DNS Flag Day, Friday, Feb 1st, 2019

Mark Andrews marka at isc.org
Thu Jan 24 06:09:38 UTC 2019



> On 24 Jan 2019, at 4:45 pm, Christopher Morrow <morrowc.lists at gmail.com> wrote:
> 
> 
> 
> On Thu, Jan 24, 2019 at 12:35 AM Mark Andrews <marka at isc.org> wrote:
> And if you don’t want to go to the web site you can still see the content here
> 
> https://github.com/dns-violations/dnsflagday
> 
> 
> I think part of my snark was lost as snark here... 
> So, we're asking 'everyone' to do 'something' on behalf of their domains, their users and the rest of the internet... we can't seem to do that in a fashion that's traceable, clearly has ownership and doesn't look like every halfbaked spam campaign in the world.
> 
> Yes I could go digging for the right starting point at ISC or github or .. what??
> Why wasn't this pretty clearly owned by 'ICANN' or some organization like that?

Well the IETF doesn’t want to be “Protocol Police”.  ICANN has enforced this
on gTLD operators as they are contractually obligated to run protocol compliant
servers.  Almost all of the ccTLD servers are fixed as well.

https://ednscomp.isc.org/compliance/ts/tld-graphs.html
https://ednscomp.isc.org/compliance/tld-report.html

I’ve argued for years that TLD operators should be doing tests like this on
all delegated domains and delisting them until they have fixed the server after
an initial grace period with multiple warnings.  They are in a position to send
warnings to operators and owners of delegated zones.  They just say “this is not
our job” despite RFC 1033 actually listing removal of delegation as something
that should be done by the parent zone (TLD) if other methods of fixing servers
that don’t follow the specification fail.

No one wanted to own this.  This is Open Source DNS vendors saying “Enough is Enough”.
We are tired of having to write workarounds for all the broken servers out there
especially as those workarounds impact sites that have protocol compliant servers.

None of us could move alone as we would get “But it works with …”.  This needed to
be a collective move.  The public DNS resolver operators are also on board.

No system works if there are not checks and balances in place.  The DNS still doesn’t
have checks and balances in place.

Mark

> It's lovely that github, fastly, gandi and ISC want to help, but... somewhere here some legitimacy could have been injected into the process, right?
> 
> "HI, we're ICANN we do dns thingies, and we'd like to help make you make things better. Please use the website (provided by our partner(s) X, Y, Z to do the following A, B, C things, and get guidance on repair for problems at site FOO, BAR or BAZ. If there are questions please see our FAQ (https://www.icann.org/dnsfixin/faq) or email <support at icann.org>. Thanks for taking the time to make the world better?"
> 
> it's not super hard to do this, it's also apparently super easy to look like a spam/malware campaign.
>  
> > On 24 Jan 2019, at 4:32 pm, Mark Andrews <marka at isc.org> wrote:
> > 
> > Also as a lot of you use F5 servers here is information about DNS flag day
> > fixes.
> > 
> > https://support.f5.com/csp/article/K07808381?sf206085287=1
> > 
> >> On 24 Jan 2019, at 3:51 pm, Christopher Morrow <morrowc.lists at gmail.com> wrote:
> >> 
> >> 
> >> 
> >> On Wed, Jan 23, 2019 at 11:45 PM Mark Andrews <marka at isc.org> wrote:
> >> Well you can go to https://ednscomp.isc.org and click on "Test Your Servers Here”
> >> which is what https://dnsflagday.net calls behind the scenes.  You will just need
> >> to interpret the results as they apply to DNS flag day.  If you don’t want to go
> >> there you can go to https://gitlab.isc.org and download and compile the DNS
> >> compliance tester and then run “genreport -i bind11 -e”, which is the actual test
> >> code being run.
> >> 
> >> 
> >> oh excellent, I'll do this version. thanks.
> >> 
> >> But hey you did do proper acceptance testing when you installed your DNS servers
> >> and firewalls to ensure that they implemented the DNS protocol correctly and they
> >> that your firewalls don’t block well formed DNS queries (lots of them do by default).
> >> 
> >> 
> >> I did, yes.
> >> 
> >> Mark
> >> 
> >>> On 24 Jan 2019, at 3:35 pm, Christopher Morrow <morrowc.lists at gmail.com> wrote:
> >>> 
> >>> 
> >>> 
> >>> On Wed, Jan 23, 2019 at 7:11 PM Brian Kantor <Brian at ampr.org> wrote:
> >>> Quoting from the web site at https://dnsflagday.net/
> >>> 
> >>> 
> >>> huh, from the 'dns illuminati' eh"
> >>> 
> >>> DNS hosted by gandi.net? resolves to 3 /32's on 3 adjacent /24's.. in github's ip space, routed by fastly.com ...
> >>> I'm sure glad the  whois data for that domain is sensible too... :(
> >>> 
> >>> none of that particularly leaves me feeling like I should go put any data at all into the site.
> >>> 
> >>> -chris
> >> 
> > 
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
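As an added example (not code from the thread, and not ISC's genreport or the dnsflagday.net checker), here is a small Python probe that does the core of what the "test your servers" step checks: it builds a query carrying an EDNS0 OPT record, sends it to a server, and classifies the reply. The server, domain and verdict labels are assumptions; the LEGACY verdict assumes a FORMERR without an OPT record still triggers the RFC 6891 fallback, whereas silence is the case that stops being worked around after flag day.

```python
import socket, struct

# Added example (not ISC's genreport): minimal EDNS0 probe for the Flag Day check.
def build_query(qname, qid=0x1234, edns=True, udp_size=1232):
    """Wire-format A/IN query; with edns=True an EDNS0 OPT RR is appended."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    question += b"\x00" + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    # OPT RR: root owner, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0) if edns else b""
    return header + question + opt

def _skip_name(data, off):
    while data[off] & 0xC0 != 0xC0:     # a compression pointer ends the name
        if data[off] == 0:
            return off + 1
        off += data[off] + 1
    return off + 2

def parse_response(data):
    """Return id, RCODE and whether any RR in the message is an OPT record."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, has_opt = 12, False
    for _ in range(qd):
        off = _skip_name(data, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        has_opt, off = has_opt or rtype == 41, off + 10 + rdlen
    return {"id": qid, "rcode": flags & 0xF, "has_opt": has_opt}

def classify(data):
    """Map the server's reaction to an EDNS query onto a Flag Day verdict."""
    if data is None:
        return "FAIL: no reply; resolvers no longer retry without EDNS on timeout"
    r = parse_response(data)
    if r["has_opt"]:
        return "OK: EDNS-aware answer (rcode %d)" % r["rcode"]
    if r["rcode"] == 1:
        return "LEGACY: FORMERR without OPT, RFC 6891 fallback still applies"
    return "WARN: answered without an OPT record (rcode %d)" % r["rcode"]

def probe(server, qname, timeout=3.0):
    # One EDNS query over UDP to port 53; a timeout is the fatal Flag Day case.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(qname), (server, 53))
    try:
        return classify(sock.recvfrom(4096)[0])
    except socket.timeout:
        return classify(None)
```

Run `probe()` against each authoritative server of a zone from outside its firewall; a FAIL there is the same symptom the firewall acceptance test mentioned above is meant to catch.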