EDNS, short for Extension Mechanisms for DNS, is an extension to the DNS protocol, defined in RFC 6891, for the exchange of additional information between clients (resolvers) and servers. It works by adding an OPT pseudo-record to a DNS message; among other things, that record lets the two sides use UDP messages larger than the original 512-byte limit and carry extra flags and options. Although EDNS has various functions, its primary purpose was originally to enable support for DNSSEC, which provides cryptographic security for the DNS infrastructure: signed responses rarely fit into 512 bytes, and the DO bit with which a resolver asks for them lives in the OPT record.
EDNS was intended to be backward compatible, meaning that it shouldn't have any adverse impact on older servers that don't support it, i.e. know nothing about it: such a server is expected to answer anyway, either with a FORMERR or with a plain response that simply omits the OPT record. In practice, however, so many servers turned out to be unable to work with EDNS, typically by not answering a query that carries an OPT record at all, that resolver software developers felt obliged to add all sorts of workarounds to their code (waiting for a timeout and then retrying without EDNS, for instance) to enable clients and servers to continue communicating with one another. An EDNS-compliant server is therefore one that either supports the EDNS extension or reacts to it in accordance with the specification.
DNS Flag Day
DNS Flag Day marks the end of the policy of tolerating and accommodating non-compliance. "It's now twenty years since EDNS came in," says Peter van Dijk, Senior Engineer at PowerDNS: the company that makes the Authoritative Server and Recursor software of the same name, and one of the organisers of DNS Flag Day. "The workarounds have a major impact on the performance of our resolver," he adds. The situation is aggravated by the fact that the DNS is much more complex than it used to be. That makes software development and maintenance more difficult, with knock-on implications for the stability of the infrastructure and the diversity of the ecosystem.
"Nearly a quarter of our code is there to facilitate workarounds and corner cases," confirms Benno Overeinder, CEO of NLnet Labs, responsible for the development of the Unbound resolver. "The flag day opens the way for us to clean up our DNS software and make sure it stays maintainable."
Other software developers supporting DNS Flag Day are ISC (BIND) and CZ.NIC (Knot). Both organisations have agreed to bring out at least one strict version of their software on 1 February or soon after. The first strict releases of the various programs are as follows:
- BIND 9.13.3 (development) and 9.14.0 (production)
- Knot Resolver (all recent versions)
- PowerDNS Recursor 4.2.0
- