dnsflagday

What is happening?

The current DNS suffers from unnecessary delays and an inability to deploy new features. To remediate these problems, the vendors of the DNS software BIND (ISC), Knot Resolver (CZ.NIC), PowerDNS, and Unbound (NLnet Labs) are going to remove certain workarounds on February 1st, 2019.

This change affects only sites which operate broken software. Are you affected?

Domain owners

Please check if your domain is affected:

DNS administrators

It is possible to test your DNS servers using the tool ednscomp. Simply enter the name of a zone hosted on your DNS servers into the zone name field and click the Submit button.

The summary result of the ednscomp tests must be the green message "All Ok".

If there is a problem, the ednscomp tool displays an explanation for each failed test. Failures in these tests are typically caused by outdated DNS software or by firewall rules that block DNS packets carrying EDNS options, as described below.

To remediate problems, please upgrade your DNS software to the latest stable versions and test again. If the tests are still failing even after a DNS upgrade, please check your firewall configuration.

Firewalls must not drop DNS packets with EDNS extensions, including unknown extensions. Modern DNS software may deploy new extensions (e.g. DNS cookies to protect from DoS attacks). Firewalls which drop DNS packets with such extensions are making the situation worse for everyone, including worsening DoS attacks and inducing higher latency for DNS traffic.

DNS software developers

The main change is that DNS software from the vendors named above will interpret timeouts as a sign of a network or server problem. Starting February 1st, 2019 there will be no attempt to disable EDNS as a reaction to a DNS query timeout.

This effectively means that all DNS servers which do not respond at all to EDNS queries are going to be treated as dead.

Please test your implementations using the ednscomp tool to make sure that you handle EDNS properly. Source code of the tool is available as well.

It is important to note that EDNS is still not mandatory. If you decide not to support EDNS, that is okay as long as your software replies according to the EDNS standard (RFC 6891) section 7: a responder that does not implement EDNS must answer a query carrying an OPT record with RCODE FORMERR and must not include an OPT record in its response. Ignoring the query, or silently dropping it, is not an option.
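The following is an added example, not code from this page or from the ednscomp tool, showing the exchange that matters for both points above: a resolver-style probe that sends a query with an EDNS(0) OPT pseudo-RR (RFC 6891) and classifies what comes back as "EDNS supported", "no EDNS but RFC 6891 section 7 compliant (FORMERR, no OPT)", "answered as plain DNS while ignoring the OPT record", or "no answer at all", which is the case the resolvers named above will treat as a dead server from February 1st, 2019. The function names, the chosen UDP payload size of 1232 and the constructed replies used for the offline demonstration are all assumptions made for this example; `probe()` is the only part that talks to a real server.

```python
import socket
import struct
from typing import Optional

OPT_TYPE = 41        # RFC 6891: the OPT pseudo-RR type code
RCODE_FORMERR = 1
QTYPE_A = 1


def build_edns_query(qname: str, qtype: int = QTYPE_A, qid: int = 0x1234,
                     udp_size: int = 1232) -> bytes:
    """Build a DNS query with an OPT pseudo-RR in the additional section.

    udp_size (the OPT CLASS field) is the advertised UDP payload size; 1232
    is an assumed value chosen for this example.
    """
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root owner name, TYPE=41, CLASS=payload size,
    # TTL = extended RCODE (8 bits) | version (8 bits) | flags (16 bits), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Extract ID, (extended) RCODE and whether an OPT RR is present."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE/QCLASS
    has_opt, udp_size = False, None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            has_opt, udp_size = True, rclass
            rcode |= (ttl >> 24) << 4            # upper 8 bits of the extended RCODE
    return {"id": qid, "rcode": rcode, "has_opt": has_opt, "udp_size": udp_size}


def classify(resp: Optional[bytes]) -> str:
    """Classify a reply to an EDNS query the way a post-flag-day resolver sees it."""
    if resp is None:
        return "dead: no answer to the EDNS query (timeouts no longer trigger a non-EDNS retry)"
    r = parse_response(resp)
    if r["has_opt"]:
        return "ok: EDNS supported, advertised UDP size %d" % r["udp_size"]
    if r["rcode"] == RCODE_FORMERR:
        return "ok: no EDNS, but FORMERR without OPT as RFC 6891 section 7 requires"
    return "broken: OPT record ignored, answered as plain DNS without FORMERR"


def probe(server_ip: str, qname: str, timeout: float = 3.0) -> str:
    """Send one EDNS query over UDP to a real server; None on timeout means 'dead'."""
    query = build_edns_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return classify(None)
    return classify(data)


def make_response(query: bytes, rcode: int = 0, include_opt: bool = True) -> bytes:
    """Constructed server replies for the offline demonstration (not real traffic).

    Echoes the question section and, optionally, the query's own OPT RR, with the
    QR/RD/RA bits set and the requested RCODE.
    """
    qid = struct.unpack("!H", query[:2])[0]
    end_q = _skip_name(query, 12) + 4
    question, opt = query[12:end_q], query[end_q:]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 0, 0, 1 if include_opt else 0)
    return header + question + (opt if include_opt else b"")


if __name__ == "__main__":
    q = build_edns_query("example.com")
    print(classify(make_response(q)))                                  # EDNS supported
    print(classify(make_response(q, rcode=RCODE_FORMERR, include_opt=False)))  # section 7
    print(classify(make_response(q, rcode=0, include_opt=False)))      # plain DNS, non-compliant
    print(classify(None))                                              # treated as dead
```

Only the last two outcomes are a problem for the flag day: a server that ignores the OPT record is still answering and can be fixed by an upgrade, while a server (or a firewall in front of it) that returns nothing will simply be marked dead by the resolvers listed above.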

Supporters

PowerDNS

ISC

NLnet Labs

CZ.NIC

Quad9

CleanBrowsing
