DNS flag day

Starting on February 1st, the developers of several of the most commonly used resolver software distributions (e.g. BIND, PowerDNS, Unbound) will remove existing workarounds for handling misconfigured or broken authoritative name servers. The operators of several popular open recursive resolver services have also announced that they will use the new software for their services. This affects end users’ ability to access services associated with Norwegian domain names.

Work on a standardized extension mechanism (EDNS) for the DNS protocol started more than 20 years ago. Still, one can find non-compliant name server software in operation, or network elements (e.g. load balancers, firewalls, routers with traffic filters) that break the EDNS protocol extension. Over the years, resolver developers have coded workarounds for broken name server behavior into their software products. These workarounds have become cumbersome to maintain, and they tend to hinder the introduction of new extensions. The developers of recursive resolver software have therefore collectively agreed to remove the workarounds from software versions released after February 1st 2019. From then on, authoritative name servers and their surrounding network elements will have to comply with the EDNS protocol standards.

The upcoming changes to the recursive name server behavior may affect Norwegian DNS providers and their customers. Norid therefore urges the registrars to check their own authoritative name servers, and if possible, also their customers’ name servers, and verify that they all behave correctly.

See the “DNS flag day” webpages for more information. The ISC also offers more technical information as well as a testing tool.
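As an added illustration of the check urged above (example code written for this page, not Norid's or the ISC's tool): the Python below builds a query carrying an EDNS version 0 OPT record, as defined in RFC 6891, and classifies the reply, treating a timeout as its own outcome. The verdict strings, the query ID, the 1232-byte UDP size, the name `example.org` and the `sample_reply` helper are assumptions made for the example.

```python
import socket
import struct

OPT = 41  # RR type of the EDNS OPT pseudo-record (RFC 6891)

def build_edns_query(name, qtype=6, qid=0x1234, udp_size=1232):
    """Non-recursive query (default type SOA) carrying an EDNS version 0 OPT record."""
    header = struct.pack("!6H", qid, 0, 1, 0, 0, 1)  # 1 question, 1 additional RR
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\0"
    # OPT RR: root owner name, TYPE=41, CLASS=UDP payload size, TTL=0 (version 0), no options
    opt = b"\0" + struct.pack("!HHIH", OPT, udp_size, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # compression pointer: 2 bytes, root label: 1

def classify_reply(msg):
    """Classify the reply to an EDNS query; msg is None when the query timed out."""
    if msg is None:
        return "timeout"
    _, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT:
            return "edns-v%d" % ((ttl >> 16) & 0xFF)  # version sits in TTL bits 16-23
    return "formerr" if flags & 0xF == 1 else "no-opt"

def sample_reply(with_opt=True, rcode=0):
    """Constructed reply for offline use: the query echoed with QR set, optionally minus OPT."""
    q = build_edns_query("example.org")
    body = q[12:] if with_opt else q[12:-11]  # the OPT RR built above is 11 bytes
    return struct.pack("!6H", 0x1234, 0x8000 | rcode, 1, 0, 0, int(with_opt)) + body

def probe(server_ip, name, timeout=3.0):
    """Send the query over UDP to an authoritative server you operate and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(name), (server_ip, 53))
        try:
            return classify_reply(s.recv(4096))
        except socket.timeout:
            return "timeout"
```

A `timeout` from `probe` against a server that answers the same query without the OPT record points at the server, or a network element in front of it, dropping EDNS traffic.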

Last updated 16 January 2019