DNS Flag Day: Guidance for BlueCat Users

BlueCat is fully prepared for DNS Flag Day. BlueCat DNS Servers (both DNS Integrity and DNS Edge) will continue to function as normal.

DNS Flag Day 2020 update

DNS Flag Day is taking place on October 1, 2020. The guidance on the DNS Flag Day website states that the EDNS buffer size should be set to 1232 bytes. BlueCat has determined that no changes to its products are required to satisfy this requirement, and that no patches are needed.

In the meantime, BlueCat Customer Care is available to address any concerns surrounding DNS Flag Day.  Feel free to contact us with any questions you might have.

As the features, functionality, and services of DNS continue to grow, the protocol is becoming more complex.  While we all reap the benefits of these changes, there is a cost as well.  Latency, instability, and development challenges are gradually creeping into the DNS protocol. The DNS community has begun to take notice, and take action. One notable way this is occurring is through the DNS Flag Day initiative.

EDNS and its detractors

Extension mechanisms for DNS (EDNS) were created to mitigate some of these challenges with the DNS protocol.  In a nutshell, EDNS adds new capacity to DNS which allows it to support additional functionality.

Up to this point, support for EDNS has not been uniform across service providers and products.  Workarounds kept services up and running, but introduced problems of their own.  Over time, the technical costs became untenable.

This is why a number of companies that provide DNS software and DNS services are ending support for EDNS workarounds.  These companies designated February 1, 2019 as DNS Flag Day. The website for this campaign includes a test that lets you see whether your domain is affected by these changes.

What BlueCat customers need to know


On the back end, BlueCat provides full compliance from an authoritative DNS perspective. BlueCat is not yet removing the workarounds from the recursive perspective: even if third-party DNS systems that your enterprise relies on are not compliant, BlueCat will continue to resolve the answer. We plan to leave the workarounds in place for at least one year.

Note: BlueCat cannot guarantee that other DNS servers, firewalls, and load balancers within your intranet or on the internet won’t disrupt normal DNS query flows.  We strongly suggest that you validate your architectures before February 1 to ensure normal operations after the changeover occurs.

The DNS Flag Day website includes a testing tool that lets you see whether a domain is affected by these changes.  DNS Flag Day’s EDNS compliance tester does not provide details that help identify the source of an issue or its potential impact. However, the site links to a more informative ISC page.  The specific tool used to run the validation can be downloaded and executed locally, and ISC also provides guidance on running the validation manually with dig.

During numerous validation tests with customers, we found that testing can identify issues that are not directly related to the DNS server.  For instance, network delays or rate limiting policies can incorrectly be flagged as EDNS compliance issues. We advise customers to validate the results using UDP packets larger than 512 bytes for network routes that include BlueCat DNS servers.
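The manual dig-style validation and the larger-than-512-byte UDP check described above, as an added example that is not BlueCat's or ISC's tooling: a small Python script that builds a DNS query carrying an EDNS0 OPT record (advertising the 1232-byte size from the 2020 guidance), sends it over UDP, and reports the fields a compliance check looks at (RCODE, TC bit, whether the responder returned its own OPT record and what UDP size it advertises). The server and name passed to `check_edns` are placeholders you supply; the embedded reply is constructed, not captured.

```python
import socket
import struct

def build_edns_query(name, qtype=1, bufsize=1232, txid=0x1234):
    """DNS query carrying one EDNS0 OPT pseudo-RR that advertises `bufsize` (RFC 6891)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional (OPT)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE/version/DO bit, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(msg, off):
    """Advance past a wire-format name; a 0xC0.. compression pointer (RFC 1035 4.1.4) is two bytes."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_edns_response(msg):
    """Fields an EDNS compliance check looks at: RCODE (with extended bits), TC bit, OPT present, UDP size."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"txid": txid, "rcode": flags & 0x0F, "tc": bool(flags & 0x0200), "opt": False, "udp_size": None}
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:                         # OPT: CLASS is the responder's UDP size, top TTL byte the extended RCODE
            info.update(opt=True, udp_size=rclass, rcode=info["rcode"] | ((ttl >> 24) << 4))
    return info

def check_edns(server, name, bufsize=1232, timeout=3.0):
    """Send the EDNS query over UDP/53 and parse the reply; a timeout is the failure DNS Flag Day targets."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(name, bufsize=bufsize), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"timeout": True}
    return parse_edns_response(data)

# Constructed reply (not a real capture): NOERROR, one A record (RFC 5737 address 192.0.2.1), OPT echoing UDP size 1232.
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
                + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
                + b"\x00" + struct.pack("!HHIH", 41, 1232, 0, 0))
```

A reply with `opt` missing or a timeout on the EDNS query but a normal answer to a plain query points at a non-compliant server or a middlebox dropping EDNS; retrying with `bufsize=4096` versus `1232` separates path-MTU and fragmentation drops from EDNS handling itself.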

This ISC blog has additional recommendations that can help administrators identify the source of potential issues.  In particular, we recommend checking the configurations of network appliances such as F5 and Checkpoint products. Both vendors have published articles with guidance on how to address potential concerns.


BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.
