Slashdot Mirror

← Back to Stories (view on slashdot.org)

Are You Ready For DNS Flag Day? (dnsflagday.net)

Posted by EditorDavid on from the day-before-Groundhog-Day dept.

Long-time Slashdot reader syn3rg quotes the DNS Flag Day page: The current DNS is unnecessarily slow and suffers from inability to deploy new features. To remediate these problems, vendors of DNS software and also big public DNS providers are going to remove certain workarounds on February 1st, 2019.

This change affects only sites which operate software which is not following published standards. Are you affected?
The site includes a form where site owners can test their domain -- it supplies a helpful technical report about any issues encountered -- as well as suggestions for operators of DNS servers and DNS resolvers, researchers, and DNS software developers. The Internet Systems Consortium blog also has a list of the event's supporters, which include Google, Facebook, Cisco, and Cloudflare, along with some history. "Extension Mechanisms for DNS were specified in 1999, with a minor update in 2013, establishing the 'rules of the road' for responding to queries with EDNS options or flags. Despite this, some implementations continue to violate the rules.

"DNS software developers have tried to solve the problems with the interoperability of the DNS protocol and especially its EDNS extension by various workarounds for non-standard behaviors... These workarounds excessively complicate DNS software and are now also negatively impacting the DNS as a whole. The most obvious problems caused by these workarounds are slower responses to DNS queries and the difficulty of deploying new DNS protocol features. Some of these new features (e.g. DNS Cookies) would help reduce DDoS attacks based on DNS protocol abuse....

"Our goal is a reliable and properly functioning DNS that cannot be easily attacked."

20 of 145 comments (clear)

  1. Long Overdue by Anonymous Coward · · Score: 1

    Carry on...

    1. Re: Long Overdue by Cutterman · · Score: 1

      My HOSTS files are pretty large.
      Helps me avoid all sorts of trash and malware.

      Mac

    2. Re: Long Overdue by godel_56 · · Score: 1

      My HOSTS files are pretty large. Helps me avoid all sorts of trash and malware.

      Mac

      So why are you still on Slashdot?

    3. Re: Long Overdue by Cutterman · · Score: 1

      Good question

  2. Ok, I'll sorta survive by bobstreo · · Score: 1

    Unfortunately, I don't host the DNS for most of my stuff.

    Hopefully the dynamic DNS hosting service I use will update their software at some point.

    1. Re:Ok, I'll sorta survive by 93+Escort+Wagon · · Score: 2

      Well, based on the linked site... it seems eerily like scaremonging.

      They list one possibility is indeed “may not work”, but that’s alongside “slower than it should be”. But they say current DNS is already slower than it should be, so reading between the lines I’m going to guess that just about no one is actually going to see anything change.

      --
      #DeleteChrome
    2. Re:Ok, I'll sorta survive by gmack · · Score: 3, Informative

      Not necessarily. One of the current workarounds is to detect that something failed and disable the extended features. If they stop doing that, then certain requests will simply fail. I can name a few firewall vendors that still don't allow DNS packets large enough to allow EDNS by default.

    3. Re: Ok, I'll sorta survive by gmack · · Score: 1

      So this is less a worry about what my webhosting provider is going to do, and more what my corporate firewalls are going to fail on.

      Correct. Webhosting providers have users who spazz on them when anything is slow. Corporate IT just don't have the same motivation. Mind you, I don't doubt for a moment that some corporate websites will also be affected. The number of big name corps with bad firewall configs on their public hosted side is frightening.

  3. Let's do our part by Anonymous Coward · · Score: 2, Interesting

    I'm doing my part by reducing the load on DNS servers. Block ads and put the worthwhile sites like your bookmarks and frequent sites into your hosts file or cache.

    By the way, I went to the site of my local car dealer today to set up an appointment for service. Thirty two sites tried to run scripts. The site worked with only 3 allowed.

  4. Whatever happened to DNS over DNS? by WoodstockJeff · · Score: 5, Funny

    Skimming over the links provided, it seems that the main problem is that DNS protocol isn't being used just for DNS. And if you're running a DNS resolver that just understands how to return IPs for host names, you're an impediment to the ultimate goal, to be able to implement emacs over DNS.

