DNS Flag Day - Feb 1, 2019

Victoria Risk vicky at isc.org
Thu Jan 24 17:49:01 UTC 2019


ISC has joined with the other major open source DNS publishers in an effort to upgrade the DNS by removing workarounds for older, ‘broken’ DNS implementations.  We have all committed to having versions of our software available that remove these workarounds by February 1, 2019.  This industry initiative is described on the web site at https://dnsflagday.net and on the ISC blog at https://www.isc.org/blogs/dns-flag-day/ .

We expect the actual impact of DNS Flag Day will be seen only gradually, and will be limited to older (mostly Microsoft) DNS servers and installations with overly aggressive DNS firewall rules.  

You might be wondering what you should do.  We have published a new KB article on this topic: https://kb.isc.org/docs/dns-flag-day-will-it-affect-you

Authoritative System Operators
BIND authoritative servers are and have been fully compliant for many years, and all currently supported versions of BIND are compliant as authoritative systems. However, you might wish to test a few of your zones to ensure your firewalls are not blocking EDNS traffic. You can test this at either the https://dnsflagday.net site, or at ednscomp.isc.org.  These hosted tests are very busy right now. You can also run many of the same tests using dig (see https://kb.isc.org/docs/edns-compatibility-dig-queries) or, if you want to test a number of domains, you can download and install the EDNS compliance test tool yourself: https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing.

Resolver Operators
BIND resolvers have been doing workarounds for non-BIND non-compliant authorities for years. These consist of retrying without EDNS and other similar workarounds.  Resolver operators won’t see a change until they update to a version of BIND that removes the workarounds. BIND 9.14.0 will remove those workarounds: the feature change has been available to development users in BIND 9.13.4 for a while.

If you have questions, please feel free to post on bind-users at lists.isc.org so we can answer them where everyone will see the answers.

Thank you!

Victoria Risk
Product Manager
Internet Systems Consortium
vicky at isc.org
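
The check described for authoritative operators, as an added Python example that is not part of the original announcement or of ISC's test tools: it builds the same query with and without an EDNS OPT record and classifies a pair of outcomes, flagging the case that only worked because resolvers retried without EDNS. Function names and result labels are hypothetical, the replies are constructed in place (no packets are sent), and a timed-out probe is represented by `None`.

```python
import struct

def build_query(name, edns=True, qid=0x1234):
    """Wire-format SOA query; edns=True appends an EDNS(0) OPT record."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if edns else 0)
    msg = header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=UDP size 4096, TTL=0 (version 0), RDLEN=0
        msg += b"\0" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return msg

def as_reply(query):
    """Constructed stand-in for a server reply: the query with the QR bit set."""
    return query[:2] + bytes([query[2] | 0x80]) + query[3:]

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + n

def has_opt(msg):
    """True if any resource record in the message is an OPT (type 41)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return True
        off += 10 + rdlen
    return False

def classify(edns_reply, plain_reply):
    """Replies are wire bytes, or None when the probe timed out."""
    if edns_reply is not None:
        return "edns-ok" if has_opt(edns_reply) else "answers-without-edns"
    if plain_reply is not None:
        return "edns-dropped"  # reachable only through the retry-without-EDNS workaround
    return "unreachable"
```

A zone whose servers come back as `edns-dropped` is the one to look at on the firewall side before resolvers stop retrying.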