What You Need to Know About DNS Flag Day

You may have seen some news about DNS flag day, which is February 1, 2019. So what is DNS flag day?

DNS flag day is a coordinated change in recursive resolver behavior. Starting on that day, the major vendors of recursive DNS software and the large public resolver operators will stop working around authoritative servers that do not handle EDNS (see below) correctly.

Unless you or your DNS provider is running a very old or misconfigured DNS server of a particular type (authoritative), or a firewall in front of one that drops EDNS queries, you probably have nothing to worry about.

Before we get started, let’s cover the two types of DNS servers that exist on the internet:

Authoritative DNS servers:

Authoritative servers are the DNS servers that are the source of information about one or more domains. These are the servers that you need to update when you want to add or change information about your domain.

Recursive DNS servers:

Recursive servers are the servers that your laptop or other network devices connect to in order to find out information about a domain. The recursive server is not the source of that information, but it knows how to go get it. (Once it finds the right information, it will remember it for a period of time, but that is another topic, covered in our recent blog post on how long DNS updates take.)

Why We Need DNS Flag Day

DNS flag day is about getting operators of old, out-of-date authoritative servers to update their systems. As DNS has evolved, new capabilities have been added to the protocol. One of these is a standard called Extension Mechanisms for DNS (EDNS), which adds an OPT pseudo-record to a query so that the two sides can negotiate larger UDP replies and new options. It was first published in 1999 (RFC 2671, now RFC 6891), almost 20 years ago.

An authoritative server that does not handle EDNS correctly may not respond at all to a query carrying an OPT record. (The standard is clear that a server which does not implement EDNS should still answer, with a FORMERR error, rather than stay silent.) Today, recursive servers wait for such a query to time out and then retry without EDNS. Every lookup of a domain hosted on such a server pays that timeout, which slows resolution for everyone, and the retry logic makes resolvers more complex and stands in the way of newer EDNS-based protections such as DNS Cookies.

On DNS flag day, participating recursive servers will stop applying these workarounds and start treating any authoritative server that does not answer EDNS queries as ‘dead’. Note the distinction: a server that lacks EDNS but answers with FORMERR as the standard requires keeps working; only servers that silently drop EDNS queries (or have a firewall dropping them) are affected. The end result is that any DNS domains hosted by these out-of-date authoritative servers will no longer be resolvable. In other words, the DNS information these old servers contain will no longer be available to the Internet at large.

What You Need to Do

Unless you are operating an authoritative DNS server (or a firewall or load balancer in front of one), you don’t need to do anything. Recursive resolvers pick up the new behavior through their normal software updates.

If you are operating an authoritative DNS server (or if you believe that your DNS provider might be), check whether you will be affected before February 1. You can use the link below to find this out by entering your domain in the “test” box; it queries each of your domain’s authoritative servers with and without EDNS and reports which ones fail. If you are affected, you will need to upgrade your authoritative server to one that supports EDNS, or fix the firewall or load balancer that is dropping EDNS queries, which is a common cause of the same failure.

https://dnsflagday.net/
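The probe below is an added example, not code from the Valimail post or from dnsflagday.net. It does locally what the paragraphs above describe a recursive resolver doing, and what the dnsflagday.net test checks: send one plain query and one EDNS0 query to an authoritative server and classify the reply as dead, broken (answers plain but drops EDNS, the flag day failure), EDNS-capable, or compliant-without-EDNS (FORMERR). The server address, zone name, the 1232-byte advertised UDP size and the sample replies used for offline checking are all assumptions constructed for the example.

```python
"""EDNS compliance probe: plain vs. EDNS0 query against an authoritative server."""
import socket
import struct
import sys
from typing import Optional

TYPE_SOA = 6
TYPE_OPT = 41          # EDNS OPT pseudo-RR (RFC 6891)
RCODE_FORMERR = 1
EDNS_UDP_SIZE = 1232   # advertised UDP payload size; an assumption, not from the post


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels, root-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_SOA, edns: bool = True, qid: int = 0x1234) -> bytes:
    """Build a non-recursive query (RD=0, like a resolver talking to an authority)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    if not edns:
        return header + question
    # OPT: root name, TYPE 41, CLASS carries the UDP payload size,
    # TTL carries extended RCODE/version/flags (all zero), empty RDATA.
    return header + question + b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_SIZE, 0, 0)


def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name at buf[off]."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def has_opt(reply: bytes) -> bool:
    """Walk the question and every RR section looking for an OPT pseudo-RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", reply[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(reply, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(reply, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        if rtype == TYPE_OPT:
            return True
        off += 10 + rdlen
    return False


def classify(plain: Optional[bytes], with_edns: Optional[bytes]) -> str:
    """Map the two replies (None = timeout) to the flag day categories."""
    if plain is None:
        return "dead: no answer even to a plain DNS query"
    if with_edns is None:
        return ("broken: answers plain queries but drops EDNS queries; "
                "resolvers will treat this server as dead after DNS flag day")
    rcode = struct.unpack("!H", with_edns[2:4])[0] & 0x000F
    if has_opt(with_edns):
        return "ok: EDNS supported (OPT record returned)"
    if rcode == RCODE_FORMERR:
        return "ok: no EDNS, but signals it with FORMERR as RFC 6891 requires"
    return "responds but ignores EDNS (no OPT in reply): not dropped on flag day, still worth fixing"


def sample_reply(rcode: int = 0, opt: bool = False, answer: bool = False,
                 qid: int = 0x1234, name: str = "example.com") -> bytes:
    """Constructed reply for offline checks; not a capture from any real server."""
    header = struct.pack("!HHHHHH", qid, 0x8400 | rcode, 1, 1 if answer else 0, 0, 1 if opt else 0)
    body = encode_name(name) + struct.pack("!HH", TYPE_SOA, 1)
    if answer:   # SOA RR whose owner is a compression pointer (0xC00C) to the question name
        rdata = (encode_name("ns1." + name) + encode_name("hostmaster." + name)
                 + struct.pack("!IIIII", 1, 7200, 3600, 1209600, 3600))
        body += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, 1, 3600, len(rdata)) + rdata
    if opt:
        body += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return header + body


def probe(server: str, name: str, timeout: float = 3.0) -> str:
    """Send the plain and the EDNS query over UDP/53 and classify what comes back."""
    def exchange(query: bytes) -> Optional[bytes]:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(query, (server, 53))
                data, _ = sock.recvfrom(4096)
            except OSError:                        # timeout or ICMP unreachable
                return None
        return data if data[:2] == query[:2] else None   # drop replies with a wrong ID

    return classify(exchange(build_query(name, edns=False)),
                    exchange(build_query(name, edns=True)))


if __name__ == "__main__":
    # usage: python3 edns_probe.py <authoritative-server-ip> <zone>
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it against each authoritative server listed for your zone; a “broken” verdict is exactly the case flag day stops tolerating. The same check can be done by hand with `dig +noedns` and then `dig +edns=0` against the server: if the first answers and the second times out, the server (or something in front of it) is dropping EDNS. dnsflagday.net remains the reference test, since it also exercises the EDNS edge cases this probe does not.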

DNS experts believe that the number of servers out there that need to be updated is very small. Remember, this is about catching up to a standard that’s already 20 years old. The vast majority of DNS servers out there, including Valimail’s, are fine just as they are.

Steve Whittle runs customer success at Valimail. He has helped Valimail customers get thousands of domains to DMARC enforcement. He also has worked with hundreds of third-party senders. Prior to joining Valimail, he spent more than 15 years designing and deploying DNS for Enterprises and Service Providers worldwide.