DNS Flag Day 2019!

The current DNS is unnecessarily slow and suffers from an inability to deploy new features. In order to rectify these issues, vendors of DNS software in conjunction with large public DNS providers will begin rolling out updates that remove certain workarounds from February 1st, 2019 onwards.

These changes will improve the efficiency of most DNS operations while allowing operators to deploy new functionality, including new mechanisms to protect against DDoS attacks.

Authoritative servers and sites operating software that does not comply with the main DNS standard (RFC1035) or the newer standards for Extensions to DNS (EDNS; RFC2671, RFC6891) will be impacted.

The following versions of DNS resolvers will not accommodate EDNS non-compliant responses:

  • BIND 9.13.3 (development) and 9.14.0 (production).
  • Knot Resolver has already implemented stricter EDNS handling in all current versions.
  • PowerDNS Recursor 4.2.0.
  • Unbound 1.9.0.

Incompatible sites may become unreachable through updated resolvers.

We advise you to take the following preparatory steps to avoid operational problems:

  1. First of all, if you are a domain holder, use the test form below to check if your domain is already prepared for the upcoming changes.

Test your domain

It is only necessary to validate one zone if you have multiple zones on the same server or cluster of servers. Your test result will include advice on any further steps that may be necessary.

  2. It’s important to remember that random network instability can affect test results. Part of the problem is in interpreting timeouts, which can be caused by unresponsive DNS software, a firewall blocking the response, or packet loss on the Internet. If a problem is reported, please retry the test.
  3. If the tested domain fails the test, update your DNS software to the latest stable version and repeat the test. If the domain fails the test again, check your firewall configuration.
  4. Firewalls must not drop DNS packets with EDNS extensions. This includes extensions the firewall does not recognise, as long as they follow the standards. Relevant information from vendors can be found here:
    • Akamai
    • BlueCat
    • F5 BIG-IP
    • Older versions of the Juniper SRX will drop EDNS packets by default. The workaround is to disable DNS doctoring with the configuration command "set security alg dns doctoring none". Upgrade to the latest version for EDNS support.
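An added illustration of what an EDNS compliance probe such as the test described above does (this is example code written for this article, not the page's own test tool): it builds a plain EDNS0 query, an unknown-version query and an unknown-option query as defined in RFC 6891, then classifies the reply, treating a timeout as the software or firewall failure the steps above describe. The 0x1234 query id, option code 65001 and the packets built for it are constructed values.

```python
import socket
import struct

def build_query(name, edns=True, version=0, unknown_option=False, qid=0x1234):
    """SOA/IN query for name; with edns=True an OPT RR goes in the additional section."""
    header = struct.pack(">HHHHHH", qid, 0, 1, 0, 0, 1 if edns else 0)
    labels = [lab.encode() for lab in name.rstrip(".").split(".")]
    question = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00" + struct.pack(">HH", 6, 1)
    if not edns:
        return header + question
    rdata = struct.pack(">HH", 65001, 4) + b"\xde\xad\xbe\xef" if unknown_option else b""  # 65001: local-use code
    # OPT RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE | version | flags
    opt = b"\x00" + struct.pack(">HHIH", 41, 1232, version << 16, len(rdata)) + rdata
    return header + question + opt

def skip_name(buf, pos):
    """Offset just past a wire-format name, following a compression pointer if present."""
    while True:
        n = buf[pos]
        if (n & 0xC0) == 0xC0:
            return pos + 2
        pos += n + 1
        if n == 0:
            return pos

def classify(resp):
    """Map a raw reply, or None for a timeout, to a compliance verdict."""
    if resp is None:
        return "timeout"  # dropped: non-compliant software or a firewall eating EDNS packets
    flags, qd, an, ns, ar = struct.unpack(">HHHHH", resp[2:12])
    rcode, pos = flags & 0x0F, 12
    for _ in range(qd):
        pos = skip_name(resp, pos) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(resp, pos)
        rtype, _cls, ttl, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        if rtype == 41:
            rcode |= (ttl >> 24) << 4  # upper 8 bits of the RCODE travel in the OPT TTL
            return "badvers" if rcode == 16 else "edns-ok"  # BADVERS = 16
        pos += 10 + rdlen
    return "edns-ignored" if rcode == 0 else f"no-opt-rcode-{rcode}"  # FORMERR/NOTIMP: legacy

def probe(server, name, **kw):  # network helper; not exercised offline
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name, **kw), (server, 53))
        try:
            return classify(s.recv(4096))
        except socket.timeout:
            return classify(None)
```

Running probe() three times against one of your authoritative servers, with version=0, version=1 and unknown_option=True, should yield "edns-ok", "badvers" and "edns-ok" respectively; a "timeout" on any of them points at the software or firewall issues listed above.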

If the problem persists after DNS software and firewall updates, please reach out to us urgently by raising a ticket through our Portal.

Below is a list of service providers that have agreed to coordinate these upcoming DNS changes:

