Jan 2, 2019

Jan 2, 2019

DNS Flag Day - February 1, 2019

On Friday, February 1, 2019,what's being called "DNS Flag Day" will come to pass.

On DNS Flag Day, DNS software and service providers will roll out updates to remove existing DNS resolver workarounds that allows users to bypass the Extension Mechanisms Protocol (EDNS) for DNS, to ensure compliance with the original DNS standard from 1987 (RFC1035) and the newer EDNS standards from 1999 (RFC2671) and (RFC6891).

Why are they doing this?

In the early 80s when the Domain Name System (DNS) got born, the networking was a lot smaller and a lot different than it is today. At that time the Domain Name System (DNS) had not yet become the backbone technology of the Internet as we know it today. As the years went by and the Internet grew, the Domain Name System (DNS) has grown alongside it, undergoing several evolutionary steps to be able to meet the Internet's requirements and standards at any given time. This effort is simple yet another evolutionary step in the Domain Name System (DNS) history, required to meet today's Internet standard.

To meet today's standards and requirements major Open Source DNS Software providers along with a number of other organizations, social networks and search engine giants have joined forces and declared a flag day, after which the Domain Name System (DNS) software will no longer support those workarounds which are causing slower responses to DNS queries and make it harder to implement new features. On that day they will cease accommodating DNS software vendors and DNS service providers that do not comply with the published DNS standard behaviour when interacting with other servers.

Why should I care?

If you, your organizations or company own a domain and that domain is being hosted on authoritative server which is in violation of the published DNS standard, that domain will gradually become inaccessible on the Internet through domain name lookups.

What do I need to do?

The first thing to do is to make sure that the authoritative DNS server for your domain(s) responds correctly.
To see if your authoritative DNS server for your domain(s) are compliant, head to the DNS Flag Day website and enter in the form below "I'm a domain holder" your domain and click on the test button.
If you get "All OK" no further action is required.If you get "Fatal error detected" you should contact your domain(s) technical contact and or DNS service provider in charge of managing the DNS software used by your domain name(s) and have them ensure it is fully updated and compliant with the EDNS protocol requirement and there no misconfiguration with the firewall, intrusion detection system and intermediate devices, such as routers, switches which may also result in compliance failures.

Additional resources and references

DNS Flag Day website

Blog on DNS Flag Day

Earlier blog on EDNS fallback behavior

Blog on EDNS compliance issue

Presentation on DNS Flag Day on UKNOF, January 15th, 2019

KB article – DNS Flag Day, How Will it Impact You?

KB article – DNS Flag Day, Notes for Authoritative servers

KB article – EDNS compatibility tests and status codes


Leave a message and we will reply as soon as we can.

Message received