What is DNS Flag Day 2019?
In an effort to modernize and streamline the Domain Name System (DNS) ecosystem, a number of DNS software and service providers have come together to remove the workarounds their resolvers carry for authoritative servers (and the firewalls in front of them) that do not respond correctly to EDNS queries. The chosen date is February 1st, 2019.
If you're an everyday internet user, this probably won't have much impact: only domains served by DNS software or middleboxes that mishandle EDNS are affected, and those may become slow to resolve or stop resolving. If you run or operate your own website, you can check whether your domain's DNS servers are compliant here: https://dnsflagday.net
For those of you who live in the DNS world, this shouldn't come as news, as it has been in planning for some time. You can learn more by visiting: https://dnsflagday.net/#dns-admins. The DNS Flag Day website provides guidance for a range of DNS resolvers, authoritative software, firewalls, and more.
Starting with the versions below, the following DNS resolvers will no longer work around servers that fail to answer EDNS queries (the retry-without-EDNS-after-timeout logic is removed):
- BIND 9.13.3 (development) and 9.14.0 (production)
- Knot Resolver (already implemented in all current versions)
- PowerDNS Recursor 4.2.0
- Unbound 1.9.0
A Brief History of DNS and EDNS
The internet has come a long way since the early 1980s, but the Domain Name System, the decentralized infrastructure that serves as a phone book for content and services across the web, really hasn't changed much. For the most part, that's a good thing. It has served as a stable solution over the years, translating memorable host names into the IP addresses (IPv4 and IPv6) that machines actually route on. This consistency has spurred growth and innovation while providing convenience and, in many cases, security options for network providers.
But time is the great equalizer, and eventually all technology begins to show wear around the edges. DNS is no exception. The original DNS standard from 1987 (RFC 1035) served the internet well until 1999, when Extension Mechanisms for DNS (EDNS, RFC 2671, since revised as RFC 6891) was proposed and adopted. The original protocol capped UDP messages at 512 bytes, left no spare header flags or return codes for signalling new capabilities, and gave a client no way to advertise that it could accept the larger responses that later features such as DNSSEC signatures and IPv6 address records require, features that have grown increasingly important for network security.
EDNS extends DNS with a single new pseudo Resource Record (RR) of type OPT, carried in the additional section of a request or response. An OPT record never appears in a zone file; it is generated on the wire and reuses the RR fields for new purposes: the class field carries the sender's maximum UDP payload size, and the TTL field carries an extended response code, the EDNS version, and flags such as DO (DNSSEC OK). Variable-length options (for example NSID) go in its RDATA. The design assumed backwards compatibility: a server that does not understand OPT is expected to answer FORMERR, and the resolver then retries without EDNS (RFC 6891, section 7). In practice, many old servers and firewalls instead drop EDNS queries silently, so resolvers accumulated timeout-driven retry logic, and it is that logic DNS Flag Day removes.
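To make the OPT format above and the "check your domain" test concrete, here is an added example, written for this article and not taken from dnsflagday.net or any resolver project. It builds an EDNS(0) query, parses the OPT pseudo-RR in a reply (payload size, version, DO bit, options, extended RCODE), and applies the Flag Day minimum as read here: neither the plain query nor the EDNS version 0 query may go unanswered. `make_reply()` fabricates sample replies so the demo runs offline; `probe()` is the only function that touches the network, and "example.com" is just a placeholder name.

```python
"""EDNS(0) query builder and OPT pseudo-RR parser (RFC 6891 wire format).
Added example for this article, not code from dnsflagday.net or any resolver.
make_reply() fabricates sample replies; probe() is the only networked function."""
import socket
import struct

OPT_TYPE = 41          # OPT pseudo-RR type code
DO_BIT = 0x8000        # DNSSEC OK flag, low 16 bits of the OPT "TTL"
OPT_NSID = 3           # NSID option code (RFC 5001)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 16: "BADVERS"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root."""
    return b"".join(struct.pack("B", len(lb)) + lb.encode("ascii")
                    for lb in name.rstrip(".").split(".") if lb) + b"\x00"


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:            # compression pointer: two bytes
            return off + 2
        off += 1 + ln


def build_query(name, qtype=6, qid=0x1234, edns=True, version=0,
                udp_size=1232, do=False, nsid=False):
    """Header + question (qtype 6 = SOA, RD clear like the Flag Day probes),
    plus an OPT pseudo-RR in the additional section when edns is True."""
    pkt = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if edns else 0)
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    if edns:
        rdata = struct.pack("!HH", OPT_NSID, 0) if nsid else b""
        ttl = (version << 16) | (DO_BIT if do else 0)              # ext-rcode 0
        # OPT reuses RR fields: root name, class = UDP payload size,
        # TTL = extended RCODE | version | flags, RDATA = {code, len, data}*
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, len(rdata)) + rdata
    return pkt


def parse_response(buf):
    """Return header RCODE (merged with the OPT extended RCODE) and OPT fields."""
    _qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    result = {"rcode": flags & 0xF, "tc": bool(flags & 0x0200), "opt": None}
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4                  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        if rtype == OPT_TYPE:
            options, p = {}, 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                options[code] = rdata[p + 4:p + 4 + olen]
                p += 4 + olen
            result["opt"] = {"udp_size": rclass, "version": (ttl >> 16) & 0xFF,
                             "do": bool(ttl & DO_BIT), "options": options}
            result["rcode"] |= (ttl >> 24) << 4        # 12-bit extended RCODE
    result["rcode_name"] = RCODES.get(result["rcode"], str(result["rcode"]))
    return result


def flag_day_verdict(plain_reply, edns_reply):
    """Flag Day minimum as this article reads it: neither the plain query nor
    the EDNS version 0 query may time out. Everything else is a warning."""
    if plain_reply is None:
        return "FAIL: plain DNS query timed out"
    if edns_reply is None:
        return "FAIL: EDNS version 0 query timed out (server or firewall drops OPT)"
    r = parse_response(edns_reply)
    if r["opt"] is None:
        if r["rcode_name"] == "FORMERR":
            return "WARN: FORMERR without OPT, i.e. no EDNS support (RFC 6891 s7)"
        return "WARN: reply to EDNS query carries no OPT record"
    if r["opt"]["version"] != 0:
        return "WARN: reply advertises EDNS version %d" % r["opt"]["version"]
    return "PASS: EDNS version 0 answered with OPT, udp_size %d" % r["opt"]["udp_size"]


def probe(server, name, edns=True, timeout=3.0):
    """Live UDP probe of an authoritative server; None on timeout, which is the
    exact condition post-Flag-Day resolvers stop working around."""
    q = build_query(name, edns=edns)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data if data[:2] == q[:2] else None


def make_reply(query, rcode=0, include_opt=True, udp_size=4096, ext_rcode=0):
    """Constructed sample reply (offline stand-in for a server): echoes the
    question with QR+AA set, plus an optional empty OPT in the additional section."""
    qend = skip_name(query, 12) + 4
    hdr = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0],
                      0x8400 | (rcode & 0xF), 1, 0, 0, 1 if include_opt else 0)
    opt = (b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, (ext_rcode & 0xFF) << 24, 0)
           if include_opt else b"")
    return hdr + query[12:qend] + opt


if __name__ == "__main__":
    q = build_query("example.com", do=True, nsid=True)
    plain = make_reply(build_query("example.com", edns=False), include_opt=False)
    print(parse_response(q)["opt"])                        # what the query advertises
    print(flag_day_verdict(plain, make_reply(q)))           # modern server
    print(flag_day_verdict(plain, make_reply(q, rcode=1, include_opt=False)))
    print(flag_day_verdict(plain, None))                    # silently dropped
```

Against a real server, call `probe("<authoritative IP>", "yourdomain.example")` twice, once with `edns=False` and once with the default, and pass both results to `flag_day_verdict()`. The SOA query with RD clear mirrors what the public tester sends; a `None` from the EDNS probe but not the plain one usually points at a firewall that drops packets containing OPT rather than at the name server itself.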
EDNS made large UDP responses possible, which also made DNS attractive for amplification attacks: an attacker sends small queries with a spoofed source address and a large advertised buffer size, and the server's much larger responses land on the victim. Those attacks stem from big UDP answers and missing source-address validation rather than from coexistence with the older standard; what coexistence produced is the patchwork of resolver workarounds for servers that mishandle EDNS, which is exactly what Flag Day targets.
And this is where we still reside nearly 20 years later. DNS Flag Day 2019 will help us move one step closer to a faster, safer, and more consistent and interoperable DNS ecosystem that best serves us all.
For a full list of DNS Flag Day 2019 supporters, visit: https://dnsflagday.net/#supporters
For minimal EDNS compliance requirements, check out: https://datatracker.ietf.org/doc/draft-spacek-edns-camel-diet/