 2018
--- a/CHANGES
+++ b/CHANGES
+5029.	[func]		Workarounds for servers that misbehave when queried
+			with EDNS have been removed, because these broken
+			servers and the workarounds for their noncompliance
+			cause unnecessary delays, increase code complexity,
+			and prevent deployment of new DNS features. See
+			https://dnsflagday.net for further details. [GL #150]
+
 5028.	[bug]		Spread the initial RRSIG expiration times over the
 			entire working sig-validity-interval when signing a
 			zone in named to even out re-signing and transfer

--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -17139,7 +17139,58 @@ allow-query { !{ !10/8; any; }; key example; };
 	    source of hints and information that can be used to figure out
 	    what went wrong and how to fix the problem.
 	  </para>
+	</section>
  
+	<section><info><title>EDNS compliance issues</title></info>
+	  <para>
+	    EDNS (Extended DNS) is a standard that was first specified
+	    in 1999. It is required for DNSSEC validation, DNS COOKIE
+	    options, and other features. There are broken and outdated
+	    DNS servers and firewalls still in use which misbehave when
+	    queried with EDNS; for example, they may drop EDNS queries
+	    rather than replying with FORMERR. BIND and other recursive
+	    name servers have traditionally employed workarounds in this
+	    situation, retrying queries in different ways and eventually
+	    falling back to plain DNS queries without EDNS.
+	  </para>
+	  <para>
+	    Such workarounds cause unnecessary resolution delays,
+	    increase code complexity, and prevent deployment of new DNS
+	    features. As of February 2019, all major DNS software vendors
+	    have agreed to remove these workarounds; see
+	    <link xmlns:xlink="http://www.w3.org/1999/xlink"
+	      xlink:href="https://dnsflagday.net">https://dnsflagday.net</link>
+	    for further details. This change was implemented in BIND
+	    as of release 9.14.0.
+	  </para>
+	  <para>
+	    As a result, some domains may be non-resolvable without manual
+	    intervention.  In these cases, resolution can be restored by
+	    adding <command>server</command> clauses for the offending
+	    servers, specifying <command>edns no</command> or
+	    <command>send-cookie no</command>, depending on the specific
+	    noncompliance.
+	  </para>
+	  <para>
+	    To determine which <command>server</command> clause to use,
+	    run the following commands to send queries to the authoritative
+	    servers for the broken domain:
+	  </para>
+  <literallayout>
+	    dig soa &lt;zone&gt; @&lt;server&gt; +dnssec
+	    dig soa &lt;zone&gt; @&lt;server&gt; +dnssec +nocookie
+	    dig soa &lt;zone&gt; @&lt;server&gt; +noedns
+  </literallayout>
+	  <para>
+	    If the first command fails but the second succeeds, the
+	    server most likely needs <command>send-cookie no</command>.
+	    If the first two fail but the third succeeds, then the server
+	    needs EDNS to be fully disabled with <command>edns no</command>.
+	  </para>
+	  <para>
+	    Please contact the administrators of noncompliant domains
+	    and encourage them to upgrade their broken DNS servers.
+	  </para>
 	</section>
      </section>
      <section><info><title>Incrementing and Changing the Serial Number</title></info>

--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -156,6 +156,47 @@

  <section xml:id="relnotes_removed"><info><title>Removed Features</title></info>
    <itemizedlist>
+      <listitem>
+	<para>
+	  Workarounds for servers that misbehave when queried with EDNS
+	  have been removed, because these broken servers and the
+	  workarounds for their noncompliance cause unnecessary delays,
+	  increase code complexity, and prevent deployment of new DNS
+	  features. See <link xmlns:xlink="http://www.w3.org/1999/xlink"
+	    xlink:href="https://dnsflagday.net">https://dnsflagday.net</link>
+	  for further details.
+	</para>
+	<para>
+	  In particular, resolution will no longer fall back to
+	  plain DNS when there was no response from an authoritative
+	  server.  This will cause some domains to become non-resolvable
+	  without manual intervention.  In these cases, resolution can
+	  be restored by adding <command>server</command> clauses for the
+	  offending servers, specifying <command>edns no</command> or
+	  <command>send-cookie no</command>, depending on the specific
+	  noncompliance.
+	</para>
+	<para>
+	  To determine which <command>server</command> clause to use, run
+	  the following commands to send queries to the authoritative
+	  servers for the broken domain:
+	</para>
+<literallayout>
+	  dig soa &lt;zone&gt; @&lt;server&gt; +dnssec
+	  dig soa &lt;zone&gt; @&lt;server&gt; +dnssec +nocookie
+	  dig soa &lt;zone&gt; @&lt;server&gt; +noedns
+</literallayout>
+	<para>
+	  If the first command fails but the second succeeds, the
+	  server most likely needs <command>send-cookie no</command>.
+	  If the first two fail but the third succeeds, then the server
+	  needs EDNS to be fully disabled with <command>edns no</command>.
+	</para>
+	<para>
+	  Please contact the administrators of noncompliant domains
+	  and encourage them to upgrade their broken DNS servers. [GL #150]
+	</para>
+      </listitem>
      <listitem>
 	<para>
 	  Previously, it was possible to build BIND without thread support