Package: bind9
Version: 1:9.10.3.dfsg.P4-12.3+deb9u5
Severity: normal

Hello,

Please deliver a default configuration which prevents fragmentation of UDP EDNS datagrams.

DNS Flag Day 2020 is focusing "on the operational and security problems in DNS caused by Internet Protocol packet fragmentation."
https://dnsflagday.net/

They recommend:

    options {
        edns-udp-size 1232;
        max-udp-size 1232;
    };

FYI, it seems the DNS Flag Day people involve some big players. They are interested in removing work-arounds from their own systems which provide interoperability with other people's poorly configured or poorly operating DNS servers.

Regards,

Karl

-- System Information:
Debian Release: 9.11
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-11-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bind9 depends on:
ii  adduser                3.115
ii  bind9utils             1:9.10.3.dfsg.P4-12.3+deb9u5
ii  debconf [debconf-2.0]  1.5.61
ii  init-system-helpers    1.48
ii  libbind9-140           1:9.10.3.dfsg.P4-12.3+deb9u5
ii  libc6                  2.24-11+deb9u4
ii  libcap2                1:2.25-1
ii  libcomerr2             1.43.4-2+deb9u1
ii  libdns162              1:9.10.3.dfsg.P4-12.3+deb9u5
ii  libgeoip1              1.6.9-4
ii  libgssapi-krb5-2       1.15-1+deb9u1
ii  libirs141              1:9.10.3.dfsg.P4-12.3+deb9u5
ii  libisc160              1:9.10.3.dfsg.P4-12.3+deb9u5
ii  libisccc140            1:9.10.3.dfsg.P4-12.3+deb9u5
ii  libisccfg140           1:9.10.3.dfsg.P4-12.3+deb9u5
ii  libk5crypto3           1.15-1+deb9u1
ii  libkrb5-3              1.15-1+deb9u1
ii  liblwres141            1:9.10.3.dfsg.P4-12.3+deb9u5
ii  libssl1.0.2            1.0.2t-1~deb9u1
ii  libxml2                2.9.4+dfsg1-2.2+deb9u2
ii  lsb-base               9.20161125
ii  net-tools              1.60+git20161116.90da8a0-1
ii  netbase                5.4

bind9 recommends no packages.

Versions of packages bind9 suggests:
ii  bind9-doc   1:9.10.3.dfsg.P4-12.3+deb9u5
ii  dnsutils    1:9.10.3.dfsg.P4-12.3+deb9u5
pn  resolvconf  <none>
pn  ufw         <none>

-- debconf information excluded
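
A way to check an existing named.conf against the two recommended settings, as an added example that is not part of the bug report or of the Debian bind9 package. The function names and both sample configurations are constructed for illustration; an option that is absent is reported as "unset" because the value then in effect depends on the BIND build, and any value of 1232 or less is treated as acceptable.

```python
import re

FLAG_DAY_LIMIT = 1232  # value recommended in the report above
OPTIONS = ("edns-udp-size", "max-udp-size")

def strip_comments(text):
    """Drop /* */, // and # comments (simplification: ignores quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def options_block(text):
    """Return the body of the top-level options { ... } block, or ''."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:          # matching close of options { ... }
                return text[start:i]
    return ""  # unbalanced braces: treat as no usable options block

def audit(conf_text):
    """Map each option to (value, verdict): 'ok', 'too-large' or 'unset'."""
    body = options_block(strip_comments(conf_text))
    result = {}
    for name in OPTIONS:
        m = re.search(r"(?<![\w-])%s\s+(\d+)\s*;" % re.escape(name), body)
        if m is None:
            result[name] = (None, "unset")
            continue
        value = int(m.group(1))
        result[name] = (value, "ok" if value <= FLAG_DAY_LIMIT else "too-large")
    return result

# Constructed samples: one with the setting commented out, one as recommended.
SAMPLE_DEFAULT = """options {
    directory "/var/cache/bind";   // nested blocks and comments are handled
    listen-on-v6 { any; };
    # edns-udp-size 1232;
    max-udp-size 4096;
};"""
SAMPLE_FIXED = "options { edns-udp-size 1232; max-udp-size 1232; };"

if __name__ == "__main__":
    for label, conf in (("default", SAMPLE_DEFAULT), ("fixed", SAMPLE_FIXED)):
        print(label, audit(conf))
```

The check reads only the `options` block of the text it is given; it does not follow `include` directives.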