Domain Name System (DNS) 8 February 2019

DNS Flag Day

By Kevin Meynell, Manager, Technical and Operational Engagements

The 1st of February was DNS Flag Day, an initiative of several DNS vendors and operators to address the problem of DNS name server implementations that do not comply with long-established DNS standards. These implementations not only make the DNS unnecessarily slow and inefficient, but also prevent operators from deploying new functionality, including mechanisms to protect against DDoS attacks.

DNSSEC and other extended features of the DNS require EDNS0 (Extension Mechanisms for DNS – RFC 6891), and properly implemented name servers should either reply with an EDNS0-compliant response, or provide a regular DNS response if they don’t understand EDNS0.

However, a lot of name server software is not implemented properly, which has meant that resolvers have had to incorporate workarounds for name servers that don’t respond correctly. These workarounds cause unnecessary retries and delays, and prevent the newer features of the DNS from being used.

As a result, the vendors of the most commonly used DNS software (BIND, Unbound, PowerDNS and Knot) will no longer support these workarounds in new versions of their software, whilst a number of public DNS resolver operators (CleanBrowsing, Cloudflare, Google and Quad9) will no longer resolve hostnames served by broken name server implementations.

This may mean sites become unreachable, which makes it imperative that DNS administrators and domain name holders check whether their authoritative name servers are compliant with the DNS standard from 1987 (RFC 1035) or the newer EDNS standard from 1999 (RFC 2671 and RFC 6891).

The DNS Flag Day website has some helpful information on what DNS administrators and domain name holders need to do, and there’s also a tool to check whether your domain is affected. So if you haven’t already done so, please check your domain for compliance as soon as possible!
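The core of such a check, as an added sketch that is not the DNS Flag Day tool's own code: it sends one query carrying an EDNS0 OPT record to an authoritative server and sorts the result into the outcomes described above. The function names, result labels, 4096-byte payload size and 3-second timeout are choices made for this example; the server address and zone are supplied by the reader.

```python
import socket
import struct
def build_edns_query(name, qtype=6, udp_size=4096, txid=0x1234):
    """Non-recursive query (default SOA) carrying an EDNS0 OPT record (RFC 6891)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)  # 1 question, 1 additional
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".")) + b"\0"
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL = version 0, no RDATA
    opt = b"\0" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(msg, off):  # returns the offset just past a (possibly compressed) name
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += n + 1

def classify(response):
    """Return 'no-response', 'edns', 'plain-dns' or 'malformed'."""
    if response is None:
        return "no-response"
    try:
        _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
        if not flags & 0x8000:    # QR bit clear: not a response
            return "malformed"
        off = 12
        for _ in range(qd):
            off = _skip_name(response, off) + 4
        for _ in range(an + ns + ar):
            off = _skip_name(response, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
            off += 10 + rdlen
            if rtype == 41:       # OPT present: the server answered with EDNS
                return "edns" if (ttl >> 16) & 0xFF == 0 else "malformed"
        return "plain-dns"        # regular DNS answer without OPT
    except (struct.error, IndexError):
        return "malformed"

def probe(server_ip, zone, timeout=3.0):
    """Send one EDNS0 query over UDP; silence is the failure that needed workarounds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(zone), (server_ip, 53))
        try:
            return classify(s.recv(4096))
        except socket.timeout:
            return "no-response"
```

Calling `probe()` with the address of one of your authoritative servers and your zone name returns one of the four labels; `no-response` or `malformed` is the result that needs attention.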
