Peplink DNS, DNSSEC, EDNS


#1

Urgent request for Peplink to update the code for their DNS to support EDNS and DNSSEC. Major DNS services on the internet will implement new policies soon.
" Starting February 1st, 2019 there will be no attempt to disable EDNS as reaction to a DNS query timeout.
This effectivelly means that all DNS servers which do not respond at all to EDNS queries are going to be treated as dead . It is important to note that EDNS is still not mandatory. If you decide not to support EDNS it is “okay” as long as your software replies according to EDNS standard section 7. ." https://dnsflagday.net/

I feel that supporting DNSSEC (introduced in 1997) is long overdue. Full EDNS compliance can provide support for DNS cookies (introduced 2014) to help mitigate DNS DDOS attacks, which are on the rise. https://www.isc.org/blogs/partial-edns-compliance-hampers-deployment-of-new-dns-features/


#2

This has already been noted. We are working on it. It will be addressed before the deadline.


#3

The DDNS service has been updated. Tests passed.
image


#4

Do you have an ETA for a firmware update for the DNS services on our dual Balance 2500’s?


#5

Is there any additional information available on a firmware update/release regarding DNS by the first week of January 2019? If our pair of peplink balance 2500’s will not comply with DNSSEC and EDNS policies, we will be forced to abandon them completely and install and test another solution prior to Feb 1st. I don’t want to wait until Jan 31st to begin a new rollout for our external DNS solution. Thank You


#7

Can you please provide an ETA for this feature ?
In fact we cannot wait until the last day before the 1st of Feb…

Regards,

HA


#9

Since there is no ETA for EDNS, DNSSEC, or even an indication of compliance in DNS response,etc…come Jan 11th I will have 2 each Balance 2500’s for sale - they were installed in 2017 and have about 1.5 years of full warranty left. I can’t continue to use them as our auth DNS which was their only remaining function since BGP compatibility wasn’t available at the time we were forced to move to BGP. They’ve been a terrific product for certain applications, but they are getting further and further behind in their compatibility with today’s networking standards and security. Contact me if you are interested in purchasing.


#10

We are actually working on the DNS flag day compliance support.
7.1.2 special firmware will be ready to release on the coming week and the support will also be included in 8.0.0 GA firmware.
We will keep you posted here when the special build is ready.


#11

Hi Peplink Team,

It seems that release 8.0.0 (Beta release) is available.
Does it support EDNS ?
No info in the release notes…

Regards,

HA


#12

@HA13029

The latest version 8.0 beta 2 is not included the enhancement yet. Confirmed with Engineering team version 8.0 GA will included the feature.

We will have the special firmware for 7.1.2 that compliance with EDNS, DNSSEC this week. We will post the download link here when the firmware is ready.


Special updated Firmware 7.1.2 and 6.3.5 with EDNS compliance
#13

Will this be backported to 6.3.4 for older HW versions? This will make older hardware obsolete if not.


#14

Yes, we will have a special firmware for the older hardware version!


#15

Any chance we get the release one week BEFORE the deadline ?
Customers start to become really nervous…

Regards,

HA


#16

my customer wait update.


#17

now firmware 7.1.2 support DNS flag day?
or wait 7.1.2 special firmware?


#18

Hi Peplink team,

It’s now absolutely required to get the exact date of the release !
We receive a lot of complains from our customers about the lack of information from Peplink support about this issue

EDNS flag is well known since a while and seems to be ignored by Peplink…
We are ten days before the deadline…

Regards,

HA


#19

Special build 7.1.2 firmware with EDNS compliance has now been published.
See: Special updated Firmware 7.1.2 with EDNS compliance


#20

Many thanks for your help !