  5. roperly functioning DNS? by Anonymous Coward · · Score: 1

    Sorry, can't have that unless everybody does their own caching and we get rid of for profit registrars.But really we need something completely different. Something that no authority of any kind can control. We need to cut our tether to the ISP, so no government can control access.

    1. Re:roperly functioning DNS? by jaredmauch · · Score: 1

      This isn't related to that at all, it's not about the registrar and registry system. (You can thank ICANN for that). This is about software that has to workaround several types of bugs or legacy behavior. Imagine if your web browser still had to parse those gopher:// links

    2. Re:roperly functioning DNS? by jpaine619 · · Score: 4, Insightful

      You're an idiot. May I suggest you learn about the Tragedy of the Commons? There always has to be an authority.. Doesn't have to be government, doesn't have to be private, but it has to be SOMETHING. Else, how the fuck do you decide who owns blah.com? Fuck you and your anarchy.

      Every aspect of life is filled with authority.. Why the hell do you think the internet would function without any?

      Cut your tether to the ISP? You think you're going to splice into fiber on your own, provision yourself some IP address that doesn't conflict with anyone else, and then what?

      $5 says you're a liberal. Only you people can come up with these delusions..

    3. Re:roperly functioning DNS? by jpaine619 · · Score: 1

      Hahaha. You're an idiot.. All of nature is filled with authority.. I was quite clear that it didn't have to be governmental.. But there has to be someone who decides.. How do I know this? Well, I gave you a clue.. Tragedy of the Commons..

      Your insane system (anarchy) has been tried before.. Over and over and over.. It has failed 100% of the time.

      Pure democracy fails... 100% of the time...

      You're as delusional as the socialists. There is no successful socialist state on Earth. Don't you dare cite the Nordic countries either.. They're high-tax capitalism.. Quite different than socialism.

  6. Re:Just asking for a DDOS by jaredmauch · · Score: 1

    This isn't related to that, there's features like EDNS cookies just like you have TCP cookies to help prevent DDoS and other things. It's fine if you don't upgrade, but what will happen is you may not work as the DNS industry is doing the same thing as IPv6 day and IPv6 launch and standing together saying "we are removing all the workarounds for non-standards compliant and buggy servers".

  7. Actually DNSSEC is part of this by raymorris · · Score: 2

    Actually this is about DNS extensions, or EDNS. Guess what the original DNS extension was? You got it, DNSSEC. Guess what DNSSEC does? Yep, it prevents a man-in-the-middle altering DNS responses, which in turn makes further MITM more difficult.

  8. Assertions and no information. by shess · · Score: 1

    AFAICT, this posting and the linked articles are just a collection of assertions about how bad things are and how important this work is, with no actual information about how bad things are and how important this work is. In my experience when someone runs around saying things like this, it actually means that it's NOT that bad, and it's NOT that important, and they're just trying to scare people into moving in whatever direction they haven't been able to convince them to move in using actual data.

  9. Fake news... by jtara · · Score: 1

    ... is what could result, because cnn.com is not compliant.

    Testing completed:
    cnn.com: Minor problems detected!

    This domain is going to work after the 2019 DNS flag day BUT it does not support the latest DNS standards. As a consequence this domain cannot support the latest security features and might be an easier target for network attackers than necessary, and might face other issues later on. We recommend your domain administrator to fix issues listed in the following
    technical report https://ednscomp.isc.org/ednsc...

    https://ednscomp.isc.org/ednsc...

  10. workarounds? by humankind · · Score: 1

    I'm curious what features are being added/removed?

    One thing I'd like to see in a formal DNS configuration, is the ability to map an A record to a CNAME alias.

    I know that some of the top level hosting companies like Cloudflare, have their own hacked DNS that adds that functionality so they can perform load balancing. In turn, they often demand complete control of the nameservers for domains they host, which I don't think is a good idea. Hopefully these changes will address this situation?

    1. Re:workarounds? by jaredmauch · · Score: 1

      What you're asking for is what's known as an APEX CNAME. Some DNS providers provide this sort of faux support (I think Cloudflare and Route53 do this) via some wizardry. There is an active discussion in the DNSOP WG at the IETF about this. Come join the madness!