Interview with Hugo Salgado (.CL): DNS Flag Day


What is the DNS Flag Day?

When the IETF published the EDNS standard as an extension to the DNS, back in 1999, the behavior that authoritative servers should follow from that moment on was defined. The EDNS standard was “backward compatible”, namely, it allowed the old DNS servers to continue working, but it clearly defined how the new versions that implement EDNS should behave.

Since then, every year, DNS servers that were incompatible with the standard appeared, as well as some practices of “halfway” devices (such as firewalls, traffic inspectors, etc.). These would interrupt the proper functioning of EDNS.

At that time, the “resolver” software manufacturers began to place “patches” in their systems to allow them to operate with those incompatible DNS servers. It would have been expected that this software would fail to converse with these DNS servers because they were not responding correctly. However, by placing these “patches”, it was decided to overcome these problems in order to favor the robustness of the DNS system and to allow a prudent time for Internet development.

Nevertheless, after twenty years of this type of response, there are several claims asking that the standard be respected in a more rigorous way. Protocol errors are not only maintained but become increasingly serious, mainly as a result of a misunderstood alleged “security practice”.

Due to the existence of these “patches”, the manufacturers of resolver software are forced to maintain old, inefficient and constantly changing code to be able to respond to new errors. Additionally, by making software maintenance more complex, they are subject to constant bugs.

Also, these incompatible DNS servers create barriers to innovation and to the inclusion of modern DNS features.

Given the above, the main DNS resolver software manufacturers met and agreed to stop supporting DNS servers that do not respect the standard as of February 1, 2019. From then on, all new versions of their software will not include the “patches” and, consequently, will fail to resolve domain names that are being served incorrectly.

What is the EDNS standard?

EDNS is an extension to the original DNS protocol, made in 1999, which allows new functionalities to be included in classic DNS messages.

In 1999, it was detected that a modern DNS would need new functions that could not be codified in the original DNS. Consequently, EDNS was designed as a set of signals that allow the functionalities of the DNS to be extended.

DNSSEC, DNS geolocation and other security improvements such as cookies in the DNS are possible thanks to the implementation of EDNS.

What are the effects of the “interim patches” on EDNS? How will the DNS Flag Day impact these “patches”?

The patches will disappear from the new versions; thus, domain names that “worked” until February 1, 2019 could stop doing so.

These “patches” allowed the resolution of a domain name even when it was hosted on a non-standard DNS server.

Who should be attentive to the changes that will be implemented as of February 1, 2019? What measures should be taken regarding these changes?

ISPs and hosting companies, among others, should take measures regarding these changes.

Those who maintain domain names on their authoritative DNS servers should review them with the indicated tools and correct their errors.

Users who do not maintain DNS but do have domain names can also run the check and, in case of error, go to their DNS company to demand its repair.
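As an added example (not part of the interview, and not the checking tool the DNS Flag Day campaign provided), the following Python script ties together the two points above: it builds the EDNS(0) OPT pseudo-record that carries the extension signals described in the EDNS answer (RFC 6891, wire format only, using the standard library), and it classifies an authoritative server's reply to a non-recursive SOA query the way an operator reviewing their own zone would want to. A reply that carries its own OPT record is compliant; a FORMERR, a reply without OPT, an unexpected error code, or a timeout points at a server or intermediate device that does not handle EDNS. The `probe` function, the 1232-octet buffer size and the verdict strings are assumptions of this example, and `build_sample_response` constructs a synthetic reply so the logic can be exercised offline.

```python
import socket
import struct

SOA = 6               # query type used for the check
OPT = 41              # EDNS(0) OPT pseudo-RR type (RFC 6891)
EDNS_UDP_SIZE = 1232  # advertised UDP payload size (assumed value)

def _encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, qtype=SOA, edns=True, udp_size=EDNS_UDP_SIZE, txid=0x1234):
    """Build a non-recursive (RD=0) query; with edns=True an OPT RR is appended."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1 if edns else 0)
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL = ext-rcode(8) | version(8) | DO bit + Z(16), RDLEN=0 (no options)
        msg += b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)
    return msg

def _skip_name(msg, off):
    """Return the offset just past the name at `off`, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-octet pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Parse header, question and RRs; return the rcode and the OPT record if present."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    opt = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT:
            opt = {"udp_size": rclass, "ext_rcode": ttl >> 24,
                   "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000)}
    rcode = flags & 0x000F
    if opt is not None:
        rcode |= opt["ext_rcode"] << 4  # 12-bit extended RCODE
    return {"id": txid, "rcode": rcode, "opt": opt}

def classify(resp):
    """Map a parsed reply to an EDNS query (None = no reply) to a verdict string."""
    if resp is None:
        return "timeout: query carrying OPT was dropped by the server or a middlebox"
    if resp["rcode"] == 1:
        return "formerr: server rejects EDNS queries"
    if resp["rcode"] not in (0, 3):  # anything but NOERROR / NXDOMAIN
        return "rcode %d: server fails on EDNS queries" % resp["rcode"]
    if resp["opt"] is None:
        return "no OPT in reply: server ignores EDNS"
    if resp["opt"]["version"] != 0:
        return "bad EDNS version %d in reply" % resp["opt"]["version"]
    return "compliant"

def build_sample_response(query, rcode=0, include_opt=True, udp_size=4096):
    """Constructed reply to `query` for offline testing; stands in for a real server."""
    txid, _, qd, _, _, _ = struct.unpack_from("!HHHHHH", query, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(query, off) + 4
    flags = 0x8400 | (rcode & 0xF)  # QR=1, AA=1, chosen rcode
    msg = struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 1 if include_opt else 0)
    msg += query[12:off]  # echo the question section
    if include_opt:
        msg += b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)
    return msg

def probe(server_ip, qname, timeout=3.0):
    """Send the EDNS query over UDP to an authoritative server and classify its reply."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return classify(None)
    resp = parse_response(data)
    if resp["id"] != struct.unpack_from("!H", query, 0)[0]:
        return "transaction id mismatch: reply discarded"
    return classify(resp)
```

Run `probe("<server-ip>", "<your-zone>")` against each authoritative server of a zone you operate; anything other than "compliant" is the kind of result that would have been tolerated by the old resolver workarounds and is not after February 1, 2019. The verdicts here are deliberately coarse; the point of the example is the OPT record itself and the distinction between a server that answers with OPT, one that answers without it, and one that does not answer at all.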

More information.