
Are You Ready For DNS Flag Day? (dnsflagday.net)
Long-time Slashdot reader syn3rg quotes the DNS Flag Day page:
The current DNS is unnecessarily slow and suffers from inability to deploy new features. To remediate these problems, vendors of DNS software and also big public DNS providers are going to remove certain workarounds on February 1st, 2019.
This change affects only sites which operate software which is not following published standards. Are you affected?
The site includes a form where site owners can test their domain -- it supplies a helpful technical report about any issues encountered -- as well as suggestions for operators of DNS servers and DNS resolvers, researchers, and DNS software developers. The Internet Systems Consortium blog also has a list of the event's supporters, which include Google, Facebook, Cisco, and Cloudflare, along with some history. "Extension Mechanisms for DNS were specified in 1999, with a minor update in 2013, establishing the 'rules of the road' for responding to queries with EDNS options or flags. Despite this, some implementations continue to violate the rules.
"DNS software developers have tried to solve the problems with the interoperability of the DNS protocol and especially its EDNS extension by various workarounds for non-standard behaviors... These workarounds excessively complicate DNS software and are now also negatively impacting the DNS as a whole. The most obvious problems caused by these workarounds are slower responses to DNS queries and the difficulty of deploying new DNS protocol features. Some of these new features (e.g. DNS Cookies) would help reduce DDoS attacks based on DNS protocol abuse....
"Our goal is a reliable and properly functioning DNS that cannot be easily attacked."
Long Overdue (Score:1)
Carry on...
Re: (Score:2)
My HOSTS files are pretty large.
Helps me avoid all sorts of trash and malware.
Mac
Re: (Score:2)
My HOSTS files are pretty large. Helps me avoid all sorts of trash and malware.
Mac
So why are you still on Slashdot?
Re: (Score:2)
Good question
Ok, I'll sorta survive (Score:2)
Unfortunately, I don't host the DNS for most of my stuff.
Hopefully the dynamic DNS hosting service I use will update their software at some point.
Re: (Score:3)
Well, based on the linked site... it seems eerily like scaremongering.
They list one possibility is indeed “may not work”, but that’s alongside “slower than it should be”. But they say current DNS is already slower than it should be, so reading between the lines I’m going to guess that just about no one is actually going to see anything change.
Re:Ok, I'll sorta survive (Score:4, Informative)
Not necessarily. One of the current workarounds is to detect that something failed and disable the extended features. If they stop doing that, then certain requests will simply fail. I can name a few firewall vendors that still don't allow DNS packets large enough to allow EDNS by default.
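A small compliance probe in the spirit of the dnsflagday.net form, added here as an example (it is not the site's own tester): it builds a query carrying an EDNS0 OPT record, classifies the raw answer, and, like a post-flag-day resolver, treats a timeout as a failure rather than retrying without EDNS, which is exactly the workaround the comment above describes. The server address and query name are placeholders; the sample responses in the comments are constructed.

```python
import socket
import struct

DNS_PORT = 53
EDNS_UDP_SIZE = 1232  # advertised UDP payload; small enough to avoid fragmentation on most paths

def build_query(name, qtype=1, edns=True, udp_size=EDNS_UDP_SIZE, txid=0x1234):
    """Wire-format DNS query; with edns=True an OPT pseudo-RR (RFC 6891) goes in the additional section."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set, ARCOUNT=1 when OPT present
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags (all 0), RDLENGTH 0
    opt = (b"\x00" + struct.pack(">HHIH", 41, udp_size, 0, 0)) if edns else b""
    return header + question + opt

def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def classify_response(raw, edns_sent=True):
    """Label a raw UDP answer the way the flag-day tests do: None (dropped) is a failure, not a retry hint."""
    if raw is None:
        return "timeout"  # old resolvers retried without EDNS here; compliant servers must not make them
    _txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", raw[:12])
    rcode = flags & 0xF
    if rcode == 1:
        return "formerr"  # legacy server rejecting the OPT record outright
    if rcode != 0:
        return "rcode-%d" % rcode
    off = 12
    for _ in range(qd):
        off = _skip_name(raw, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(raw, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", raw[off:off + 10])
        if rtype == 41:
            return "edns-ok" if (ttl >> 16) & 0xFF == 0 else "bad-version"
        off += 10 + rdlen
    return "no-opt" if edns_sent else "plain-ok"  # answered, but silently dropped the OPT record

def probe(server, name, timeout=2.0):
    """Send one EDNS query over UDP and classify the answer (needs network; server/name are placeholders)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server, DNS_PORT))
        raw, _ = sock.recvfrom(4096)
    except socket.timeout:
        raw = None
    finally:
        sock.close()
    return classify_response(raw)
```

A "timeout" or "formerr" from an authoritative server for your zone is the case the comment above warns about: a middlebox dropping EDNS queries or a server refusing them, which resolvers used to paper over and from February 2019 no longer will.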
Re: (Score:2)
So this is less a worry about what my webhosting provider is going to do, and more what my corporate firewalls are going to fail on.
Correct. Webhosting providers have users who spazz on them when anything is slow. Corporate IT just don't have the same motivation. Mind you, I don't doubt for a moment that some corporate websites will also be affected. The number of big name corps with bad firewall configs on their public hosted side is frightening.
Actually DNSSEC is part of this (Score:3)
Actually this is about DNS extensions, or EDNS. Guess what the original DNS extension was? You got it, DNSSEC. Guess what DNSSEC does? Yep, it prevents a man-in-the-middle altering DNS responses, which in turn makes further MITM more difficult.
Let's do our part (Score:2, Interesting)
I'm doing my part by reducing the load on DNS servers. Block ads and put the worthwhile sites like your bookmarks and frequent sites into your hosts file or cache.
By the way, I went to the site of my local car dealer today to set up an appointment for service. Thirty two sites tried to run scripts. The site worked with only 3 allowed.
Whatever happened to DNS over DNS? (Score:5, Funny)
Skimming over the links provided, it seems that the main problem is that the DNS protocol isn't being used just for DNS. And if you're running a DNS resolver that just understands how to return IPs for host names, you're an impediment to the ultimate goal, to be able to implement emacs over DNS.
Properly functioning DNS? (Score:1)
Sorry, can't have that unless everybody does their own caching and we get rid of for-profit registrars. But really we need something completely different. Something that no authority of any kind can control. We need to cut our tether to the ISP, so no government can control access.
Re: (Score:2)
This isn't related to that at all, it's not about the registrar and registry system. (You can thank ICANN for that.) This is about software that has to work around several types of bugs or legacy behavior. Imagine if your web browser still had to parse those gopher:// links.
Re: (Score:2)
This isn't related to that; there are features like EDNS cookies, just like you have TCP cookies, to help prevent DDoS and other things. It's fine if you don't upgrade, but what will happen is you may not work, as the DNS industry is doing the same thing as IPv6 day and IPv6 launch and standing together saying "we are removing all the workarounds for non-standards-compliant and buggy servers".
Assertions and no information. (Score:2)
AFAICT, this posting and the linked articles are just a collection of assertions about how bad things are and how important this work is, with no actual information about how bad things are and how important this work is. In my experience when someone runs around saying things like this, it actually means that it's NOT that bad, and it's NOT that important, and they're just trying to scare people into moving in whatever direction they haven't been able to convince them to move in using actual data.
Fake news... (Score:2)
... is what could result, because cnn.com is not compliant.
workarounds? (Score:2)
I'm curious what features are being added/removed?
One thing I'd like to see in a formal DNS configuration is the ability to map an A record to a CNAME alias.
I know that some of the top-level hosting companies like Cloudflare have their own hacked DNS that adds that functionality so they can perform load balancing. In turn, they often demand complete control of the nameservers for domains they host, which I don't think is a good idea. Hopefully these changes will address this situation?
Re: (Score:2)
What you're asking for is what's known as an APEX CNAME. Some DNS providers provide this sort of faux support (I think Cloudflare and Route53 do this) via some wizardry. There is an active discussion in the DNSOP WG at the IETF about this. Come join the madness!
Re: (Score:1)
I have 10 or so non-localhost entries in my hosts file. My resolution order (/etc/nsswitch.conf) is files, dns, so when my Internet is down, I can still get to my local resources for NAS/tv box/DB server/security robot... access.