DNS Flag Day - will it affect you?
  • 15 Sep 2020

DNS Flag Day – February 1, 2019

A number of DNS software and service providers (including ISC) have announced that they will all cease implementing DNS resolver workarounds to accommodate authoritative DNS servers that don't follow the EDNS protocol. Each software vendor has pledged to roll out this change in some version of their software by the 'Flag Day'. Resolver service providers who have indicated their support for DNS Flag Day will be making similar changes to their online recursive services on or soon after February 1, 2019.
https://dnsflagday.net/
https://www.isc.org/blogs/dns-flag-day/

Who will this affect?
We anticipate that DNS Flag Day will initially affect users of cloud-based resolver services who want to access services via DNS zones hosted on broken and non-compliant servers. These services may become unreachable, slow to access or intermittently unavailable. This impact will become increasingly widespread as ISPs and businesses update their own resolvers to versions that no longer implement workarounds. We therefore urge zone owners to take steps to ensure that they are not affected by this and that their services remain fully available from 1 February 2019 onwards.

Why is this happening?

Resolvers have been accommodating non-compliant or broken authoritative DNS implementations since EDNS became part of the DNS protocol standards, originally in 1999 (RFC 2671). Typically this involves sending additional queries to authoritative servers when they fail to respond, or respond in an unexpected way, to DNS queries that include EDNS options. This means that:

  • For all DNS resolver implementations, the code is unnecessarily complex and makes future feature development and maintenance harder
  • DNS zones hosted on non-compliant or broken servers (or servers behind broken or non-compliant firewalls and load balancers) will be slower to resolve; this will degrade the end user experience with symptoms that may include slow access to services/sites, intermittent failures to reach sites and email problems
  • Resolver performance can be affected by the additional recursive retries needed to scan and assess the compatibility of authoritative servers; updating resolvers to remove workarounds may make them slightly more efficient.

In addition, zones hosted on servers that don't support current DNS standards will not be able to take advantage of modern feature developments in the areas of privacy, security and DDoS mitigation.

My authoritative zone is hosted on my own servers - will I be affected by DNS Flag Day?

You need to check whether or not you are going to be affected. If you are running current versions of DNS software on your server(s), then you are unlikely to be affected by DNS Flag day unless you are also using load balancers and/or firewalls that are incompletely/incorrectly configured or that are unaware of current DNS protocol standards. We recommend that you test your domains to ensure that your services remain accessible after DNS flag day.
More information for those responsible for their own DNS domains (self-hosted or service-provided) can be found here:
https://kb.isc.org/v1/docs/dns-flag-day-notes-for-authoritative-zones

How do I test my own zones?

You can use the online testing tool hosted by ISC here:
https://ednscomp.isc.org/ednscomp/
This tool is also available indirectly at https://dnsflagday.net/
The hosted testing tool is intended for low-volume use; therefore if you need to check a large number of domains, we recommend instead that you download and run it locally. It is available for download from https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing. You might also be interested in testing EDNS compliance directly using dig.

Test domain names only
The compliance testing tools and techniques assume that you are providing the DNS zone name. Typically this means testing (for example) isc.org rather than www.isc.org, although this may not always be the case. If the testing tools report a failure to reach any DNS servers for www.myservice.mydomain.com, then retry the test using just myservice.mydomain.com and then perhaps also mydomain.com.
Some load-balancing solutions use 'www.yourdomain.com' as a DNS zone
If you are using a load-balancing solution in front of your main DNS services, it may have been implemented by creating a delegated subdomain of your zone using 'www'. Therefore you will need to test for compliance for both www.yourdomain.com and yourdomain.com to ensure that you're not negatively impacted by DNS Flag Day.

I am using a third party DNS hosting service - will I be affected by DNS Flag Day?

We recommend that you test your domains to ensure that your services remain accessible after DNS flag day and contact your DNS provider directly if you have any concerns.

You may see some false-positives when testing hosted domains
Some popular zone hosting organisations that are operating fully-compliant services may appear to fail when tested using the online testing tools. This is because they apply rate limiting techniques against Denial of Service attacks, and the volume of test queries from customers checking their domains is causing some test queries to be dropped. We recommend testing on more than one occasion and checking for a consistent pattern of failures across test runs before contacting your provider.

How will DNS Flag Day affect DNS Hosting Service Providers?

Your customers may already be testing the zones they host with you and asking you questions about EDNS compliance. We have seen several instances where rate limiting by a DNS hosting company has resulted in testing failures being reported back to the zone owner by the online testing tools (see notes above). We recommend therefore that you whitelist the IP addresses of ednscomp.isc.org (or give those addresses a much higher permitted query rate) to prevent false-positives being reported.
As with those hosting their own zones, to avoid problems after 1st February 2019, ensure that:

  • You are running current versions of DNS server software (from your software or appliance vendor or OS packager)
  • If running open-source DNS software obtained indirectly via your OS packager, compare it with the latest version available directly from the project, and check also that, for authoritative services, it is a fully EDNS-compliant version that should not cause problems with DNS resolution after DNS Flag Day. We have the major vendor statements on this listed here: https://www.isc.org/blogs/dns-flag-day/
  • Test externally that your servers always respond to client queries, even those using EDNS options that you do not (yet) support
  • Test externally that your servers always respond to client queries received over TCP
  • Upgrade or reconfigure any firewalls, packet filters or load balancers that are causing client queries to be dropped (even though your DNS servers would respond properly when queried directly).
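The following is an added example, not ISC's ednscomp tool or any code from the original article. It is a small Python probe that sends the same kinds of checks that the dig-based testing mentioned under "How do I test my own zones?" and the checklist above describe: a query with no OPT record, EDNS version 0, an unknown EDNS version (a compliant server answers BADVERS), an unknown EDNS option (a compliant server ignores it and does not echo it back), the DO bit, and EDNS over TCP. The advertised UDP buffer size of 1232, option code 100, the SOA query type and the 3-second timeout are illustrative choices of this example, as are the server address and zone name given on the command line. A timeout is the result that matters: it is exactly the case a post-Flag-Day resolver no longer works around by retrying without EDNS.

```python
"""EDNS compliance probe in plain Python (added example; not ISC's tool)."""
import socket
import struct

OPT_TYPE = 41        # RFC 6891 OPT pseudo-RR
QTYPE_SOA = 6
RCODE_BADVERS = 16   # extended RCODE: upper 8 bits travel in the OPT TTL field
UDP_SIZE = 1232      # illustrative advertised buffer size


def encode_name(name):
    """Wire-format a domain name (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234, edns_version=None, edns_options=b"", do=False):
    """Non-recursive SOA query (RD=0, like dig +norec). edns_version=None omits OPT."""
    arcount = 0 if edns_version is None else 1
    msg = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack(">HH", QTYPE_SOA, 1)
    if edns_version is not None:
        # OPT RR: root owner, CLASS = UDP payload size, TTL = ext-rcode|version|flags
        ttl = (edns_version << 16) | (0x8000 if do else 0)
        msg += b"\x00" + struct.pack(">HHIH", OPT_TYPE, UDP_SIZE, ttl, len(edns_options))
        msg += edns_options
    return msg


def skip_name(buf, off):
    """Advance past a (possibly compressed) name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # a compression pointer ends the name
            return off + 2
        off += 1 + length


def option_codes(rdata):
    """List the EDNS option codes present in an OPT RDATA blob."""
    codes, off = [], 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack(">HH", rdata[off:off + 4])
        codes.append(code)
        off += 4 + length
    return codes


def parse_response(buf):
    """Header fields, the full 12-bit RCODE and the OPT RR (if any); None if malformed."""
    try:
        txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", buf[:12])
        off, opt, ext_rcode = 12, None, 0
        for _ in range(qd):
            off = skip_name(buf, off) + 4
        for _ in range(an + ns + ar):
            off = skip_name(buf, off)
            rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
            off += 10
            if rtype == OPT_TYPE:
                opt = {"udp_size": rclass, "version": (ttl >> 16) & 0xFF,
                       "do": bool(ttl & 0x8000), "rdata": buf[off:off + rdlen]}
                ext_rcode = ttl >> 24
            off += rdlen
    except (struct.error, IndexError):
        return None
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": (flags & 0xF) | (ext_rcode << 4), "opt": opt}


# (label, build_query keyword arguments, what a compliant reply looks like)
PROBES = [
    ("plain DNS (no OPT)", dict(), lambda r: r["rcode"] == 0),
    ("EDNS version 0", dict(edns_version=0), lambda r: r["rcode"] == 0 and r["opt"] is not None),
    ("EDNS version 100", dict(edns_version=100), lambda r: r["rcode"] == RCODE_BADVERS),
    ("unknown EDNS option 100", dict(edns_version=0, edns_options=struct.pack(">HH", 100, 0)),
     lambda r: r["rcode"] == 0 and r["opt"] is not None and 100 not in option_codes(r["opt"]["rdata"])),
    ("DO bit set", dict(edns_version=0, do=True), lambda r: r["rcode"] == 0 and r["opt"] is not None),
]


def judge(check, reply):
    """Classify one reply: 'timeout', 'malformed', 'noncompliant' or 'ok'."""
    if reply is None:
        return "timeout"          # what post-Flag-Day resolvers no longer retry around
    r = parse_response(reply)
    if r is None or not r["qr"]:
        return "malformed"
    return "ok" if check(r) else "noncompliant"


def send_query(server, msg, tcp=False, timeout=3.0):
    """Send one query over UDP or TCP; return the raw reply, or None on timeout/error."""
    try:
        if tcp:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack(">H", len(msg)) + msg)   # TCP: two-byte length prefix
                hdr = s.recv(2)
                if len(hdr) < 2:
                    return None
                (n,) = struct.unpack(">H", hdr)
                data = b""
                while len(data) < n:
                    chunk = s.recv(n - len(data))
                    if not chunk:
                        return None
                    data += chunk
                return data
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(msg, (server, 53))
            return s.recv(4096)
    except OSError:              # includes socket.timeout
        return None


def run_probes(server, zone):
    """Every probe over UDP, then the EDNS version 0 probe again over TCP."""
    results = {}
    for label, kwargs, check in PROBES:
        results[label] = judge(check, send_query(server, build_query(zone, **kwargs)))
    tcp_reply = send_query(server, build_query(zone, edns_version=0), tcp=True)
    results["EDNS version 0 over TCP"] = judge(PROBES[1][2], tcp_reply)
    return results


if __name__ == "__main__":
    import sys
    for label, verdict in run_probes(sys.argv[1], sys.argv[2]).items():
        print("%-26s %s" % (label, verdict))
```

Run it as `python3 ednsprobe.py <authoritative-server-ip> <zone>` against each authoritative server for the zone apex (and for any 'www' subdomain delegated to a load balancer, as noted above). Because it sends RD=0 queries it must be pointed at the authoritative servers, not at a resolver. A hosting provider's rate limiting can produce spurious timeouts, so repeat a failing probe before reporting it; a consistent timeout on any EDNS or TCP probe, while the plain DNS probe answers, usually points at a firewall or load balancer in front of an otherwise compliant server.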

How will DNS Flag Day affect Internet Service Providers?

Operators of DNS resolvers (recursive DNS services) provided to a client base should not experience any problems relating to DNS resolution failures until they upgrade their servers to one of the versions that removes the workarounds (predominantly the workarounds for servers that time out instead of responding to queries that contain EDNS options).

Some ISP clients may have redirected their DNS resolver service
It is worth bearing in mind that although most CPE devices are configured to offer the DNS service of the ISP to which they connect, it's not unusual to encounter users who change their configuration to make use of an alternative resolver. Users may also make similar changes to their own equipment and devices. We therefore recommend that ISPs educate their customer-facing helpdesks about DNS Flag Day and, when handling customer reports that specific sites are unreachable, include in their troubleshooting checks for which DNS service is being used and whether or not the authoritative zone has problems.

How will DNS Flag Day affect Corporate Resolvers?

The situation is very similar for Resolvers that you run on behalf of your company or business in order for your staff to access online services as it is for ISPs, so you should not see any difference in the availability of broken sites until you upgrade your resolvers to a version that no longer includes the workarounds. The exception to this would be where your users have configured their devices to use other resolver services instead of your servers.

You might also encounter issues with internal-only DNS domains that are accessible only via your internal resolvers. Before upgrading, you need to ensure that those too are EDNS-compliant. Note: you will not be able to use the online tools to test these internal-only domains; run the downloadable compliance tool (or dig) from inside your network instead.

Thoughts for Registries and Registrars

The provisioning of zones is the responsibility of the delegated zone owner. Nevertheless there is scope for zone registries and registrars to support DNS Flag Day by taking a more proactive role in preventing DNS problems: verifying that the zones they delegate and/or register are EDNS-compliant, and following up on those where problems are identified. Some pioneering work has already been undertaken by several TLDs, as reported at DNS-OARC 29 and the 39th CENTR Technical Workshop in October 2018 by Sebastián Castro of .NZ and Hugo Salgado of .CL.
To complete this type of analysis, it is necessary to run your own scanning tools; a good starting point is the EDNS Compliance scanner for DNS zones from CZ.NIC, available here: https://gitlab.labs.nic.cz/knot/edns-zone-scanner/

DNS Flag Day and beyond

Although DNS Flag Day has been declared as the date on which resolvers will stop accommodating non-compliant implementations by removing some workarounds, this is just a first step. There are many servers that will survive DNS Flag Day because they do respond to DNS queries that include EDNS options, but their responses are still incorrect.
Whilst continuing to serve their zones without failure now, those servers in the future will not be able to provide new performance, security and privacy features that use EDNS-based negotiation. All EDNS compliance issues (not just those that will cause immediate problems) are being highlighted by the EDNS testing tools and online reports so that authoritative zone administrators are able to learn that their zones are likely to encounter more problems in the future and can proactively fix their implementations.