The 1st of February was DNS Flag Day, which is an initiative of several DNS vendors and operators to address the problems of DNS name server implementations that are not in compliance with long-established DNS standards. This is causing the DNS to not only be unnecessarily slow and inefficient, but prevent operators from deploying new functionality including mechanisms to protect against DDoS attacks.
DNSSEC and other extended features of the DNS require EDNS0 (Extension Mechanisms for DNS – RFC 6891), and properly implemented name servers should either reply with an EDNS0 compliant response, or provide a regular DNS response if they don’t understand.
However, a lot of name server software is not implemented properly which has meant resolvers have had to incorporate workarounds when name servers don’t respond correctly. These cause unnecessary retries, delays, and prevent the newer features of the DNS being used.
As a result, the vendors of the most commonly used DNS software (BIND, Ubound, PowerDNS and Knot) will no longer be supporting these workarounds in new versions of their software, whilst a number of public DNS resolver operators (CleanBrowsing, Cloudflare, Google and Quad9) will no longer resolve hostnames served by broken name server implementations.
This may mean Continue reading