1 October of the accursed year 2020 is DNS Flag Day again. The idea behind it is to make the DNS protocol (Domain Name System) more secure, reliable and robust through a coordinated effort of the participating DNS players. This year DNS Flag Day is about preventing IP fragmentation.
Why should DNS evolve?
The Domain Name System or DNS dates back to the early days of the internet. The old protocols were based on trust, and security was a secondary concern. However, it gradually dawned on us that the DNS had to become more robust and had to carry more functionality in the messages it exchanges.
And this is how, in 1999, EDNS or Extension Mechanisms for DNS was created. The arrival of EDNS also made DNSSEC, DNS geolocation and other security measures possible, such as cookies in classic DNS messages. However, every transition is hard. Some existing firewalls or DNS implementations were not updated, or the EDNS standard was implemented incorrectly. To continue supporting them, recursive resolvers created workarounds and patches.
Extension Mechanisms for DNS (EDNS) is an extension to the DNS protocol that allows bigger DNS answers to be sent and new parameters to be set. This was necessary because classic DNS over UDP is limited to 512-byte messages and because newer techniques such as DNSSEC require new parameters and bigger packets.
For this, EDNS introduced a new resource record, OPT, while still retaining backward compatibility. The OPT record gives DNS room for extra flags, response codes and labels. The sender's maximum DNS UDP packet size is also advertised in it.
Need for standardising
For 20 years these patches have been piling up. It is becoming increasingly complex to maintain this patched software, resulting in (at times dangerous) bugs. The workarounds are useful tools, but they also slow down response times and stand in the way of innovation. This is why everyone urgently has to follow the standards.
These concerns resulted in the first DNS Flag Day in 2019. DNS Flag Day is an annually recurring initiative with the aim of making the DNS protocol (Domain Name System) more secure, reliable and robust. Every year the DNS community tackles a specific DNS protocol defect. The positive result of Flag Day 2019 is that DNS software and operators across the whole world brought their DNS server implementations into line with the standards.
This year DNS Flag Day is about preventing IP fragmentation. In IP fragmentation an IP packet is broken up into smaller pieces because it is too big to send across networks that can only handle smaller packets. On today's internet IP fragmentation can cause transfer errors, and fragmented packets are also less secure.
Flag Day 2020 suggests avoiding IP fragmentation by:
- On the one hand, limiting the size of DNS answers. This is done by setting the EDNS buffer size to a maximum of 1232 bytes, both on recursive DNS resolvers and on authoritative DNS servers.
- On the other hand, ensuring that DNS servers also support DNS over TCP, so that DNS communication can fall back to TCP whenever an answer is bigger than the configured buffer size.
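As an added example (not DNS Belgium's own code or tooling), the Python below builds a query that advertises a 1232-byte EDNS buffer in its OPT record, parses a response to read the responder's advertised EDNS size and the TC (truncated) bit, and applies the two Flag Day rules: flag a buffer size above 1232 bytes, and fall back to TCP when TC is set. The sample response is constructed inline, not captured from a real server.

```python
import struct
FLAG_DAY_MAX_UDP = 1232  # EDNS UDP buffer size recommended by DNS Flag Day 2020

def encode_name(name: str) -> bytes:
    """Domain name to DNS wire format: length-prefixed labels ending in a root byte."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split(".")) + b"\x00"

def build_query(name: str, qtype: int = 1, edns_size: int = FLAG_DAY_MAX_UDP, txid: int = 0x1234) -> bytes:
    """Query with an EDNS(0) OPT record: root name, TYPE 41, CLASS = UDP payload size, TTL = flags."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question; 1 additional (OPT)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # QCLASS IN
    opt = b"\x00" + struct.pack(">HHIH", 41, edns_size, 0, 0)    # RDLENGTH 0: no EDNS options
    return header + question + opt

def _skip_name(data: bytes, off: int) -> int:  # offset just past a wire-format name, pointer-aware
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + data[off]
    return off + 1

def parse_response(data: bytes) -> dict:
    """Extract the TC bit and the responder's advertised EDNS UDP size (None if no OPT)."""
    _txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    off, edns_size = 12, None
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        if rtype == 41:
            edns_size = rclass  # OPT CLASS field = sender's UDP payload size
        off += 10 + rdlen
    return {"tc": bool(flags & 0x0200), "edns_size": edns_size}

def flag_day_check(resp: dict) -> list:
    """Flag Day 2020 rules: advertised size <= 1232 bytes; TC set means fall back to TCP."""
    findings = []
    if resp["edns_size"] is None:
        findings.append("no OPT record: responder does not speak EDNS")
    elif resp["edns_size"] > FLAG_DAY_MAX_UDP:
        findings.append(f"advertised EDNS size {resp['edns_size']} > {FLAG_DAY_MAX_UDP}: may fragment")
    if resp["tc"]:
        findings.append("TC bit set: answer truncated, retry this query over TCP")
    return findings

SAMPLE_RESPONSE = (  # constructed, not a real capture: example.be/A answer, TC set, OPT advertising 4096
    struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 1, 0, 1)  # QR|TC|RD|RA; 1 question, 1 answer, 1 OPT
    + encode_name("example.be") + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])  # A RR via name pointer
    + b"\x00" + struct.pack(">HHIH", 41, 4096, 0, 0))
```

Against the constructed response the check reports both findings; a compliant server would advertise at most 1232 bytes and answer larger responses over TCP.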
DNS Belgium aims to create a high-quality and secure internet experience for everyone, among other things by fighting cybercrime in every possible way. That is why we have investigated how compliant our registrars are. We therefore warmly support Flag Day 2020.