DNS Flag Day – February 1st 2019

A number of DNS software and service providers have announced that they will all cease implementing DNS resolver workarounds to accommodate DNS authoritative systems that don’t follow the Extensions to DNS (EDNS) protocol. Each vendor has pledged to roll out this change in some version of their software by the ‘Flag Day.’

Who will this affect?

We anticipate that DNS Flag Day initially is going to affect users of cloud-based resolver services who want to access services via DNS zones hosted on broken and non-compliant servers. These services may become unreachable, slow to access or intermittently unavailable. This impact will become increasingly widespread as ISPs and businesses update their own resolvers to versions that no longer implement workarounds. We therefore urge zone owners to take steps to ensure that they are not affected by this and that their services remain fully available from 1 February 2019 onwards.

Why is this happening?

Resolvers have been accommodating non-compliant or broken authoritative DNS zone implementations since EDNS became part of DNS protocol standards, originally in 1991. Typically this involves sending additional queries to authoritative servers when they fail to respond, or respond in an unexpected way to DNS queries that include EDNS options. This means that:

  • For all DNS resolver implementations, the code is unnecessarily complex and makes future feature development and maintenance harder.
  • DNS zones hosted on non-compliant or broken servers (or servers behind broken or non-compliant firewalls and load balancers) will be slower to resolve; this will degrade the end user experience with symptoms that may include slow access to services/sites, intermittent failures to reach sites and email problems.
  • Resolver performance can be affected by the additional recursive retries needed to scan and assess the compatibility of authoritative servers; updating resolvers to remove workarounds may make them slightly more efficient.

In addition, zones hosted on servers that don’t support current DNS standards will not be able to take advantage of modern feature developments in the areas of privacy, security and DDoS mitigation.

My authoritative zone is hosted on my own servers – will I be affected by DNS Flag Day?

You need to check whether or not you are going to be affected. If you are running current versions of DNS software on your server(s), then you are unlikely to be affected by DNS Flag Day unless you are also using load balancers and/or firewalls that are incompletely or incorrectly configured, or that are unaware of current DNS protocol standards. We recommend that you test your domains to ensure that your services remain accessible after DNS Flag Day.
More information for those responsible for their own DNS domains (self-hosted or service-provided) can be found here:
https://kb.isc.org/v1/docs/dns-flag-day-notes-for-authoritative-zones

How do I test my own zones?

You can use the online testing tool hosted by ISC here:
https://ednscomp.isc.org/ednscomp/
This tool is also available indirectly at https://dnsflagday.net/
The hosted testing tool is intended for low-volume use, so if you need to check a large number of domains we recommend instead that you download and run it locally; it is available from https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing. You might also be interested in testing EDNS compliance directly using dig.
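As an added example (not part of the original post or of ISC's tooling), the script below wraps the dig checks ISC documents for EDNS compliance into one run against a single authoritative server and grades each reply against what a compliant server returns. The nameserver and zone are placeholders you pass on the command line, and the two embedded dig outputs are constructed samples used only to self-test the grading, not captures from any real server.

```shell
#!/bin/sh
# Added example (not from the original post or ISC): run the dig-based EDNS probes
# from ISC's checklist against one authoritative server and grade each reply.
# Usage: sh edns-probe.sh <nameserver> <zone>   (both supplied by you; none hard-coded)

# Pull the RCODE out of dig's "status: NOERROR," header line.
status_of() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Pull the EDNS version out of the "; EDNS: version: 0, flags: ..." line;
# print "none" when the reply carried no OPT record at all.
edns_version_of() {
    v=$(printf '%s\n' "$1" | sed -n 's/^; EDNS: version: \([0-9]*\),.*/\1/p' | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'none\n'; fi
}

# grade "<dig output>" EXPECTED_STATUS EXPECTED_EDNS_VERSION -> "ok" or "fail (...)"
grade() {
    s=$(status_of "$1"); v=$(edns_version_of "$1")
    if [ "$s" = "$2" ] && [ "$v" = "$3" ]; then echo ok; else echo "fail (status=${s:-none} edns=$v)"; fi
}

# probe LABEL "<dig options>" EXPECTED_STATUS EXPECTED_EDNS_VERSION ($2 is word-split on purpose)
probe() {
    out=$(dig +norec +time=3 +tries=1 $2 soa "$ZONE" "@$SERVER" 2>&1)
    printf '%-12s %-22s %s\n' "$1" "$2" "$(grade "$out" "$3" "$4")"
}
# Each probe and the reply a compliant server gives; anything else is a Flag Day risk.
run_probes() {
    probe plain        "+noedns"              NOERROR none  # legacy query must still work
    probe edns0        "+edns=0"              NOERROR 0     # OPT must be echoed back
    probe badvers      "+edns=100 +noednsneg" BADVERS 0     # unknown version: BADVERS, OPT v0
    probe unknown-opt  "+ednsopt=100"         NOERROR 0     # unknown option ignored, not FORMERR
    probe unknown-flag "+ednsflags=0x80"      NOERROR 0     # unknown flag ignored
    probe do-bit       "+dnssec"              NOERROR 0     # DO bit accepted
}

# Constructed dig output (not captured from a real server): a compliant BADVERS reply, and a
# broken middlebox answering every EDNS query with FORMERR and no OPT. Used to self-test grade().
SAMPLE_BADVERS=';; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 4242
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096'
SAMPLE_FORMERR=';; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 4243
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

if [ "$#" -eq 2 ] && command -v dig >/dev/null 2>&1; then
    SERVER=$1; ZONE=$2; run_probes
fi
```

A server that fails the edns0, badvers or unknown-opt probes is the kind of host the resolver workarounds were papering over, and it is the one to fix (or whose firewall/load balancer to fix) before the Flag Day resolvers reach it.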

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.