DNS Flag Day - will it affect you?
DNS Flag Day – February 1, 2019
A number of DNS software and service providers (including ISC) have announced that they will all cease implementing DNS resolver workarounds to accommodate DNS authoritative systems that don't follow the EDNS protocol. Each software vendor has pledged to roll out this change in some version of their software by the 'Flag Day'. Resolver service providers who have indicated their support for DNS Flag Day will be making similar changes to their online recursive services on, or soon after, February 1, 2019.
Why is this happening?
Resolvers have been accommodating non-compliant or broken authoritative DNS zone implementations since EDNS became part of the DNS protocol standards, originally in 1991. Typically this involves sending additional queries to authoritative servers when they fail to respond, or respond in an unexpected way, to DNS queries that include EDNS options. This means that:
- For all DNS resolver implementations, the code is unnecessarily complex and makes future feature development and maintenance harder
- DNS zones hosted on non-compliant or broken servers (or servers behind broken or non-compliant firewalls and load balancers) will be slower to resolve; this will degrade the end user experience with symptoms that may include slow access to services/sites, intermittent failures to reach sites and email problems
- Resolver performance can be affected by the additional recursive retries needed to scan and assess the compatibility of authoritative servers; updating resolvers to remove workarounds may make them slightly more efficient.
In addition, zones hosted on servers that don't support current DNS standards will not be able to take advantage of modern feature developments in the areas of privacy, security and DDoS mitigation.
My authoritative zone is hosted on my own servers - will I be affected by DNS Flag Day?
You need to check whether or not you are going to be affected. If you are running current versions of DNS software on your server(s), then you are unlikely to be affected by DNS Flag Day unless you are also using load balancers and/or firewalls that are incompletely or incorrectly configured, or that are unaware of current DNS protocol standards. We recommend that you test your domains to ensure that your services remain accessible after DNS Flag Day.
More information for those responsible for their own DNS domains (self-hosted or service-provided) can be found here:
How do I test my own zones?
You can use the online testing tool hosted by ISC here:
This tool is also available indirectly at https://dnsflagday.net/
The hosted testing tool is intended for low-volume use; therefore, if you need to check a large number of domains, we recommend instead that you download and run it locally. It is available for download from https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing. You might also be interested in Testing EDNS compliance directly using dig.
www.isc.org, although this may not always be the case. If the testing tools report a failure to reach any DNS servers with www.myservice.mydomain.com, then retry the test using just myservice.mydomain.com, and then perhaps also yourdomain.com, to ensure that you're not negatively impacted by DNS Flag Day.
I am using a third party DNS hosting service - will I be affected by DNS Flag Day?
We recommend that you test your domains to ensure that your services remain accessible after DNS Flag Day, and contact your DNS provider directly if you have any concerns.
How will DNS Flag Day affect DNS Hosting Service Providers?
Your customers may already be testing the zones they host with you and asking you questions about EDNS compliance. We have seen several instances where rate limiting by a DNS hosting company has resulted in testing failures being reported back to the zone owner by the online testing tools (see notes above). We therefore recommend that you whitelist the IP addresses of ednscomp.isc.org (or give those addresses a much higher permitted query rate) to prevent false positives being reported.
As with those hosting their own zones, to avoid problems after 1st February 2019, ensure that:
- You are running current versions of DNS server software (from your software or appliance vendor or OS packager)
- If running open-source DNS software obtained indirectly via your OS packager, compare this with the latest versions available directly from the software project, and check also that, for authoritative services, this is a fully EDNS-compliant version that should not cause problems with DNS resolution after DNS Flag Day. We have the major vendor statements on this listed here: https://www.isc.org/blogs/dns-flag-day/
- Test externally that your servers always respond to client queries, even those using EDNS options that you do not (yet) support
- Test externally that your servers always respond to client queries received over TCP
- Upgrade or reconfigure any firewalls, packet filters or load balancers that are causing client queries to be dropped (even though your DNS servers would respond properly when queried directly).
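The checks listed above (and the zone tests described earlier on this page) come down to a handful of raw queries: a plain query, an EDNS0 query carrying an option the server has never heard of, a query claiming an EDNS version the server does not support, and the same over TCP. The following is an added example, not ISC's ednscomp tool or any code from this page, showing what those probes look like on the wire and how a reply is judged. It assumes the target authoritative server is reachable on port 53 over IPv4; the option code 65001 is a constructed value from the EDNS local/experimental range, example.com is a constructed query name, and the replies in sample_results() are constructed so the classifier can be exercised offline.

```python
"""Added example EDNS compliance probe (not ISC's ednscomp tool); replies in sample_results() are constructed."""
import socket
import struct
TYPE_OPT = 41                     # OPT pseudo-RR type (RFC 6891)
RCODE_BADVERS = 16                # extended RCODE a server must return for an EDNS version it lacks
QUERY, REPLY = 0x0000, 0x8400     # header flags: non-recursive query; QR+AA reply (used for samples)

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def opt_record(version, options=(), ext_rcode=0, udp_size=4096):
    """OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode | version | flags."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    ttl = (ext_rcode << 24) | (version << 16)          # DO bit and Z bits left clear
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, len(rdata)) + rdata

def build_message(flags, qname="example.com", edns_version=None, options=(), ext_rcode=0, qid=0x1234):
    """One SOA question plus, when edns_version is set, one OPT record carrying (code, data) options."""
    has_opt = edns_version is not None
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, int(has_opt))   # QDCOUNT 1, ARCOUNT 0/1
    msg += encode_name(qname) + struct.pack("!HH", 6, 1)               # QTYPE SOA, QCLASS IN
    return msg + (opt_record(edns_version, options, ext_rcode) if has_opt else b"")

def skip_name(data, off):
    while data[off] != 0:                              # label bytes until the root label ...
        if data[off] & 0xC0 == 0xC0:                   # ... or a 2-byte compression pointer
            return off + 2
        off += 1 + data[off]
    return off + 1

def parse_response(data):
    """Pull the RCODE (extended bits included) and the OPT record, if any, out of a reply."""
    _qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4                 # skip QTYPE + QCLASS
    resp = {"rcode": flags & 0xF, "opt": None}
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            codes, p = [], off
            while p < off + rdlen:                     # walk the option list: code, length, data
                codes.append(struct.unpack("!H", data[p:p + 2])[0])
                p += 4 + struct.unpack("!H", data[p + 2:p + 4])[0]
            resp["opt"] = {"version": (ttl >> 16) & 0xFF, "options": codes}
            resp["rcode"] |= ((ttl >> 24) & 0xFF) << 4  # upper 8 bits of the RCODE live in the OPT TTL
        off += rdlen
    return resp

def classify(sent_version, sent_options, resp):
    """Judge one probe: 'ok' or a short reason. resp=None means nothing came back."""
    if resp is None:
        return "timeout: query dropped (the case resolvers will stop working around)"
    opt = resp["opt"]
    if sent_version is None:
        return "ok"                                    # plain query: any reply will do
    if sent_version > 0:                               # an EDNS version the server does not support
        if opt is None or resp["rcode"] != RCODE_BADVERS or opt["version"] != 0:
            return "EDNS version %d not answered with BADVERS/version 0 (rcode %d)" % (sent_version, resp["rcode"])
        return "ok"
    if opt is None:
        return "EDNS ignored: no OPT in reply (resolves today, blocks future EDNS features)"
    echoed = [code for code, _ in sent_options if code in opt["options"]]
    return "unknown option(s) %s echoed back" % echoed if echoed else "ok"

def probe(server, qname, edns_version=None, options=(), tcp=False, timeout=3.0):
    """Send one query to an authoritative server (IP address) and classify the reply."""
    query = build_message(QUERY, qname, edns_version, options)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect((server, 53))
            if tcp:                                    # TCP prefixes each message with a 2-byte length
                s.sendall(struct.pack("!H", len(query)) + query)
                f = s.makefile("rb")
                data = f.read(struct.unpack("!H", f.read(2))[0])
            else:
                s.send(query)
                data = s.recv(4096)
    except (OSError, struct.error):                    # socket.timeout is an OSError subclass
        return classify(edns_version, options, None)
    return classify(edns_version, options, parse_response(data))

def sample_results():
    """Classifier run over constructed replies (no network); keys name the page's checks."""
    unknown = [(65001, b"\x01")]                       # option code from the local/experimental range
    reply = lambda flags=REPLY, **kw: parse_response(build_message(flags, **kw))
    return {
        "edns0 + unknown option, ok": classify(0, unknown, reply(edns_version=0)),
        "edns0, unknown option echoed": classify(0, unknown, reply(edns_version=0, options=unknown)),
        "edns1, BADVERS ok": classify(1, [], reply(edns_version=0, ext_rcode=1)),
        "edns1, FORMERR": classify(1, [], reply(REPLY | 1)),
        "query dropped": classify(0, [], None),
    }
```

To run it against one of your own servers, call `probe("<server IP>", "yourdomain.com")` four times: with no EDNS, with `edns_version=0, options=[(65001, b"\x01")]`, with `edns_version=1`, and with `tcp=True`. A "timeout" verdict on any of them is the case that will break resolution after the Flag Day, and it usually points at a firewall or load balancer in front of the server rather than at the DNS software itself, which is why the page recommends testing externally. The "EDNS ignored" verdict is the softer failure described at the end of this page: the zone still resolves, but the server cannot take part in EDNS-based feature negotiation.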
How will DNS Flag Day affect Internet Service Providers?
Operators of DNS resolvers (recursive DNS services) provided to a client base should not experience any problems relating to DNS resolution failures until they upgrade their servers to one of the versions that removes the workarounds for failures (predominantly workarounds for servers that time out instead of responding to queries that contain EDNS options).
How will DNS Flag Day affect Corporate Resolvers?
The situation for resolvers that you run on behalf of your company or business, so that your staff can access online services, is very similar to that of ISPs: you should not see any difference in the availability of broken sites until you upgrade your resolvers to a version that no longer includes the workarounds. The exception to this would be where your users have configured their devices to use other resolver services instead of your servers.
Thoughts for Registries and Registrars
The provisioning of zones is the responsibility of the delegated zone owner. Nevertheless, there is scope for zone registries and registrars to support DNS Flag Day by taking a more proactive role in preventing DNS problems: verifying that the zones they delegate and/or register are EDNS-compliant, and following up on those where problems are identified. Some pioneering work has already been undertaken by several TLDs, as reported at DNS-OARC 29 and the 39th CENTR Technical Workshop in October 2018 by Sebastián Castro of .NZ and Hugo Salgado of .CL.
To complete this type of analysis, it is necessary to run your own scanning tools; a good starting point is the EDNS Compliance scanner for DNS zones from CZ.NIC, available here: https://gitlab.labs.nic.cz/knot/edns-zone-scanner/
DNS Flag Day and beyond
Although DNS Flag Day has been declared as the date on which resolvers will stop accommodating non-compliant implementations by removing some workarounds, this is just a first step. There are many servers that will survive DNS Flag Day because they do respond to DNS queries that include EDNS options, but their responses are themselves non-compliant.
Whilst those servers continue to serve their zones without failure now, in the future they will not be able to provide new performance, security and privacy features that use EDNS-based negotiation. All EDNS compliance issues (not just those that will cause immediate problems) are highlighted by the EDNS testing tools and online reports, so that authoritative zone administrators can learn that their zones are likely to encounter more problems in the future and can proactively fix their implementations.