DNS Flag Day: Guidance for BlueCat Users

BlueCat is fully prepared for DNS Flag Day. BlueCat DNS Servers (both DNS Integrity and DNS Edge) will continue to function as normal.

Key takeaways

The article explains BlueCat Networks' update regarding DNS Flag Day 2020, a coordinated effort to end EDNS workarounds and require EDNS buffer sizes of 1232 bytes starting October 1, 2020. It outlines that BlueCat's DNS products require no changes or patches and that Customer Care is available for questions, while recommending customers validate their architectures because other DNS servers, firewalls, load balancers, or network conditions may still disrupt DNS query flows. The piece also describes available testing tools (DNS Flag Day tester and ISC tools) and advises validating results carefully—checking network appliances such as F5 and Check Point for configuration issues—to ensure continuity after the changeover.

What does BlueCat say about product changes or patches needed for DNS Flag Day 2020?

BlueCat states that no changes to its products are required to satisfy the DNS Flag Day EDNS buffer size requirement of 1232 bytes and that no patches are needed. Both BlueCat DNS server products (DNS Integrity and DNS Edge) will continue to function normally, and BlueCat provides full compliance from an authoritative DNS perspective. BlueCat also notes that it is keeping recursive-side EDNS workarounds in place for at least one year to continue resolving answers even if third-party DNS systems are not compliant.

What validation and testing does BlueCat recommend before DNS Flag Day?

BlueCat recommends that customers validate their architectures prior to the February 1 changeover to ensure normal operations, using the DNS Flag Day website testing tool to see whether domains are affected. Because the DNS Flag Day tester does not provide diagnostic details, BlueCat points customers to ISC’s more informative tools and guidance, including a downloadable validator and dig-based manual testing. They also advise validating results by sending UDP packets larger than 512 bytes through network routes that include BlueCat DNS servers to help distinguish true EDNS issues from network delays or rate limiting.

What operational issues unrelated to BlueCat products could cause EDNS compliance test failures?

BlueCat highlights that validation tests can surface issues not directly related to DNS servers, such as network delays, rate limiting policies, or intermediate appliances disrupting DNS responses. They specifically recommend checking configurations on network appliances like F5 and Check Point devices, since those vendors have published guidance on addressing potential problems. Because BlueCat cannot guarantee other DNS servers, firewalls, load balancers, or internet paths won’t disrupt DNS query flows, customers should inspect network routes and appliance settings when troubleshooting test failures.

DNS Flag Day 2020 update

DNS Flag Day is taking place on October 1, 2020. The guidance on the DNS Flag Day website states that EDNS buffer size requirements should be 1232 bytes. BlueCat has determined that there are no changes required to its products to satisfy this requirement, and that no patches are needed.

In the meantime, BlueCat Customer Care is available to address any concerns surrounding DNS Flag Day. Feel free to contact us with any questions you might have.

As the features, functionality, and services of DNS continue to grow, the protocol is becoming more complex. While we all reap the benefits of these changes, there is a cost as well. Latency, instability, and development challenges are gradually creeping into the DNS protocol. The DNS community has begun to take notice, and take action. One notable way this is occurring is through the DNS Flag Day initiative.

EDNS and its detractors

Extension mechanisms for DNS (EDNS) were created to mitigate some of these challenges with the DNS protocol. In a nutshell, EDNS adds new capacity to DNS which allows it to support additional functionality.

Up to this point, support for EDNS has not been uniform across service providers and products. Workarounds kept services up and running, but introduced problems of their own. Over time, the technical costs became untenable.

This is why a number of companies which provide DNS software and DNS services are ending support for EDNS workarounds.  The companies designated February 1, 2019 as DNS Flag Day. The website for this campaign includes a test that lets you see whether your domain is affected by these changes.

What BlueCat customers need to know

BlueCat is fully prepared for DNS Flag Day. BlueCat DNS servers (both DNS Integrity and DNS Edge) will continue to function as normal.

On the back-end, BlueCat provides full compliance from an authoritative DNS perspective. BlueCat is not yet removing the workarounds from the recursive perspective. Even if third-party DNS systems that your enterprise relies on are not compliant, BlueCat will continue to resolve the answer. We plan to leave the workarounds in place for at least one year.

Note: BlueCat cannot guarantee that other DNS servers, firewalls and load balancers within your intranet, or the internet, won’t disrupt normal DNS query flows. We strongly suggest that you validate your architectures before February 1 to assure normal operations after the changeover occurs.

The DNS Flag Day website includes a testing tool that lets you see whether a domain is affected by these changes. DNS Flag Day’s EDNS compliance tester does not provide any details to help identify the source of an issue or its potential impact. However, the site links to a more informative ISC page. The specific tool used to run the validation can be downloaded and executed locally, and ISC also provides guidance on running the validation manually with dig.

During numerous validation tests with customers, we found that testing can identify issues that are not directly related to the DNS server. For instance, network delays or rate limiting policies can incorrectly be flagged as EDNS compliance issues. We advise customers to validate the results using UDP packets larger than 512 bytes for network routes that include BlueCat DNS servers.
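The manual dig check that ISC describes, and the larger-than-512-byte UDP validation recommended above, both come down to one thing on the wire: does the responder answer an EDNS(0) query with its own OPT record, and what UDP payload size does it advertise? The following Python script is an added example (not BlueCat's or ISC's tooling) that shows that exchange at the packet level. It builds a query carrying an OPT record with a chosen payload size (1232 bytes, the DNS Flag Day 2020 figure), parses a reply to report whether EDNS was honoured, the advertised size, the RCODE and the TC (truncated) bit, and includes a `query_udp` helper for running it against a resolver you operate. The sample replies are constructed inline for the offline checks, not captured traffic; `example.com` and the 192.0.2.1 address are placeholders from the documentation ranges.

```python
import socket
import struct

OPT_TYPE = 41            # EDNS(0) OPT pseudo-RR type (RFC 6891)
FLAG_DAY_BUFSIZE = 1232  # UDP payload size called for by DNS Flag Day 2020


def _encode_name(qname: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in the root label."""
    labels = [lbl for lbl in qname.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_edns_query(qname: str, bufsize: int = FLAG_DAY_BUFSIZE, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a recursive query for `qname` with an OPT RR advertising `bufsize`.

    Wire equivalent of `dig +edns=0 +bufsize=<bufsize> <qname>`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner name, TYPE=41, CLASS field carries the UDP payload size,
    # TTL field carries extended RCODE / EDNS version / flags (all zero), empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, 0, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def parse_edns_response(msg: bytes) -> dict:
    """Extract the fields that matter for an EDNS compliance check from a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"txid": txid, "rcode": flags & 0xF, "truncated": bool(flags & 0x0200),
              "edns": False, "bufsize": None, "version": None}
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            result["edns"] = True
            result["bufsize"] = rclass          # responder's advertised UDP payload size
            result["version"] = (ttl >> 16) & 0xFF
        off += rdlen
    return result


def summarize(result: dict) -> str:
    """Turn parsed fields into the verdict an operator wants from a validation run."""
    if result["edns"]:
        verdict = f"EDNS OK: responder advertises UDP payload size {result['bufsize']}"
        if result["truncated"]:
            verdict += "; reply truncated (TC set), client would retry over TCP"
        return verdict
    if result["rcode"] == 1:
        return "FORMERR to an EDNS query: responder appears EDNS-unaware"
    return "no OPT record in reply: EDNS ignored by responder or stripped on the path (check firewalls/load balancers)"


def build_sample_response(bufsize=None, truncated=False, rcode=0, txid=0x1234) -> bytes:
    """Constructed sample reply for example.com/A (not captured traffic) to exercise the parser."""
    flags = 0x8180 | rcode | (0x0200 if truncated else 0)   # QR, RD, RA set
    ancount = 1 if rcode == 0 else 0
    arcount = 1 if bufsize is not None else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, arcount)
    question = _encode_name("example.com") + struct.pack("!HH", 1, 1)
    # Answer owner name is a compression pointer to offset 12 (the question name).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]) if ancount else b""
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, 0, 0) if bufsize is not None else b""
    return header + question + answer + opt


def query_udp(server: str, qname: str, bufsize: int = FLAG_DAY_BUFSIZE, timeout: float = 3.0) -> dict:
    """Send the EDNS query over UDP/53 and parse the reply (needs network; unused by the offline checks)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_edns_query(qname, bufsize), (server, 53))
        data, _ = sock.recvfrom(max(bufsize, 512))
    return parse_edns_response(data)


if __name__ == "__main__":
    for reply in (build_sample_response(bufsize=1232),
                  build_sample_response(bufsize=4096, truncated=True),
                  build_sample_response(rcode=1)):
        print(summarize(parse_edns_response(reply)))
```

A responder that returns its own OPT record is EDNS-aware; a reply with no OPT record on a path that includes an appliance is the case the article warns about, since the query may have been answered correctly by the server and then had EDNS stripped or dropped in transit. Running `query_udp` once with the default 1232-byte size and once with a size above 512 against the same server, and comparing the two verdicts, separates a server-side EDNS problem from a network-path one.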

This ISC blog has additional recommendations which can help administrators identify the source of potential issues. In particular, we recommend checking the configurations of network appliances such as F5 and Check Point products. Both have published articles with guidance (F5 here, Check Point here) on how to address potential concerns.



BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.
