DNS Flag Day, Friday, Feb 1st, 2019

Jimmy Hess mysidia at gmail.com
Thu Jan 31 13:43:32 UTC 2019


On Thu, Jan 31, 2019 at 6:01 AM Matthew Petach <mpetach at netflight.com> wrote:

> Google, Cloudflare, Quad9 all changing their codebase/response behaviour on a Friday before a major sporting and advertising event?
> Not sounding like a really great idea from this side of the table.

If your DNS zone is hosted on Google or Cloudflare's servers, then you
should have nothing to worry about, other than your end users having
a broken firewall in between their DNS resolver and the internet, and then
updating their resolver software....

Actually, none of those providers announced detailed plans, at least yet;
and maybe they won't even bother announcing.
They could update their software yesterday if they wanted, or they could
wait until next week, and it would still be "On or Around Feb 1, 2019."
The 'Flag Day' is not a specific moment at which all providers
necessarily push a big red button at the same instant to remove
their workaround for broken DNS servers discarding queries.

> Are we certain that the changes on the part of the big four recursive DNS operators won't cause downstream issues?

Not downstream issues. They will break resolution of the
domains which have authoritative DNS servers that
discard or ignore DNS queries which comply with all the
original DNS standards but contain EDNS attributes.

The common cause for this was Authoritative DNS servers placed
behind 3rd party Firewalls that tried to "inspect" DNS traffic and
discard queries and responses with "unknown" properties or sizes
larger than 512 --- there may also be an esoteric DNS proxy/
balancer implementation with bugs, or some broken authoritative
server implementations running software that was more than 10 years
past End of Support at this point.

If your authoritative DNS service sits behind such a broken device or
on such a broken DNS server,
then clients already have troubles resolving your domains, and some time
after the DNS Flag day, it will likely stop working altogether.

> As someone noted earlier, this mainly affects products from a specific company, Microsoft, and L7 load balancers like A10s.  I'm going to hope legal teams from each of the major recursive providers were consulted ahead of time to vet the effort, and ensure there were no concerns about collusion or anticompetitive practices, right?

I wouldn't be too concerned. The operators of a recursive DNS service
very likely won't have an agreement giving them a duty to Microsoft,
A10, etc.;
if you have software or a service that you expect to interoperate with DNS
resolvers, then it's on you to make sure your implementation of the software
or service complies with the agreed standards regarding its processing
of compliant messages.

-- 
-JH
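The failure mode described in this thread (an authoritative server or the firewall in front of it answering a plain query but silently dropping the same query once it carries an EDNS OPT record) can be checked from the operator's side before resolvers stop working around it. The following is an added example, not code from the post or from any Flag Day project; it hand-builds the two UDP queries with only the standard library, and the classification rule (timeout on the EDNS query is the breaking case, FORMERR is a tolerable non-EDNS answer per RFC 6891) is the author's reading of the Flag Day criteria, not an official test.

```python
import socket
import struct

def build_query(name, qtype=1, edns=True, bufsize=4096, txid=0x1234):
    """Build a DNS query over UDP; with edns=True an OPT pseudo-RR (RFC 6891) is appended."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    opt = b""
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)
    return header + question + opt

def parse_header(data):
    """Return the header fields a Flag Day style check cares about."""
    txid, flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200), "arcount": ar}

def classify(plain, edns):
    """plain/edns are raw response bytes, or None when that query timed out."""
    if plain is None:
        return "unreachable"     # answers nothing at all; not an EDNS problem
    if edns is None:
        return "drops-edns"      # the workaround-dependent case resolvers stop tolerating
    if parse_header(edns)["rcode"] == 1:
        return "formerr"         # explicit refusal of EDNS is still a standards-compliant answer
    return "ok"

def probe(server, name, timeout=3.0):
    """Send a plain and an EDNS query to an authoritative server and classify the pair (needs network)."""
    results = []
    for edns in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, edns=edns), (server, 53))
            try:
                results.append(s.recv(4096))
            except socket.timeout:
                results.append(None)
    return classify(*results)
```

Run `probe("<your authoritative server IP>", "<your zone>")` against each authoritative server of a zone you operate; anything other than "ok" or "formerr" is the condition the post says will stop working.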



More information about the NANOG mailing list