DNS Flag Day: Are you ready?

DNS Flag Day - Blog Nameshield

Lately, DNS has been making headlines: after the first KSK rollover in October 2018, then the deactivation of the former KSK on January 11, now comes the DNS Flag Day!

DNS Flag Day: What is it all about?

In IT, a "flag day" is the date on which a radical, non-backward-compatible change takes effect, and by extension the deadline itself.

Remember that when DNS was created, today's weight of cybercrime threats against the DNS infrastructure did not exist. Security was initially relegated to the background, but the evolution of attacks has made it absolutely necessary: the DNS must be strengthened!

It is in this context that the EDNS standard (Extension Mechanisms for DNS) was created in 1999 (and updated in 2013 in RFC 6891). EDNS has in particular made possible the implementation of DNSSEC, DNS geolocation and other measures aimed at strengthening security.

This transition was not without difficulties. Incomplete or incorrect adoptions of the EDNS standard, missing updates and workarounds led to many patches and accommodations in the recursive servers' code (in particular so as to distinguish DNS servers that cannot properly support EDNS from those unreachable for other reasons).

Two decades later, maintaining all this patched software has become more than difficult and leads to bugs that can compromise DNS security. The weight of these patches also obviously slows down response times.

It is time for this standard to be implemented by everyone; otherwise resolvers will no longer be able to deal efficiently with new DNS attacks, such as amplification or layer 7 attacks.

That is why major IT actors (Google, Cloudflare, Facebook, Cisco, ...), including the developers of recursive servers, jointly decided to no longer support DNS servers that do not respect the EDNS standard as of February 1, 2019. The Flag Day arrives!

And concretely?

From DNS Flag Day, February 1, any DNS server that does not comply with the EDNS standard (or that fails because it sits behind a firewall incompatible with EDNS), and therefore does not respond to EDNS requests, will be considered unreachable, the accommodations and other patches having been removed from the new versions of the DNS software.

Put simply: if your domain name is not hosted on compatible DNS servers, it may no longer respond.

How to anticipate?

This is why it is important to ensure that the DNS servers hosting your names' zones are EDNS-compatible, in particular if they are not placed on Nameshield's DNS infrastructure or if your company maintains its own infrastructure.

The DNS Flag Day website also allows you to test your name's compliance: https://dnsflagday.net/
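To show what "not responding to EDNS requests" means on the wire, here is an added example in Python (not Nameshield's code and not the dnsflagday.net tester): it builds a plain and an EDNS query, parses the reply for the OPT record, and classifies a server the way the article describes, where silence on the EDNS query only is the Flag Day failure case. The server address, the 1232-byte payload size and the verdict labels are assumptions of this example.

```python
import socket
import struct
OPT_TYPE = 41  # EDNS OPT pseudo-RR type (RFC 6891)

def build_query(name, qtype=1, edns=True, txid=0x1234):
    """UDP DNS query for `name`; with edns=True an OPT RR is appended (ARCOUNT=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    pkt = header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    if edns:  # OPT: root owner name, TYPE 41, CLASS = UDP payload size, TTL = 0 (version 0, no DO), RDLEN 0
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, 0)
    return pkt

def _skip_name(data, pos):  # advance past labels ended by 0x00, or past a 2-byte compression pointer
    while data[pos] and not data[pos] & 0xC0:
        pos += 1 + data[pos]
    return pos + (2 if data[pos] & 0xC0 else 1)

def parse_response(data):
    """Return (rcode, has_opt): the header RCODE and whether any RR in the reply is an OPT record."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    has_opt, pos = False, 12
    for _ in range(qd):
        pos = _skip_name(data, pos) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(data, pos)
        rtype, rdlen = struct.unpack("!H", data[pos:pos + 2])[0], struct.unpack("!H", data[pos + 8:pos + 10])[0]
        has_opt = has_opt or rtype == OPT_TYPE
        pos += 10 + rdlen  # TYPE, CLASS, TTL, RDLENGTH, then RDATA
    return flags & 0xF, has_opt

def classify(plain, edns):
    """Verdict from the replies to the plain and the EDNS query; None stands for a UDP timeout."""
    if plain is None or edns is None:  # silence on EDNS only is the Flag Day case: no more fallback retry
        return "unreachable" if plain is None else "timeout-on-edns"
    rcode, has_opt = parse_response(edns)
    return "edns-ok" if rcode == 0 and has_opt else "no-edns"  # FORMERR/NOTIMP, or no OPT echoed back

def probe(server, name, timeout=3.0):
    """Send the plain and then the EDNS query to `server` over UDP and classify (needs network access)."""
    replies = []
    for edns in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(build_query(name, edns=edns), (server, 53))
                replies.append(s.recv(4096))
            except socket.timeout:
                replies.append(None)
    return classify(*replies)
```

Run `probe("<your authoritative server IP>", "<your domain>")` against each name server of a zone; a "timeout-on-edns" verdict is the situation the article warns about, often caused by a firewall dropping packets with an OPT record.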

Of course, our team is at your disposal for any question.