Second DNS Flag Day planned
"One more improvement to the internet"
On 1 February, DNS resolver software developers and major operators ended support for badly configured and outmoded DNS servers. Resolver software versions published since that date -- known as DNS Flag Day -- haven't included workarounds for servers that don't comply with EDNS. Introduced twenty years ago, EDNS is an extension to the DNS protocol that facilitates DNSSEC use. It also helps to secure DNS information and provides for further extension of the DNS.
The findings of an evaluation of the clean-up operation have now been published and a second DNS Flag Day is being planned. A joint analysis by NLnet Labs, SIDN and the Rochester Institute of Technology has found that, in the four months after DNS Flag Day, strict resolvers went from being 15 per cent of the total resolver park to 42 per cent. The figure now stands at 44 per cent. As the chart below shows, Google's Public DNS service accounts for the lion's share of the rise.
More information about the impact of the first DNS Flag Day is available in a blog post by APNIC.
DNS Flag Day 2020
Planning for a second DNS Flag Day has now started. The date has yet to be fixed, but the intention is that in 2020 resolver software developers will end support for fragmented DNS UDP packets. As a result, the EDNS buffer size will be limited to roughly 1220 bytes; the exact limit hasn't yet been decided. Servers will also have to be correctly configured to fall back to TCP for the transmission of larger packets. On today's internet, IP fragmentation is unreliable and liable to cause transmission problems when large DNS packets are transmitted using UDP. Fragmented packets are also vulnerable to spoofing, at least in theory. Only a small percentage of servers -- such as those that aren't correctly configured for DNS over TCP -- are likely to be affected by the change. Authoritative DNS servers can already be tested using a tool published by ISC and available on the developers' site. A web-based test tool for clients and resolvers is still under development.
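To make the planned behaviour concrete, here is an added Python example (not code from the article, from ISC's test tool or from any of the projects named) that builds a query whose EDNS0 OPT record advertises a 1220-byte UDP buffer, reads the advertised size back out of a wire-format message, and checks the TC bit that tells a resolver to retry over TCP instead of relying on UDP fragments. Function names are my own; 1220 follows the rough figure quoted above and is not a decided value.

```python
import struct
from typing import Optional

TC_FLAG = 0x0200  # TrunCation bit in the DNS header flags word (RFC 1035)

def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels, no compression."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_edns_query(name: str, udp_size: int = 1220, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """Query for name/qtype with an EDNS0 OPT record advertising udp_size (RFC 6891).
    1220 is the rough Flag Day 2020 figure from the article; the exact limit is still open."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    # OPT pseudo-RR: root name, TYPE 41, CLASS field = UDP payload size,
    # TTL field = extended RCODE/version/flags (all zero here), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt

def skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past the name at pos (handles compression pointers)."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:   # two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos

def advertised_udp_size(msg: bytes) -> Optional[int]:
    """Find the OPT record in a message and return the UDP payload size it carries."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4              # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        pos = skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == 41:
            return rclass                           # CLASS field doubles as UDP size in OPT
        pos += 10 + rdlen
    return None

def needs_tcp_fallback(response: bytes) -> bool:
    """TC set means the answer did not fit the advertised size: retry over TCP, not fragments."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & TC_FLAG)
```

A server under test should answer a query built this way without ever sending a UDP payload larger than the advertised size, and should serve the same name over TCP when the UDP answer comes back with TC set.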