Oracle Dyn has been closely following the effort of DNS software vendors and the DNS community for the DNS Flag Day on February 1, 2019. We would like to share a brief overview of what DNS Flag Day is and how Oracle has prepared for it.
DNS Flag Day is an initiative by the DNS Community to deprecate and remove support for an older DNS workaround that DNS vendors have been using for years. The goal is to make DNS software a little less complex, easier to maintain, have more predictable behavior, and improve performance.
In this case, the changes are related to how DNS query timeouts are handled. In the past, when a DNS resolver encountered a timeout from an authoritative server, it would retry the DNS query with EDNS disabled. Starting on February 1, 2019, major public DNS resolvers and vendors will no longer disable EDNS when a DNS query times out. This means that if your authoritative DNS servers do not respond properly to DNS queries that use EDNS, the DNS query will effectively time out.
The Challenge of DNS Implementations
The DNS is an old protocol by Internet standards: the first RFCs were written in the early 1980s, and the protocol has been revised many times since to accommodate an ever-changing Internet. As the DNS protocol has evolved, maintaining backwards compatibility with older DNS software has been a major priority.
Given that there are far too many implementations of DNS (think every client, every resolver, every home/business router, every authoritative server, and sometimes even client software such as web browsers), it has been considered unrealistic to expect a reasonably fast upgrade cycle when a hardware device like a router, or a piece of software with its own DNS implementation, is released with a bug. In fact, it is sadly the case that many devices on the Internet last received software/firmware upgrades years ago, if not decades ago. Over the years, DNS vendors have coded workarounds for some of these broken implementations.
However, the DNS protocol is now extremely complex, and the underlying software that powers the DNS (from resolvers to authoritative servers) is increasingly complex as well. Every time a new implementation of the DNS is written, these workarounds for old or buggy software have to be taken into account, or else rolling out the new software causes problems for those relying on it. With all of these workarounds, DNS implementations pay a performance and complexity cost, which increases the risk of further bugs and even security vulnerabilities being introduced.
Impact of DNS Flag Day
Specifically, the changes impact DNS resolvers and authoritative servers that do not properly follow the original DNS standards from 1987 (RFC 1035) or the newer EDNS standards from 1999 (RFC 2671 and RFC 6891). EDNS support isn't required, but properly handling queries with or without EDNS (in accordance with the previously mentioned RFCs) is required. This is good news for older DNS implementations that never added EDNS support: provided they properly comply with RFC 1035, they should have no issues continuing to use the DNS.
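To make the requirement described above and in the timeout discussion concrete, here is an added example (not Oracle Dyn's code) that builds an EDNS0 query in wire format and classifies what an authoritative server sends back: an answer carrying an OPT record, a legacy RFC 1035 answer without one, or no answer at all, which is the case resolvers stop working around on Flag Day. It uses only the Python standard library; the query name `example.com` and the replies produced by `make_reply` are constructed test data, so it runs offline.

```python
import struct
OPT_TYPE = 41  # EDNS0 OPT pseudo-RR (RFC 6891)

def build_edns_query(qname, qtype=1, qid=0x1234, udp_size=1232):
    """Wire-format query: RD set, one question, one OPT RR in the additional section."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack(">HH", qtype, 1)
    # OPT RR: root owner name, CLASS = UDP payload size, TTL = ext-RCODE/version/flags (all zero)
    return header + question + b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_size, 0, 0)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def classify_response(qid, resp):
    """Flag Day outcome: a reply with or without OPT is fine, silence is the failure."""
    if resp is None:
        return "timeout"  # dropped EDNS query; resolvers no longer retry without EDNS
    rid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != qid or not flags & 0x8000:  # wrong ID or QR bit clear
        return "invalid"
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    has_opt = False
    for _ in range(an + ns + ar):
        off = _skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10 + rdlen
        has_opt |= rtype == OPT_TYPE
    # A legacy RFC 1035 server answers without OPT (or returns FORMERR): still a response.
    return ("edns" if has_opt else "legacy") + "/rcode=%d" % (flags & 0x0F)

def make_reply(query, rcode=0, with_opt=True):
    """Constructed sample reply to `query` (test data, not a real server's answer)."""
    qid = struct.unpack(">H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    # One A record whose owner is a compression pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + b"\xc0\x00\x02\x01" if rcode == 0 else b""
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, 1232, 0, 0) if with_opt else b""
    header = struct.pack(">HHHHHH", qid, 0x8180 | rcode, 1, 1 if answer else 0, 0, 1 if with_opt else 0)
    return header + question + answer + opt
```

Against a live server you would send `build_edns_query(...)` over UDP port 53 and pass the bytes (or `None` after the socket timeout) to `classify_response`; only the `timeout` outcome is what breaks after Flag Day.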
Oracle Dyn’s preparations for DNS Flag Day
At this point in time, Oracle Dyn is compliant with at least the minimum working setup for DNS Flag Day, and in many cases we are fully EDNS compliant. In all cases, we expect no issues with DNS Flag Day at this time.
For Primary Zones with advanced DNS features like Traffic Director, we are compatible with the minimum working setup for DNS Flag Day and expect no issues. One edge case in this scenario has been brought to our attention: a query for a DNSKEY record causes one of the DNS Flag Day tests to fail. Given that Primary Zones on our platform with advanced DNS features like Traffic Director cannot be DNSSEC signed, we do not expect this behavior to cause any real-world issues with responding to DNS queries, as we do not expect to receive legitimate queries for DNSKEY records on those zones.
Our Customer Support team will be glad to assist if you have further questions or concerns regarding DNS Flag Day. You can contact them at firstname.lastname@example.org.