DOC RABE Media - Fotolia

Q
Manage Learn to apply best practices and optimize your operations.

Will DNS Flag Day affect you? Infoblox's Cricket Liu explains

What is DNS Flag Day? That's when old and broken DNS servers will stop working, improving DNS performance and safety for all. Infoblox's chief DNS architect Cricket Liu explains.

DNS Flag Day -- Feb. 1, 2019 -- is fast approaching. But despite heralding a major change for domain name systems, the vast majority of the internet will not be affected by the deprecation of a range of workarounds intended to prevent deeply broken DNS implementations from slowing down the internet.

In computing, backward-compatibility is how the industry prevents flag days. This is what happens when everyone who supports a protocol agrees to upgrade to a new, non-backward-compatible version of that protocol. In the case of DNS Flag Day, up-to-date DNS servers will no longer permit old, unpatched DNS software to treat the Extension Mechanisms for DNS (EDNS(0)) protocol as optional.

This is important because noncompliant servers reduce DNS security for everyone else who wants to use extensions like the DNS Security Extensions protocol, which specifies an authentication mechanism for DNS data to prevent attackers from using fake or manipulated data in attacks like DNS cache poisoning.

EDNS(0) also enables DNS clients and servers to negotiate larger maximum message sizes for UDP messages, which had previously been limited to 512 bytes. This was an important step toward making it possible for the protocol to convey detailed information in response to client requests.

According to the DNS Flag Day website, starting February 1st, "all DNS servers which do not respond at all to EDNS queries are going to be treated as dead." While that may sound scary, the reality is that, for most, the cutover will be uneventful, according to Cricket Liu, chief DNS architect for Infoblox Inc., in this Q&A.

Editor's note: This interview was lightly edited for clarity.

How big a deal is the upcoming DNS Flag Day going to be?

Cricket Liu, chief DNS architect, InfobloxCricket Liu

Cricket Liu: On the day of DNS Flag Day, most people are unlikely to see anything. It's unlikely to be noticed by the public at large, I would say.

What do you think the effect will be on people working in enterprise IT, especially those involved in networking, security or managing domains?

Liu: There would only really be impact on them if they happen to be running very old -- and broken -- DNS servers, or if their DNS servers were behind what we refer to as middleboxes that didn't like EDNS(0) -- which is, of course, what this DNS Flag Day is all about.

It's quite easy for those people to determine whether or not they'd be affected by DNS Flag Day: If they go to dnsflagday.net, there's a test that you can run. All you have to do is type in the domain name of one of your zones -- maybe the one that's most important to you -- and it will fire a bunch of queries off at your DNS servers just to make sure that they do accept EDNS(0) flagged queries. If it all shows up green, then you should be in good shape, and DNS Flag Day won't mean anything -- at least to you.

Calling this change a flag day seems extreme considering that flag day events have been rare in internet history. Was the name choice intended to be a red flag to send a particular message or get more attention?

Liu: The name is designed to draw a line in the sand. For a lot of the organizations that are participating in DNS Flag Day -- the ones who develop DNS servers -- the day itself won't have any substantial effect. Things won't change dramatically on February 1st.

EDNS(0) has been around since 1999, so you've had 20 years to get your act together, and if you haven't done it, it's likely you're not going to do it.

For example, let's take the Internet Systems Consortium -- the people who write the BIND [Berkeley Internet Name Domain] domain name server. Basically, they've said that versions of BIND that we release after February 1st are not going to include these workarounds that accommodate really old, broken DNS servers.

But, of course, it takes time for people to adopt new versions of BIND [and] for them to upgrade DNS servers that are out there on the internet. So, for BIND, February 1st probably marks the beginning of a new era, if you will.

On the other hand, the big cloud-based DNS services that are participating -- like Google Public DNS, Quad9 and folks like that -- could actually just flip a switch and all of a sudden say, 'OK, now we're no longer going to accommodate these old and broken DNS servers that don't understand EDNS(0).' If you're a user of Cisco's Umbrella or Quad9 or Google Public DNS, you might potentially see some sort of an impact. But, again, we anticipate that that will be a very small thing.

We were talking with Petr Špaček just this morning. He works for CZ.NIC, which is the Czech network information center, and their estimate of what percentage of zones actually have this particular problem -- [that] are served by servers that don't understand EDNS(0) -- it's a fraction of 1%. He said it was like 0.12%, I think.

He said, in their testing, that of the zones that actually have this particular problem in that tiny fraction of 1%, most of them are parked anyway. They're not zones that are going to be visited by a lot of people.

What else should people know about DNS Flag Day?

Liu: They should keep it in context. Not having EDNS(0) support in this day and age or having the kind of broken support that we have to work around, that shows that you're really not paying attention to the standards.

EDNS(0) has been around since 1999, so you've had 20 years to get your act together, and if you haven't done it, it's likely you're not going to do it. All of us have paid the price for this. All of us have dealt with DNS resolution problems brought on by the sorts of accommodations that recursive DNS servers have to make of these broken, authoritative DNS servers.

Dig Deeper on IPv6 security and network protocols security

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

4 comments

Send me notifications when other members comment.

Please create a username to comment.

What has your organization done to prepare for DNS Flag Day?
Cancel
The first fix any organization should try is to ensure TCP port 53 is also open to their public DNS servers, not just UDP port 53.  Many DNS implementations are compliant but fail on the TCP test.
Cancel
I found this:

"This document therefore updates the core DNS protocol specifications such that support for TCP is henceforth a REQUIRED part of a full DNS protocol implementation."

in RFC 7766, "DNS Transport over TCP - Implementation Requirements", which is a Standards Track (Proposed Standard) specification.

Also, this:

"All general-purpose DNS implementations MUST support both UDP and TCP transport."

I'm not an expert in this stuff, but it seems pretty clear that compliant DNS implementations are required to open TCP port 53. 

However, the authors do note:

"The majority of DNS server operators already support TCP, and the default configuration for most software implementations is to support TCP."
Cancel
Is this a 6 month old article, or is the date a typo? Feb 2019 was 6 months ago.
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close