Meanwhile, out in the real world, it seems DNS servers have been gentle to mostly-but-not-quite-compliant DNS installations.
The current DNS is unnecessarily slow and suffers from inability to deploy new features. To remediate these problems, vendors of DNS software and also big public DNS providers are going to remove certain workarounds on February 1st, 2019.
This change affects only sites which operate software which is not following published standards. Are you affected?
DNS Root servers that do not support the EDNS standard (standardised in 1999) will respond with badly formed responses. Caching or resolving DNS servers have been tolerant of these problems, but the code is fragile and prevents new features. Over time, DNS server software such as BIND will no longer compensate.
If you host domains on your own DNS software, or on an appliance such as a load balancer or firewall, you should verify that it is compliant and fix it if it is not. Check your domains at dnsflagday.net
Things that Matter
- Most hosted DNS services are already compliant – some test results are here
- BIND 9.14 (stable) will be released early 2019 – removes resolver workarounds for servers that misbehave when queried with EDNS.
- Companies who provide public resolvers (recursive servers) will, over a short period of time, drop workarounds and thus stop resolving broken domains
- Appliance vendors whose DNS engine is based on obsolete source code will also, over time, drop workarounds and stop resolving broken domains
- This presentation covers the topics nicely: Is your DNS server up-to-date? – http://loadays.org/files/plexis-edns-workaround-removal-loadays-2018.pdf
TLDR: DNS servers which do not respond at all to EDNS queries are going to be treated as dead.
Extension mechanisms for DNS (EDNS) is a specification for expanding the size of several parameters of the Domain Name System (DNS) protocol which had size restrictions that the Internet engineering community deemed too limited for increasing functionality of the protocol. The first set of extensions was published in 1999 by the Internet Engineering Task Force as RFC 2671, also known as EDNS0.
– Extension mechanisms for DNS – Wikipedia – Retrieved 16 Jan, 2019
RFC 6891 defines a backward compatible mechanism to signal support for new DNS options. The original specification includes support for DNS responses larger than 512 bytes, extended response codes, etc.
Until now, EDNS servers would respond to legacy DNS requests:
The mechanism is backward compatible, because older DNS responders ignore any RR of the unknown OPT type in a request and a newer DNS responder never includes an OPT in a response unless there was one in the request. The presence of the OPT in the request signifies a newer requester that knows what to do with an OPT in the response.
– Retrieved 16 Jan, 2019
As I understand it, new features for DNS means that supporting legacy DNS is holding back progress.
So, what’s the problem?
- Authoritative DNS servers block responses, or don’t answer, or answer with the
- In general, bad implementations of DNS not following the standards
- Poorly implemented firewalls in the path, or poor firewall rules that block valid traffic or are unaware of the standards
- Resolvers have to send a query, wait for a timeout and retry using a different method: TCP, or discard EDNS
- This forces delays and thwarts innovation and the deployment of new features
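As an added example (not code from this post, from ISC or from dnsflagday.net), here is a small standalone Python check of the behaviour described above: it builds one query carrying an EDNS0 OPT RR and one legacy query without it, sends both to an authoritative server over UDP, and classifies the outcome, so a server that answers the legacy query but stays silent on the EDNS one shows up as the "dead" case. The OPT wire layout follows RFC 6891; the query ID, the advertised 1232-byte UDP size and the server/domain you pass in are assumptions of this example.

```python
import socket, struct

def build_query(qname, qtype=1, edns=True, udp_size=1232):
    """Build a DNS query for qname (A by default); edns=False sends a legacy query with no OPT RR."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)  # fixed ID for the demo
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00" + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR (RFC 6891): root name, TYPE=41, CLASS=advertised UDP size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0) if edns else b""
    return header + question + opt

def skip_name(msg, off):  # advance past a domain name; a 2-byte compression pointer (0xC0..) ends it
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_response(msg):
    """Return (rcode, has_opt, udp_size); rcode includes the extended bits from the OPT RR when present."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd): off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    rcode, has_opt, udp_size = flags & 0xF, False, 512
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:  # OPT: CLASS carries the UDP size, the top 8 TTL bits the extended RCODE
            has_opt, udp_size, rcode = True, rclass, rcode | ((ttl >> 24) << 4)
    return rcode, has_opt, udp_size

def classify(edns_reply, plain_reply):
    """Map the EDNS and legacy replies (bytes, or None on timeout) onto the Flag Day outcomes."""
    if edns_reply is None:  # no answer to the EDNS query at all: treated as dead after Flag Day
        return "dead" if plain_reply is not None else "unreachable"
    rcode, has_opt, _ = parse_response(edns_reply)
    if not has_opt:
        return "ignores EDNS (no OPT in reply)" if rcode == 0 else f"rejects EDNS (rcode {rcode})"
    return "compliant"

def probe(server, qname, timeout=3.0):
    """Send an EDNS query and then a legacy one to server:53 over UDP; None marks a timeout."""
    def send(edns):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(qname, edns=edns), (server, 53))
            try:
                return s.recv(4096)
            except socket.timeout:
                return None
    return send(True), send(False)
```

Run `classify(*probe(server_ip, "your.domain"))` against each of your authoritative servers (and through any load balancer or firewall in front of them); "dead" is the case that turns into a resolution failure once resolvers drop the workarounds.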
The ISC has determined that most internet domain names are using EDNS so forcing compliance will have limited impact.
The ISC is responsible for DNS and DHCP for the public benefit of the internet. It works closely with the IETF to publish standards on DNS and DHCP.
Founded in 1994, ISC develops and distributes three open source Internet networking software packages: BIND 9, ISC DHCP, and Kea DHCP. BIND 9, ISC’s Domain Name System (DNS) software program, is widely used on the Internet by enterprises and service providers, offering a robust and stable platform on top of which organizations can build distributed computing systems.
Other Things to Check
- Check that any load-balancers or DNS proxies are compliant (and/or correctly configured)?
- Do you have firewalls or routers that are trying to inspect DNS packets but which don’t understand modern DNS protocol?
- Does your infrastructure block DNS over TCP?
- Test your public domain and your provider – DNS Flag Day Site – https://dnsflagday.net/
Presentation : UKNOF 42 – DNS Flag day and beyond – how will it affect you? – Cathy Almond, ISC https://indico.uknof.org.uk/event/44/contributions/580/attachments/886/1082/UKNOF42-DNS-Flag_Day-2019-01-15-CA3.pdf
(Video should appear on UKNOF Conf youtube in a few days I hope)
DNS Flag Day – February 1, 2019 | Internet Systems Consortium : https://www.isc.org/blogs/dns-flag-day/
DNS Flag Day Site – You can test your domain here