[j-nsp] DNS Flag Day

Olivier Benghozi olivier.benghozi at wifirst.fr
Fri Jan 25 07:21:48 EST 2019


It would mean that they run something older than 10.2 JunOS, that is a prehistoric release, which would be criminal in terms of security.
Anyway, putting stateful firewalls in front of DNS servers is a nonsense from the beginning.

> On 25 Jan 2019 at 13:06, Christian Scholz <chs at ip4.de> wrote:
> 
> What they told you sounds like bullshit to me. From 10.2 on there are no special settings required. Maybe they don’t know how to do it?
> 
> So I guess they are just very lazy or don’t know better and blame the firewall... I pray for you that they don’t run code below 10.2...
> 
> https://kb.juniper.net/InfoCenter/index?page=content&id=KB23569&cat=SRX_5600_1&actp=LIST
> 
> 
> On 25.01.2019 at 12:53, sthaug at nethelp.no wrote:
> 
>>> When doing some investigation for the upcoming DNS Flag Day (https://dnsflagday.net: February 1st 2019) I got some bad news from one of the service providers: they use Juniper SRX firewalls, and claim that they can't properly support EDNS because of a bug in their SRX firewalls. This seems outrageous to me. Is this just because they haven't upgraded their JunOS for years, they're running ancient DNS server software, or is there really a problem?
>> 
>> See
>> 
>> https://mailman.nanog.org/pipermail/nanog/2019-January/099180.html
>> 
>> "Juniper and Checkpoint have newer code that doesn't do this."


