[GTER] DNS Providers to Cease Implementing DNS Resolver Workarounds

Luciano S. dos Santos lucianosds at gmail.com
Fri Feb 1 14:02:40 -02 2019


Good article. Is there any material on what needs to be changed on the
servers? Or what is the minimum supported version?

On Fri, Feb 1, 2019 at 11:57 AM Lucimara Desiderá <lucimara at cert.br> wrote:

>
>
> https://www.securityweek.com/dns-providers-cease-implementing-dns-resolver-workarounds
>
> DNS Providers to Cease Implementing DNS Resolver Workarounds
> By Ionut Arghire on January 30, 2019
>
>
> Starting on February 1, 2019, a number of DNS software and service
> providers will cease implementing DNS resolver workarounds for systems
> that don’t follow the Extensions to DNS (EDNS) protocol.
>
> Intended for DNS Flag Day, the switch should solve two major problems
> DNS has at the moment due to these workarounds: slower responses to DNS
> queries and the difficulty of deploying new DNS protocol features such
> as improved distributed denial of service protections.
>
> Although the Extension Mechanisms for DNS were specified in 1999 to
> establish rules for responding to queries with EDNS options or flags,
> some implementations continue to violate the rules. To address
> interoperability issues, DNS software developers implemented workarounds
> for non-standard behaviors.
>
> “These workarounds excessively complicate DNS software and are now also
> negatively impacting the DNS as a whole,” the Internet Systems
> Consortium (ISC) points out.
>
> To address the problem, some organizations have agreed to update their
> software or systems to cease implementing said workarounds in software
> set to be released around DNS Flag Day. These include ISC (in BIND 9.14
> stable), CZ NIC (in Knot Resolver 3.3.0 – it has stricter EDNS handling
> in all current versions), NLNET Labs (in Unbound 1.8.4, 1.9.0 and
> newer), and PowerDNS (PowerDNS recursor 4.2).
>
> Organizations supporting the initiative include Cisco, CleanBrowsing,
> Cloudflare, Facebook, Google, Quad9, and the aforementioned software
> vendors of DNS software and public DNS providers.
>
> “To ensure further sustainability of the system it is time to end these
> accommodations and remediate the non-compliant systems. This change will
> make most DNS operations slightly more efficient, and also allow
> operators to deploy new functionality, including new mechanisms to
> protect against DDoS attacks,” the initiative’s GitHub page reveals.
>
> This change is expected to have impact on sites operating non-compliant
> software only. Internet users with their own domain names will be
> affected only indirectly and won’t need to take specific action.
>
> “Domains served by DNS servers that are not compliant with the standard
> will not function reliably when queried by resolvers that have been
> updated to the post-Flag Day version, and may become unavailable via
> those updated resolvers,” ISC points out.
>
> Organizations with DNS zones served by non-compliant servers will see
> their online presence slowly degrade or disappear when ISPs and other
> organizations update their resolvers. Organizations switching internal
> DNS resolvers to versions that don’t implement workarounds might
> experience issues with sites and email servers becoming unreachable.
>
> Operators of DNS authoritative systems are advised to check their own
> domain at https://dnsflagday.net/ to ensure they are EDNS-compliant.
> Common issues emerge from firewalls blocking EDNS traffic and old DNS
> servers requiring upgrades.
>
>
> --
> gter list    https://eng.registro.br/mailman/listinfo/gter
>


-- 


Luciano Santos
https://about.me/luciano_santos

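On the question of what has to change on the servers: the dnsflagday.net check the article points to is a set of EDNS probes against the authoritative servers of a zone, and the failure modes it looks for are exactly the ones the article lists (EDNS queries dropped by a firewall, answered with FORMERR/NOTIMP, or answered with the OPT record stripped). The following is an added example, not code from this thread, from the article, or from the dnsflagday.net tooling; it uses only the Python standard library and implements two of those probes by hand so the wire format is visible: an EDNS0 query, which a compliant server must answer with an OPT record of its own, and an EDNS version 1 query, which RFC 6891 says must be answered with RCODE BADVERS (16) carrying an OPT record of version 0. The sample replies in `run_samples` are constructed, not captured from any real server, and `example.com` is just the placeholder zone.

```python
"""EDNS compliance probe in the spirit of the DNS Flag Day checks. Added example,
not code from the thread, the article or dnsflagday.net; stdlib only.
Probe 1: EDNS0 query -> OPT RR expected back. Probe 2: EDNS v1 -> BADVERS + OPT v0."""
import socket, struct

OPT_TYPE, BADVERS = 41, 16
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 16: "BADVERS"}

def encode_name(name):
    """Wire-format a domain name: length-prefixed labels plus the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def opt_record(udp_size=1232, version=0, ext_rcode=0):
    """OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size,
    TTL = extended-RCODE | version | flags, empty RDATA."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size,
                                 (ext_rcode << 24) | (version << 16), 0)

def build_query(name, txid=0x1234, edns=True, version=0):
    """Query for name/A/IN with RD set, optionally carrying an OPT RR."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    return hdr + encode_name(name) + b"\x00\x01\x00\x01" + \
        (opt_record(version=version) if edns else b"")

def build_response(name, rcode, with_opt=True, txid=0x1234):
    """Constructed answerless reply (for the samples below, not captured from a
    real server): low 4 RCODE bits in the header, the high bits in the OPT TTL."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, 0, 0, int(with_opt))
    return hdr + encode_name(name) + b"\x00\x01\x00\x01" + \
        (opt_record(ext_rcode=rcode >> 4) if with_opt else b"")

def skip_name(msg, off):
    """Advance past a wire-format name, honouring compression pointers."""
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    """Return the full RCODE (header nibble + OPT extended bits) and the OPT RR."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, opt = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            opt = {"udp_size": rclass, "ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF}
    rcode = (flags & 0xF) | ((opt["ext_rcode"] << 4) if opt else 0)
    return {"rcode": rcode, "opt": opt}

def classify_edns0(reply):
    """Verdict for the EDNS0 probe; reply is raw bytes, or None on timeout."""
    if reply is None:
        return ("FAIL", "timeout: EDNS0 query dropped (firewall or server)")
    r = parse_response(reply)
    rc = RCODES.get(r["rcode"], str(r["rcode"]))
    if r["rcode"] in (1, 4):
        return ("FAIL", f"{rc}: server rejects the OPT record")
    if r["opt"] is None:
        return ("FAIL", f"{rc} but no OPT RR in the reply: EDNS stripped")
    return ("OK", f"{rc}, OPT present, server UDP size {r['opt']['udp_size']}")

def classify_edns1(reply):
    """Verdict for the EDNS version 1 probe (RFC 6891 section 6.1.3)."""
    if reply is None:
        return ("FAIL", "timeout: EDNS version 1 query dropped")
    r = parse_response(reply)
    if r["rcode"] == BADVERS and r["opt"] and r["opt"]["version"] == 0:
        return ("OK", "BADVERS with OPT version 0")
    return ("FAIL", f"expected BADVERS, got {RCODES.get(r['rcode'], r['rcode'])}"
            + ("" if r["opt"] else " without OPT"))

def probe(server, name, version=0, timeout=3.0):
    """Send one EDNS query over UDP/53; None means no reply before the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, version=version), (server, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None

def run_samples():
    """Classify constructed sample replies, one per failure mode the article names."""
    return {label: fn(reply)[0] for label, fn, reply in [
        ("compliant EDNS0", classify_edns0, build_response("example.com", 0)),
        ("OPT stripped", classify_edns0, build_response("example.com", 0, with_opt=False)),
        ("FORMERR on EDNS0", classify_edns0, build_response("example.com", 1, with_opt=False)),
        ("firewall drops EDNS", classify_edns0, None),
        ("compliant EDNS1", classify_edns1, build_response("example.com", BADVERS)),
        ("ignores EDNS version", classify_edns1, build_response("example.com", 0))]}

if __name__ == "__main__":
    print(run_samples())
```

Run as-is it only classifies the constructed samples. Against a real authoritative server (an address such as `192.0.2.53` here is a placeholder), `classify_edns0(probe("192.0.2.53", "example.com"))` and `classify_edns1(probe("192.0.2.53", "example.com", version=1))` give the live verdicts; a `None` from `probe` is the timeout case, which is what to expect when a firewall in front of the server drops packets carrying an OPT record. These two probes are only a subset of what a full compliance checker sends, so a pass here is a necessary, not a sufficient, condition.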

