Second DNS Flag Day planned

"One more improvement to the internet"

On 1 February, DNS resolver software developers and major operators ended support for badly configured and outmoded DNS servers. Resolver software versions published since that date -- known as DNS Flag Day -- haven't included workarounds for servers that don't comply with EDNS. Introduced twenty years ago, EDNS is an extension to the DNS protocol that facilitates DNSSEC use. It also helps to secure DNS information and provides for further extension of the DNS.

The findings of an evaluation of the clean-up operation have now been published and a second DNS Flag Day is being planned. A joint analysis by NLnet Labs, SIDN and the Rochester Institute of Technology has found that, in the four months after DNS Flag Day, strict resolvers went from being 15 per cent of the total resolver park to 42 per cent. The figure now stands at 44 per cent. As the chart below shows, Google's Public DNS service accounts for the lion's share of the rise.

APNIC-FlagDay img3
APNIC-FlagDay img4

More info about the impact of the first DNS Flag Day is available in a blog van APNIC.

DNS Flag Day 2020

Planning for a second DNS Flag Day has now started. The date has yet to be fixed, but the intention is that in 2020 resolver software developers will end support for fragmented DNS UDP packets. As a result, the EDNS buffer size will be limited to roughly 1220 bytes; the exact limit hasn't yet been decided. Servers will also have to be correctly configured to fall back to TCP for the transmission of larger packets. On today's internet, IP fragmentation is unreliable and liable to cause transmission problems when large DNS packets are transmitted using UDP. Fragmented packages are also vulnerable to spoofing, at least in theory. Only a small percentage of servers -- such as those that aren't correctly configured for DNS over TCP -- are likely to be affected by the change. Authoritative DNS servers can already be tested using a tool published by ISC and available on the developers' site. A web-based test tool for clients and resolvers is still under development.

Comments

  • Tuesday 18 June 2019

    News

    Meet SIDN at the Chamber of Commerce Start-ups Day in Utrecht

    KVK Startersdag

    On Saturday 22 June between 10am and 4pm

    Read more
  • Friday 19 April 2019

    News

    Don't disable IPv6!

    Thumb-close-up-switch-on-off

    It's a quick fix that stores up problems for later

    Read more
  • Tuesday 27 March 2018

    Weblog

    Keeping the DNS independent and resilient

    Thumb-DNS

    Research into concentration within the DNS, the consequences and possible solutions

    Read more

Sorry

Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.