Happy DNS Flag Day Everyone!
There is a problem with the internet, and it isn't just trolls; it's DNS. Okay, technically the problem isn't with the Domain Name System (DNS) itself, but with the way some DNS servers and network devices implement it, and with the workarounds that DNS resolvers (the client-side systems that translate a name such as www.example.com into the IP address of the resource requested) have accumulated over the years to cope with them.
This article is intended to provide an understandable summary of the problems that led to the creation of DNS flag day and what it may mean for you and your domains. So if you care to know more, read on!
What is the Problem?
The Domain Name System as we know it was developed in the 1980s and received significant updates in 1999 and 2013, when Extension Mechanisms for DNS (EDNS, RFC 2671 and its revision RFC 6891) were introduced and refined. EDNS adds an OPT pseudo-record to queries and responses to lift several limits of the original protocol that had become too restrictive for growth, most visibly the 512-byte cap on UDP responses, and to signal new capabilities between client and server.
Unfortunately, not everyone has adhered to these standards: some authoritative DNS server implementations, firewalls and load balancers mishandle EDNS queries or silently drop them. As a result, resolver developers have implemented workarounds over the years to mitigate the failures this non-compliant behaviour causes, for example retrying a query without EDNS after the first attempt times out. These workarounds cost extra round trips, soft failures and delays before a name finally resolves, slowing down DNS resolution overall. In simpler terms, until now they've been applying a band-aid fix on top of a band-aid fix; eventually the time comes to "rip it all off" and fix the actual problem.
What’s Being Done?
After years of dealing with these issues, the major open-source DNS server vendors of the world, including CZ.NIC, ISC, PowerDNS, and NLnet Labs, announced a plan in March of 2018 to deprecate these workarounds: a cutoff date dubbed DNS flag day. The date chosen as the beginning of the end, disowning these non-compliant implementations in favor of clean and better functioning DNS, is today, February 1st, 2019.
What Does That Mean?
- As an Administrator - On or around Feb 1st, 2019, the major open source resolver vendors involved in, or observing, DNS Flag Day will release updates that stop working around non-compliant servers. In particular, a resolver will no longer fall back to a plain (non-EDNS) query when an EDNS query goes unanswered; the timeout is treated as a server failure instead. Domains whose authoritative servers, or the firewalls in front of them, drop EDNS queries may become unreachable through resolvers that have applied these updates.
Specifically, the following resolver versions no longer accommodate servers that fail to answer EDNS queries:
- BIND 9.13.3 (development) and 9.14.0 (production)
- Knot Resolver has already implemented stricter EDNS handling in all current versions
- PowerDNS Recursor 4.2.0
- Unbound 1.9.0
As for Windows Server administrators, Microsoft’s statement includes the following:
Administrators will need to install enhancements when they become available on Windows Updates. You can also look for EDNS compliance related updates in the Windows Update History Knowledge Base articles under "Improvements and fixes."
- Domain Owners - If the authoritative name servers your DNS service provider runs for your domain are not EDNS compliant (or sit behind a firewall that drops EDNS queries), your domains could become unresponsive or unreliable for users of updated resolvers until the configuration is corrected. The official DNS flag day website provides a helpful form to Test your domain if you are concerned you may be affected.
- Everyone Else - For the most part, only DNS resolver administrators or domain owners need to be concerned, but that's not to say it doesn't affect anyone else. If a domain you visit is hosted on faulty authoritative DNS servers, you may be unable to access that website until the issue is corrected.
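To make the EDNS test concrete, here is a small probe, added as an example for this article and not taken from the DNS flag day site or any vendor's tester. It builds the two queries the official test sends to an authoritative server (one plain, one carrying an EDNS0 OPT record), parses the reply to see whether the server echoed an OPT record, and classifies the result the way the flag day treats it: a server that answers plain DNS but never answers the EDNS query is the case updated resolvers stop working around. The response bytes used for the self-check are constructed in the script; the `probe()` function sends the real queries over UDP and the server address, name and 3-second timeout passed to it are assumptions you replace with your own.

```python
"""Build, parse and classify EDNS0 probes (example code for this article)."""
import socket
import struct

OPT_TYPE = 41     # RFC 6891 OPT pseudo-RR
SOA_TYPE = 6
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=SOA_TYPE, txid=0x1234, edns=True, udp_size=4096):
    """Return a wire-format query; with edns=True an OPT RR is appended to the
    additional section, which is what distinguishes an EDNS0 probe from a
    plain DNS query (the flag day tester sends both)."""
    flags = 0x0100                      # RD (recursion desired)
    arcount = 1 if edns else 0
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack(">HH", qtype, CLASS_IN)
    if not edns:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
    # TTL=extended-rcode/version/flags (all zero), RDLEN=0 -> 11 bytes
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes
            return off + 2
        off += 1 + length


def parse_response(data):
    """Walk every section of a reply and report RCODE and EDNS details."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    info = {"id": txid, "rcode": flags & 0xF, "has_opt": False,
            "udp_size": None, "edns_version": None, "answers": an}
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            info["has_opt"] = True
            info["udp_size"] = rclass               # CLASS carries the UDP size
            info["edns_version"] = (ttl >> 16) & 0xFF
            info["rcode"] |= (ttl >> 24) << 4        # top 8 bits extend RCODE
    return info


def classify(plain, edns):
    """plain/edns are reply bytes, or None when the query timed out."""
    if plain is None:
        return "dead: no answer even to plain DNS"
    if edns is None:
        return "drops EDNS: will fail with flag-day resolvers"
    info = parse_response(edns)
    if info["has_opt"]:
        return "compliant: EDNS0 OPT echoed (udp size %d)" % info["udp_size"]
    return "no EDNS: answered without OPT (rcode %d)" % info["rcode"]


def fake_response(query, rcode=0, with_opt=True):
    """Constructed test data: turn one of our queries into a minimal reply."""
    txid, _flags, qd, an, ns, ar = struct.unpack(">HHHHHH", query[:12])
    body = query[12:]
    if not with_opt and ar:
        body, ar = body[:-11], 0        # strip the 11-byte OPT we appended
    flags = 0x8000 | 0x0100 | 0x0080 | (rcode & 0xF)  # QR, RD, RA, RCODE
    return struct.pack(">HHHHHH", txid, flags, qd, an, ns, ar) + body


def probe(server, name, timeout=3.0):
    """Send the plain and EDNS queries to an authoritative server over UDP.
    Assumed usage: probe("192.0.2.53", "example.com")  (addresses are yours)."""
    results = []
    for edns in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(name, edns=edns), (server, 53))
            try:
                results.append(sock.recv(4096))
            except socket.timeout:
                results.append(None)
    return classify(*results)


if __name__ == "__main__":
    q = build_query("example.com")
    print(classify(fake_response(build_query("example.com", edns=False)), None))
    print(classify(fake_response(q, with_opt=False), fake_response(q)))
```

Run it against each of your domain's name servers in turn (`probe(ns_ip, "yourdomain.example")`); a "drops EDNS" verdict on any of them is the condition the official test flags, and it is usually a firewall or load balancer in front of the server rather than the DNS software itself.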
Does This Mean The Internet is Broken?
Nope! Not to worry, most of the major DNS providers backed this project or stated their intention to comply with the established standards. For your peace of mind, here is a list of providers that we know of that have done so:
- DNS flag day listed Supporters
- Other Service Providers / Vendors
- Microsoft Azure
- Amazon Route53 (mostly... expect a possible warning but EDNS is supported)
- F5 BIG-IP
- Juniper: Older versions of the Juniper SRX will drop EDNS packets by default. The workaround is to disable DNS doctoring via # set security alg dns doctoring none. Upgrade to latest versions for EDNS support.
So Do I Need to Do Anything?
Assuming you’re either a DNS Administrator that’s on top of their game, or a domain owner with a reputable DNS provider, you should have nothing to worry about. As we listed above, a large number of the "big name" DNS service providers are either direct supporters of DNS flag day, or they have publicly announced their compliance, or at least their intention to do so. If you think one of your domains is experiencing a DNS-related issue, reach out to our Support team and we will help you troubleshoot the issue you are having.
As always, the Cozaq Support team is ready and waiting should you have any questions or concerns about this, or any aspect of your hosting solution.