DNS Flag Day -- Feb. 1, 2019 -- is fast approaching. Despite heralding a major change for the Domain Name System, the vast majority of the internet will not notice the deprecation of a set of workarounds that recursive resolvers have long used to cope with deeply broken authoritative DNS implementations, workarounds that slow down resolution for everyone.
In computing, backward compatibility is how the industry normally avoids flag days: the moment when everyone who supports a protocol agrees to cut over to a new, non-backward-compatible version at the same time. In the case of DNS Flag Day, up-to-date recursive DNS servers will no longer retry a query in plain DNS when an authoritative server fails to answer the same query carrying an Extension Mechanisms for DNS (EDNS(0)) option; a server that never answers EDNS(0) queries will simply be treated as unreachable.
This is important because the workarounds reduce DNS security for everyone else. The DNS Security Extensions (DNSSEC), which authenticate DNS data so that attackers cannot substitute fake or manipulated records in attacks like DNS cache poisoning, depend on EDNS(0) both to signal that a resolver wants signed data and to carry the larger signed responses. A resolver that falls back to plain DNS loses both.
EDNS(0) also lets DNS clients and servers negotiate a larger maximum size for UDP messages, which RFC 1035 had capped at 512 bytes. That cap is far too small for DNSSEC-signed responses and for other records that carry detailed information, so the extension was an essential step toward making the protocol convey such data in response to client requests.
According to the DNS Flag Day website, starting February 1st, "all DNS servers which do not respond at all to EDNS queries are going to be treated as dead." While that may sound scary, the reality is that, for most, the cutover will be uneventful, according to Cricket Liu, chief DNS architect for Infoblox Inc., in this Q&A.
Editor's note: This interview was lightly edited for clarity.
How big a deal is the upcoming DNS Flag Day going to be?
Cricket Liu: On the day of DNS Flag Day, most people are unlikely to see anything. It's unlikely to be noticed by the public at large, I would say.
What do you think the effect will be on people working in enterprise IT, especially those involved in networking, security or managing domains?
Liu: There would only really be an impact on them if they happen to be running very old -- and broken -- DNS servers, or if their DNS servers were behind what we refer to as middleboxes that didn't like EDNS(0) -- which is, of course, what this DNS Flag Day is all about.
It's quite easy for those people to determine whether or not they'd be affected by DNS Flag Day: If they go to dnsflagday.net, there's a test that you can run. All you have to do is type in the domain name of one of your zones -- maybe the one that's most important to you -- and it will fire a bunch of queries off at your DNS servers just to make sure that they do accept EDNS(0) flagged queries. If it all shows up green, then you should be in good shape, and DNS Flag Day won't mean anything -- at least to you.
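The check Liu describes boils down to sending a zone's name servers a query that carries an EDNS(0) OPT record and seeing whether they answer. The script below is an added example, not the dnsflagday.net test code and not Infoblox's: it builds both a plain query and the same query with an OPT record (the pseudo-record that advertises the larger UDP payload size described above), parses the reply, and classifies the server the way the flag-day rule does. The zone name, the server address and the `sample_response` replies are constructed for the illustration; only `probe()` touches the network.

```python
"""Added example: build EDNS(0) queries and classify an authoritative
server's reply under the DNS Flag Day rule (no reply at all == dead)."""
import socket
import struct

OPT_TYPE = 41        # RFC 6891 OPT pseudo-RR type
RCODE_FORMERR = 1


def encode_name(name):
    """Wire-format a domain name (labels, no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, edns=True,
                udp_payload_size=1232, dnssec_ok=False):
    """Plain query, or the same query with an EDNS(0) OPT record appended."""
    arcount = 1 if edns else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)         # class IN
    if edns:
        # OPT: owner is the root name, TYPE=41, CLASS carries the UDP payload
        # size, TTL carries ext-RCODE(8) | EDNS version(8) | DO bit + Z(16).
        ttl = 0x8000 if dnssec_ok else 0
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl, 0)
    return pkt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Extract RCODE and the EDNS(0) OPT record, if the reply has one."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    info = {"txid": txid, "rcode": flags & 0x0F, "has_opt": False,
            "edns_version": None, "udp_payload_size": None}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            info["has_opt"] = True
            info["udp_payload_size"] = rclass
            info["edns_version"] = (ttl >> 16) & 0xFF
            info["rcode"] |= ((ttl >> 24) & 0xFF) << 4   # extended RCODE bits
    return info


def classify(response):
    """Flag Day style verdict for the reply to an EDNS(0) query."""
    if response is None:
        return "dead"                 # no answer at all: treated as dead
    info = parse_response(response)
    if info["has_opt"]:
        return "edns-ok" if info["edns_version"] == 0 else "edns-bad-version"
    if info["rcode"] == RCODE_FORMERR:
        return "no-edns-compliant"    # RFC 6891: FORMERR without OPT is legal
    return "no-edns-legacy"           # answered, but silently ignored the OPT


def probe(server, name, timeout=2.0):
    """Send one EDNS(0) query over UDP port 53 and classify what comes back."""
    query = build_query(name, edns=True)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            data = None                # the case Flag Day stops tolerating
    return classify(data)


def sample_response(query, with_opt=True, rcode=0):
    """Constructed reply for offline use (not a real capture): echoes the
    question, adds an A record unless an error RCODE is requested, and
    optionally an OPT record advertising a 4096-byte payload."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    ancount = 0 if rcode else 1
    resp = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0,
                       1 if with_opt else 0)
    resp += question
    if ancount:   # A record; owner name is a pointer to the question name
        resp += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    if with_opt:
        resp += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0)
    return resp


if __name__ == "__main__":
    q = build_query("example.com.")   # constructed zone name
    print(classify(sample_response(q)), classify(None))
```

The same probe by hand, against one of your own name servers, is `dig +edns=0 +bufsize=1232 @ns1.example.net example.net SOA` followed by `dig +noedns @ns1.example.net example.net SOA`; a server that answers only the second query is exactly the case the flag day retires, and a middlebox that drops the first query produces the same symptom.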
Calling this change a flag day seems extreme considering that flag day events have been rare in internet history. Was the name choice intended to be a red flag to send a particular message or get more attention?
Liu: The name is designed to draw a line in the sand. For a lot of the organizations that are participating in DNS Flag Day -- the ones who develop DNS servers -- the day itself won't have any substantial effect. Things won't change dramatically on February 1st.
For example, let's take the Internet Systems Consortium -- the people who write the BIND [Berkeley Internet Name Domain] domain name server. Basically, they've said that versions of BIND that we release after February 1st are not going to include these workarounds that accommodate really old, broken DNS servers.
But, of course, it takes time for people to adopt new versions of BIND [and] for them to upgrade DNS servers that are out there on the internet. So, for BIND, February 1st probably marks the beginning of a new era, if you will.
On the other hand, the big cloud-based DNS services that are participating -- like Google Public DNS, Quad9 and folks like that -- could actually just flip a switch and all of a sudden say, 'OK, now we're no longer going to accommodate these old and broken DNS servers that don't understand EDNS(0).' If you're a user of Cisco's Umbrella or Quad9 or Google Public DNS, you might potentially see some sort of an impact. But, again, we anticipate that that will be a very small thing.
We were talking with Petr Špaček just this morning. He works for CZ.NIC, which is the Czech network information center, and their estimate of what percentage of zones actually have this particular problem -- [that] are served by servers that don't understand EDNS(0) -- is a fraction of 1%. He said it was like 0.12%, I think.
He said, in their testing, that of the zones that actually have this particular problem in that tiny fraction of 1%, most of them are parked anyway. They're not zones that are going to be visited by a lot of people.
What else should people know about DNS Flag Day?
Liu: They should keep it in context. Not having EDNS(0) support in this day and age or having the kind of broken support that we have to work around, that shows that you're really not paying attention to the standards.
EDNS(0) has been around since 1999, so you've had 20 years to get your act together, and if you haven't done it, it's likely you're not going to do it. All of us have paid the price for this. All of us have dealt with DNS resolution problems brought on by the sorts of accommodations that recursive DNS servers have to make of these broken, authoritative DNS servers.