DNS flag day

by bakul » Mon Jan 28, 2019 10:53 pm
See https://dnsflagday.net/

Since Sonic is my secondary DNS I decided to test my DNS service (using the above webpage) and find it has issues, having to do with Sonic DNS not responding fast enough. An email to support about this was responded to a couple days later saying they can't help.

I then tried the same test with sonic.net and it too has the exact same problem. Services such as Azure etc. are fixing this. And so are vendors. As per ISC:

A number of DNS software and service providers have announced that we will all cease implementing DNS resolver workarounds to accommodate DNS authoritative systems that don’t follow the Extensions to DNS (EDNS) protocol. Each vendor has pledged to roll out this change in some version of their software by the ‘Flag Day.’
...
Non-compliant domains may become unavailable
Domains served by DNS servers that are not compliant with the standard will not function reliably when queried by resolvers that have been updated to the post-Flag Day version, and may become unavailable via those updated resolvers.

If your company’s DNS zones are served by non-compliant servers, your online presence will slowly degrade or disappear as ISPs and other organizations update their resolvers. When you update your own internal DNS resolvers to versions that don’t implement workarounds, some sites and email servers may become unreachable.


Flag Day being Feb 1. This problem with Sonic DNS needs to be fixed (which will also fix my secondary DNS issue)....
by Mychael » Tue Jan 29, 2019 9:40 am
I'm not associated with sonic at all but I've just been looking/fixing flag day issues so I thought I'd look at sonic.net. It appears the issue is that one of their DNS's (a.auth-ns.sonic.net.) has an IPv6 address that isn't reachable. The DNS check times out when querying that address. The good news is that the DNS at the associated IPv4 address responds correctly and all the other NS's respond correctly. While that may cause occasional slow DNS lookups when a query times out before trying another NS, there shouldn't be any new issues caused by that come Feb. 1st.

I'm guessing the issues you are seeing with your domain are the same problem. Although without knowing which NS's are used for your secondary servers, that is only a guess.
by bakul » Tue Jan 29, 2019 11:09 am
The only problem I see is with Sonic as a secondary DNS server for my domain -- my primary and another secondary pass the test. I guess I will have to temporarily remove Sonic as a secondary for the time being.

Thanks for looking into this.
by kgc » Tue Jan 29, 2019 1:31 pm
What specific issue are you seeing?
Kelsey Cummings
System Architect, Sonic.net, Inc.
by bakul » Tue Jan 29, 2019 1:39 pm
Type in "sonic.net" in the "test your domain" box in https://dnsflagday.net. Here, I did this for you. Here is the detailed result: https://ednscomp.isc.org/ednscomp/80bc6b3450

I see the same thing for the sonic.net secondary when I test my own domain.
by kgc » Tue Jan 29, 2019 4:17 pm
The v6 issue with a.auth-ns.sonic.net has been resolved https://ednscomp.isc.org/ednscomp/a11210d1c8

Since all of the servers are compliant with existing EDNS there should be no impact or other issues associated with the DNS Flag Day. What our servers do not handle correctly, along with many others, is properly responding to an unknown EDNS version. Since no other version of EDNS exists at this time, this is not exactly an issue despite being non compliant with current RFC's. I hope this will be resolved with a pending major version upgrade for PowerDNS (the software that we use for our authoritative servers.)
Kelsey Cummings
System Architect, Sonic.net, Inc.
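
An added example, not part of the thread or any poster's code: the "unknown EDNS version" case described in the post above, shown at the wire level. RFC 6891 has a responder answer a query whose OPT record carries an unimplemented version with extended RCODE BADVERS (16). The function names are hypothetical, the sample replies are constructed rather than captured, and the version check assumes a responder that implements only EDNS(0).

```python
import struct

OPT = 41        # OPT pseudo-RR type (RFC 6891)
BADVERS = 16    # extended RCODE for an unimplemented EDNS version

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, edns_version, qid=0x1234, payload=1232):
    """SOA query whose OPT record advertises the given EDNS version."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)       # 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", 6, 1)   # QTYPE=SOA, QCLASS=IN
    ttl = edns_version << 16     # OPT TTL: ext-rcode(8) | version(8) | flags(16)
    return header + question + b"\x00" + struct.pack("!HHIH", OPT, payload, ttl, 0)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:     # compression pointer is two bytes
            return off + 2
        off += 1 + n

def edns_reply(msg):
    """Return (full_rcode, edns_version); version is None if no OPT record."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:         # upper 8 bits of the RCODE live in the OPT TTL
            return ((ttl >> 24) << 4) | (flags & 0xF), (ttl >> 16) & 0xFF
    return flags & 0xF, None

def handles_unknown_version(reply):
    """True if the reply is BADVERS with version 0 (EDNS(0)-only responder assumed)."""
    return edns_reply(reply) == (BADVERS, 0)

def constructed_reply(ext_rcode, version):
    """Constructed sample reply (not captured traffic): the query echoed with QR set."""
    q = bytearray(build_query("example.com", 1))
    q[2] |= 0x80                                              # QR = response
    q[-6:-2] = struct.pack("!I", (ext_rcode << 24) | (version << 16))
    return bytes(q)
```

To check a live server, send `build_query(zone, 1)` over UDP port 53 to the authoritative address and pass the received datagram to `handles_unknown_version`.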
by bakul » Tue Jan 29, 2019 5:40 pm
Thanks for fixing this!

As for your remaining problem, supposedly PowerDNS Recursor 4.2.0 complies with stricter EDNS requirements? [Just FYI]
by kgc » Wed Jan 30, 2019 11:33 am
bakul wrote:
Thanks for fixing this!

As for your remaining problem, supposedly PowerDNS Recursor 4.2.0 complies with stricter EDNS requirements? [Just FYI]


Yep, that's my expectation. Sorry about the v6 issue.
Kelsey Cummings
System Architect, Sonic.net, Inc.