[GTER] DNS Providers to Cease Implementing DNS Resolver Workarounds
Lucimara Desiderá
lucimara at cert.br
Fri Feb 1 11:55:03 -02 2019
https://www.securityweek.com/dns-providers-cease-implementing-dns-resolver-workarounds
DNS Providers to Cease Implementing DNS Resolver Workarounds
By Ionut Arghire on January 30, 2019
Starting on February 1, 2019, a number of DNS software and service
providers will cease implementing DNS resolver workarounds for systems
that don’t follow the Extensions to DNS (EDNS) protocol.
Intended for DNS Flag Day, the switch should solve two major problems
DNS has at the moment due to these workarounds: slower responses to DNS
queries and the difficulty of deploying new DNS protocol features such
as improved distributed denial of service protections.
Although the Extension Mechanisms for DNS were specified in 1999 to
establish rules for responding to queries with EDNS options or flags,
some implementations continue to violate the rules. To address
interoperability issues, DNS software developers implemented workarounds
for non-standard behaviors.
“These workarounds excessively complicate DNS software and are now also
negatively impacting the DNS as a whole,” the Internet Systems
Consortium (ISC) points out.
To address the problem, some organizations have agreed to update their
software or systems to cease implementing said workarounds in software
set to be released around DNS Flag Day. These include ISC (in BIND 9.14
stable), CZ NIC (in Knot Resolver 3.3.0 – it has stricter EDNS handling
in all current versions), NLNET Labs (in Unbound 1.8.4, 1.9.0 and
newer), and PowerDNS (PowerDNS recursor 4.2).
Organizations supporting the initiative include Cisco, CleanBrowsing,
Cloudflare, Facebook, Google, Quad9, and the aforementioned DNS software
vendors and public DNS providers.
“To ensure further sustainability of the system it is time to end these
accommodations and remediate the non-compliant systems. This change will
make most DNS operations slightly more efficient, and also allow
operators to deploy new functionality, including new mechanisms to
protect against DDoS attacks,” the initiative’s GitHub page reveals.
This change is expected to have an impact only on sites operating
non-compliant software. Internet users with their own domain names will be
affected only indirectly and won’t need to take specific action.
“Domains served by DNS servers that are not compliant with the standard
will not function reliably when queried by resolvers that have been
updated to the post-Flag Day version, and may become unavailable via
those updated resolvers,” ISC points out.
Organizations with DNS zones served by non-compliant servers will see
their online presence slowly degrade or disappear when ISPs and other
organizations update their resolvers. Organizations switching internal
DNS resolvers to versions that don’t implement workarounds might
experience issues with sites and email servers becoming unreachable.
Operators of DNS authoritative systems are advised to check their own
domain at https://dnsflagday.net/ to ensure they are EDNS-compliant.
Common issues emerge from firewalls blocking EDNS traffic and old DNS
servers requiring upgrades.
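
As an added illustration (not part of the forwarded article, and not the code behind dnsflagday.net), the Python sketch below builds a query carrying an EDNS version-0 OPT record as defined in RFC 6891 and classifies the reply an authoritative server gives to it. The function names, result labels, UDP payload size and sample replies are assumptions constructed for this example; no network traffic is sent.

```python
import struct

OPT = 41  # RR type of the EDNS(0) OPT pseudo-record (RFC 6891)

def build_edns_query(name, qtype=1, udp_size=4096, txid=0x1234):
    """DNS query for `name` with an empty EDNS version-0 OPT record attached."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    # OPT: root owner, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += n + 1

def classify_response(msg):
    """Classify a reply to an EDNS query; None means no reply arrived."""
    if msg is None:
        return "timeout"          # e.g. a firewall dropping EDNS traffic
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):           # skip the echoed question section
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar): # walk every record looking for OPT
        off = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:          # EDNS version is bits 16-23 of the TTL field
            return "edns-ok" if (ttl >> 16) & 0xFF == 0 else "edns-bad-version"
    return "formerr-no-edns" if flags & 0xF == 1 else "no-opt-in-reply"

# Constructed sample replies (not captured traffic).
QUERY = build_edns_query("example.com")
REPLY_OK = QUERY[:2] + struct.pack("!H", 0x8400) + QUERY[4:]   # QR+AA, OPT echoed
REPLY_FORMERR = (QUERY[:2] + struct.pack("!HHHHH", 0x8001, 1, 0, 0, 0)
                 + QUERY[12:-11])                              # RCODE=1, OPT dropped

if __name__ == "__main__":
    for label, reply in [("ok", REPLY_OK), ("formerr", REPLY_FORMERR), ("silent", None)]:
        print(label, "->", classify_response(reply))
```

To use it against a real server, send the bytes from `build_edns_query` over UDP port 53 and pass the reply, or `None` if the receive times out, to `classify_response`.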