Second DNS Flag Day planned

"One more improvement to the internet"

On 1 February 2019, DNS resolver software developers and major operators ended support for badly configured and outdated DNS servers. Resolver software versions published since that date, known as DNS Flag Day, no longer include workarounds for authoritative servers that don't comply with EDNS. Introduced twenty years ago (RFC 2671, 1999), EDNS is an extension to the DNS protocol that lets DNS messages over UDP exceed the original 512-byte limit, which is what makes DNSSEC's larger, signed responses practical. It also provides a general mechanism for further extensions to the DNS, such as DNS cookies.

The findings of an evaluation of the clean-up operation have now been published, and a second DNS Flag Day is being planned. A joint analysis by NLnet Labs, SIDN and the Rochester Institute of Technology found that, in the four months after DNS Flag Day, strict resolvers (those that no longer apply EDNS workarounds) went from 15 per cent of the resolver population to 42 per cent. The figure now stands at 44 per cent. As the accompanying chart shows, Google's Public DNS service accounts for the lion's share of the rise.

More information about the impact of the first DNS Flag Day is available in a blog post by APNIC.

DNS Flag Day 2020

Planning for a second DNS Flag Day has now started. The date has yet to be fixed, but the intention is that in 2020 resolver software developers will end support for fragmented DNS UDP packets. As a result, the default EDNS buffer size (the maximum UDP payload a resolver advertises in its OPT record) will be limited to roughly 1220 bytes; the exact limit hasn't yet been decided. Authoritative servers will also have to be correctly configured to answer over TCP, so that a resolver that receives a truncated (TC=1) UDP reply can retry the query over TCP instead of relying on IP fragmentation. On today's internet, IP fragmentation is unreliable and liable to cause transmission problems when large DNS packets are sent over UDP. Fragmented packets are also vulnerable to spoofing, at least in theory: only the first fragment carries the UDP header and the DNS transaction ID, so subsequent fragments cannot be matched to the outstanding query by those values. Only a small percentage of servers, such as those that don't answer DNS over TCP at all, are likely to be affected by the change. Authoritative DNS servers can already be tested using a tool published by ISC and available on the developers' site. A web-based test tool for clients and resolvers is still under development.
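To make the mechanism concrete, the following Python script (an added example written for this article; it is not code from SIDN, ISC or the DNS Flag Day project) builds a DNS query whose EDNS OPT record advertises a 1232-byte UDP buffer, parses a reply's header and OPT record, and decides whether the client must retry over TCP. The 1232-byte figure is an assumption in the spirit of the "roughly 1220 bytes" above (it is the largest payload that fits an IPv6 minimum MTU of 1280 bytes after the IPv6 and UDP headers); the query name `www.example.nl`, the transaction ID and the sample replies are all constructed so the script runs offline.

```python
"""EDNS buffer size and TCP fallback, as discussed for DNS Flag Day 2020.

Added example, not code from the article's sources. The name, transaction
ID and server replies below are constructed; nothing is sent on the network.
"""
import struct

# Assumed client-side limit: 1280 (IPv6 minimum MTU) - 40 (IPv6) - 8 (UDP).
UDP_BUFSIZE = 1232
TYPE_OPT = 41        # EDNS OPT pseudo-RR type (RFC 6891)
TYPE_A = 1
DO_BIT = 0x8000      # "DNSSEC OK" flag, carried in the OPT record's TTL field
FLAG_QR = 0x8000     # header flags
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_RA = 0x0080


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid, bufsize=UDP_BUFSIZE, dnssec=True):
    """Query with one OPT record in the additional section advertising bufsize."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # ARCOUNT=1 for OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    # OPT: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, DO_BIT if dnssec else 0, 0)
    return header + question + opt


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "counts": (qd, an, ns, ar)}


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:    # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n


def advertised_bufsize(msg):
    """UDP payload size from the reply's OPT record, or 512 (RFC 6891 default) if absent."""
    qd, an, ns, ar = parse_header(msg)["counts"]
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass                       # CLASS field carries the size
        off += 10 + rdlen
    return 512


def next_step(query, response):
    """What a strict resolver does with a UDP reply: discard, accept, or retry over TCP."""
    h = parse_header(response)
    if h["id"] != struct.unpack("!H", query[:2])[0] or not h["qr"]:
        return "discard"                        # not an answer to our query
    if h["tc"]:
        return "retry-over-tcp"                 # answer did not fit; never wait for fragments
    return "accept"


def constructed_response(query, truncate, server_bufsize=4096):
    """Constructed server reply (not captured traffic). A well-behaved server that
    cannot fit the answer in the client's buffer sets TC=1 instead of sending a
    datagram that would be fragmented."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    if truncate:
        return struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 0) + question
    # One A record (name is a pointer to the question name at offset 12) plus the server's OPT.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, server_bufsize, 0, 0)
    return struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 1) + question + answer + opt


if __name__ == "__main__":
    q = build_query("www.example.nl", TYPE_A, 0x1234)
    print("query advertises", UDP_BUFSIZE, "bytes; length", len(q))
    print("truncated reply ->", next_step(q, constructed_response(q, True)))
    full = constructed_response(q, False)
    print("full reply ->", next_step(q, full), "server buffer", advertised_bufsize(full))
```

On the server side the same value is set in configuration rather than code: BIND's `edns-udp-size` and `max-udp-size` options and Unbound's `edns-buffer-size` option both take a byte count. A quick manual check that a server can serve the TCP retry is `dig +tcp @ns1.example.nl example.nl SOA` (hostname constructed): if that times out while the same query without `+tcp` succeeds, TCP fallback is broken and the server is one of those the change will affect.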