DNS Flag Day, the day that can ‘break’ the internet. What happens on that day and why?
A bit of history
The Domain Name System or DNS was conceived at a time when the internet was young. The protocols of that time exuded confidence in one’s fellow man, and security lingered in the background. Gradually, however, awareness grew that the DNS had to become more robust and contain more functions in the messages that it exchanged.
Thus, in 1999, EDNS or Extension mechanisms for DNS came into being. The advent of EDNS made DNSSEC, DNS geolocation and other security measures such as cookies in the conventional DNS messages possible. Every transition is difficult, however. Some existing firewalls or DNS implementations are not updated or they incorrectly implement the EDNS standard, causing workarounds/patches needed by the recursive resolvers to keep supporting them.
Need for standardisation
In the meantime, we are 20 years hence, and the weight of all these patches is starting to exact a heavy toll. Patches on patches, year after year – the maintenance of such patched software is becoming increasingly more complex and leading to (at times dangerous) bugs. These tools cause a slow response time and stand in the way of innovation. There is consequently an urgent need for everyone to follow the standards, otherwise it will be difficult to withstand the new threats, such as DNS amplification, DNS flood and Layer 7 attacks.
Various major IT players, including the developers of the various recursive resolvers, met and agreed that as of 1 February 2019, they would no longer support DNS servers which do not comply with the EDNS standard. All new versions of their software will not include the backward compatible patches, so there is a danger that domain names will no longer be ‘resolved’ as of that date. This entails a serious risk: no domain name, no website!
What does DNS Flag Day mean in concrete terms for you?
Your domain name may no longer support the latest security measures such as DNSSEC, and your website becomes an easy target for attackers. In concrete terms this means that all DNS servers, which are not compatible with the EDNS standard or which are broken due to a not EDNS compatible firewall in the path, are considered ‘dead’ and your domain name can no longer function as a result.
How to prepare for DNS Flag Day
Organisations such as ISPs, hosting companies and others have to test their current domain as well as their DNS servers. Tools are available to that end on the DNS Flag Day website. Furthermore, as a normal user, you can already check whether your domain name is compliant through a simple test on the same website.
The answer will hopefully be a fine “All OK” and a green “GO.” If that is not the case, contact your hosting company. There might be something wrong with the non-working DNS software or a broken Firewall configuration. An update of the DNS software to the latest stable version will probably remedy the situation.