Slashdot Mirror
Are You Ready For DNS Flag Day? (dnsflagday.net)
Long-time Slashdot reader syn3rg quotes the DNS Flag Day page:
The current DNS is unnecessarily slow and suffers from inability to deploy new features. To remediate these problems, vendors of DNS software and also big public DNS providers are going to remove certain workarounds on February 1st, 2019.
This change affects only sites which operate software which is not following published standards. Are you affected?
The site includes a form where site owners can test their domain -- it supplies a helpful technical report about any issues encountered -- as well as suggestions for operators of DNS servers and DNS resolvers, researchers, and DNS software developers. The Internet Systems Consortium blog also has a list of the event's supporters, which include Google, Facebook, Cisco, and Cloudflare, along with some history. "Extension Mechanisms for DNS were specified in 1999, with a minor update in 2013, establishing the 'rules of the road' for responding to queries with EDNS options or flags. Despite this, some implementations continue to violate the rules.
"DNS software developers have tried to solve the problems with the interoperability of the DNS protocol and especially its EDNS extension by various workarounds for non-standard behaviors... These workarounds excessively complicate DNS software and are now also negatively impacting the DNS as a whole. The most obvious problems caused by these workarounds are slower responses to DNS queries and the difficulty of deploying new DNS protocol features. Some of these new features (e.g. DNS Cookies) would help reduce DDoS attacks based on DNS protocol abuse....
"Our goal is a reliable and properly functioning DNS that cannot be easily attacked."
This change affects only sites which operate software which is not following published standards. Are you affected?
The site includes a form where site owners can test their domain -- it supplies a helpful technical report about any issues encountered -- as well as suggestions for operators of DNS servers and DNS resolvers, researchers, and DNS software developers. The Internet Systems Consortium blog also has a list of the event's supporters, which include Google, Facebook, Cisco, and Cloudflare, along with some history. "Extension Mechanisms for DNS were specified in 1999, with a minor update in 2013, establishing the 'rules of the road' for responding to queries with EDNS options or flags. Despite this, some implementations continue to violate the rules.
"DNS software developers have tried to solve the problems with the interoperability of the DNS protocol and especially its EDNS extension by various workarounds for non-standard behaviors... These workarounds excessively complicate DNS software and are now also negatively impacting the DNS as a whole. The most obvious problems caused by these workarounds are slower responses to DNS queries and the difficulty of deploying new DNS protocol features. Some of these new features (e.g. DNS Cookies) would help reduce DDoS attacks based on DNS protocol abuse....
"Our goal is a reliable and properly functioning DNS that cannot be easily attacked."
Well, based on the linked site... it seems eerily like scaremonging.
They list one possibility is indeed “may not work”, but that’s alongside “slower than it should be”. But they say current DNS is already slower than it should be, so reading between the lines I’m going to guess that just about no one is actually going to see anything change.
#DeleteChrome
I'm doing my part by reducing the load on DNS servers. Block ads and put the worthwhile sites like your bookmarks and frequent sites into your hosts file or cache.
By the way, I went to the site of my local car dealer today to set up an appointment for service. Thirty two sites tried to run scripts. The site worked with only 3 allowed.
Skimming over the links provided, it seems that the main problem is that DNS protocol isn't being used just for DNS. And if you're running a DNS resolver that just understands how to return IPs for host names, you're an impediment to the ultimate goal, to be able to implement emacs over DNS.
Not necessarily. One of the current workarounds is to detect that something failed and disable the extended features. If they stop doing that, then certain requests will simply fail. I can name a few firewall vendors that still don't allow DNS packets large enough to allow EDNS by default.
Actually this is about DNS extensions, or EDNS. Guess what the original DNS extension was? You got it, DNSSEC. Guess what DNSSEC does? Yep, it prevents a man-in-the-middle altering DNS responses, which in turn makes further MITM more difficult.
You're an idiot. May I suggest you learn about the Tragedy of the Commons? There always has to be an authority.. Doesn't have to be government, doesn't have to be private, but it has to be SOMETHING. Else, how the fuck do you decide who owns blah.com? Fuck you and your anarchy.
Every aspect of life is filled with authority.. Why the hell do you think the internet would function without any?
Cut your tether to the ISP? You think you're going to splice into fiber on your own, provision yourself some IP address that doesn't conflict with anyone else, and then what?
$5 says you're a liberal. Only you people can come up with these delusions..