[lacnog] DNS Providers to Cease Implementing DNS Resolver Workarounds
Alexander Miranda
alex at telefonicadelmar.cl
Fri Feb 1 13:28:52 -02 2019
🤪
On Fri, 1 Feb 2019 at 10:52, Lucimara Desiderá <lucimara at cert.br> wrote:
>
> https://www.securityweek.com/dns-providers-cease-implementing-dns-resolver-workarounds
>
> DNS Providers to Cease Implementing DNS Resolver Workarounds
> By Ionut Arghire on January 30, 2019
>
> Starting on February 1, 2019, a number of DNS software and service
> providers will cease implementing DNS resolver workarounds for systems
> that don’t follow the Extensions to DNS (EDNS) protocol.
>
> Intended for DNS Flag Day, the switch should solve two major problems
> DNS has at the moment due to these workarounds: slower responses to DNS
> queries and the difficulty of deploying new DNS protocol features such
> as improved distributed denial of service protections.
>
> Although the Extension Mechanisms for DNS were specified in 1999 to
> establish rules for responding to queries with EDNS options or flags,
> some implementations continue to violate the rules. To address
> interoperability issues, DNS software developers implemented workarounds
> for non-standard behaviors.
>
> “These workarounds excessively complicate DNS software and are now also
> negatively impacting the DNS as a whole,” the Internet Systems
> Consortium (ISC) points out.
>
> To address the problem, some organizations have agreed to update their
> software or systems to cease implementing said workarounds in software
> set to be released around DNS Flag Day. These include ISC (in BIND 9.14
> stable), CZ NIC (in Knot Resolver 3.3.0 – it has stricter EDNS handling
> in all current versions), NLNET Labs (in Unbound 1.8.4, 1.9.0 and
> newer), and PowerDNS (PowerDNS recursor 4.2).
>
> Organizations supporting the initiative include Cisco, CleanBrowsing,
> Cloudflare, Facebook, Google, Quad9, and the aforementioned software
> vendors of DNS software and public DNS providers.
>
> “To ensure further sustainability of the system it is time to end these
> accommodations and remediate the non-compliant systems. This change will
> make most DNS operations slightly more efficient, and also allow
> operators to deploy new functionality, including new mechanisms to
> protect against DDoS attacks,” the initiative’s GitHub page reveals.
>
> This change is expected to have impact on sites operating non-compliant
> software only. Internet users with their own domain names will be
> affected only indirectly and won’t need to take specific action.
>
> “Domains served by DNS servers that are not compliant with the standard
> will not function reliably when queried by resolvers that have been
> updated to the post-Flag Day version, and may become unavailable via
> those updated resolvers,” ISC points out.
>
> Organizations with DNS zones served by non-compliant servers will see
> their online presence slowly degrade or disappear when ISPs and other
> organizations update their resolvers. Organizations switching internal
> DNS resolvers to versions that don’t implement workarounds might
> experience issues with sites and email servers becoming unreachable.
>
> Operators of DNS authoritative systems are advised to check their own
> domain at https://dnsflagday.net/ to ensure they are EDNS-compliant.
> Common issues emerge from firewalls blocking EDNS traffic and old DNS
> servers requiring upgrades.
>
> _______________________________________________
> LACNOG mailing list
> LACNOG en lacnic.net
> https://mail.lacnic.net/mailman/listinfo/lacnog
> Unsubscribe: https://mail.lacnic.net/mailman/options/lacnog
>
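The compliance check the article points authoritative operators to (the dnsflagday.net test) comes down to sending a handful of probe queries and judging each reply against RFC 6891: a plain query must be answered, an EDNS version 0 query must come back with an OPT record and NOERROR, and an EDNS version 1 query must come back as BADVERS carrying a version 0 OPT record. The block below is an added example, not code from the article, the list post or the DNS Flag Day project's own tooling: it builds those probe queries with the Python standard library, parses replies, and classifies them the way the check does. It sends no traffic; the replies it judges are hand-constructed samples for `example.com`, and a `None` reply stands in for the timeout an operator sees when a firewall drops EDNS packets.

```python
"""Build EDNS probe queries and classify authoritative replies (added example;
offline, using constructed sample replies rather than live DNS traffic)."""
import struct

OPT = 41        # OPT pseudo-RR type (RFC 6891)
BADVERS = 16    # extended RCODE a server must return for an unsupported EDNS version


def _encode_name(name):
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(qname, qtype=1, edns_version=None, txid=0x1234, udp_size=4096):
    """Return a wire-format query; edns_version=None means no OPT record at all."""
    arcount = 0 if edns_version is None else 1
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD set
    msg += _encode_name(qname) + struct.pack("!HH", qtype, 1)      # class IN
    if edns_version is not None:
        # OPT: root owner name, TYPE=41, CLASS=UDP payload size,
        # TTL = extended RCODE (8) | version (8) | flags (16), empty RDATA
        ttl = (edns_version & 0xFF) << 16
        msg += b"\x00" + struct.pack("!HHIH", OPT, udp_size, ttl, 0)
    return msg


def _skip_name(msg, off):
    """Advance past a possibly compressed owner name (RFC 1035 section 4.1.4)."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln


def parse_response(msg):
    """Return txid, QR bit, full (extended) RCODE and the OPT record if present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    info = {"txid": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF, "opt": None}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            info["opt"] = {"udp_size": rclass, "ext_rcode": ttl >> 24,
                           "version": (ttl >> 16) & 0xFF}
    if info["opt"]:
        # The 12-bit RCODE is the OPT extended byte above the 4 header bits.
        info["rcode"] |= info["opt"]["ext_rcode"] << 4
    return info


def classify(test, response, txid=0x1234):
    """Judge one reply for the 'dns', 'edns0' or 'edns1' probe; None = no reply."""
    if response is None:
        return "fail: no reply (timeout; a middlebox may be dropping EDNS packets)"
    r = parse_response(response)
    if not r["qr"] or r["txid"] != txid:
        return "fail: reply does not match the query"
    if test == "dns":
        return "ok" if r["rcode"] == 0 else f"fail: rcode {r['rcode']}"
    if test == "edns0":
        if r["rcode"] != 0:
            return f"fail: rcode {r['rcode']} to an EDNS0 query"
        if r["opt"] is None:
            return "fail: OPT record missing (EDNS unsupported or stripped in transit)"
        return "ok"
    if test == "edns1":
        if r["opt"] is None:
            return "fail: OPT record missing"
        if r["rcode"] != BADVERS or r["opt"]["version"] != 0:
            return (f"fail: expected BADVERS with version 0, got rcode "
                    f"{r['rcode']} version {r['opt']['version']}")
        return "ok"
    raise ValueError(f"unknown probe {test!r}")


# Constructed sample replies for an A query on example.com (not captured traffic).
_Q = _encode_name("example.com") + struct.pack("!HH", 1, 1)
_A = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])


def _opt(ttl):
    return b"\x00" + struct.pack("!HHIH", OPT, 1232, ttl, 0)


SAMPLES = {
    "compliant_edns0": struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 1) + _Q + _A + _opt(0),
    "compliant_edns1": struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 0, 0, 1) + _Q + _opt(0x01000000),
    "formerr_no_opt":  struct.pack("!HHHHHH", 0x1234, 0x8401, 1, 0, 0, 0) + _Q,
    "strips_opt":      struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + _Q + _A,
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(f"{name:16} edns0={classify('edns0', reply)!r:60} edns1={classify('edns1', reply)!r}")
    print("no reply         edns0=", classify("edns0", None))
```

Against a live server the same functions would be driven by a UDP socket with a short timeout; the classification logic does not change. The two failure shapes worth recognising are the ones the article names: FORMERR or a reply with the OPT record silently dropped points at old server software, while a timeout only on the EDNS probes (plain DNS still answering) points at a firewall or middlebox discarding packets that carry an OPT record.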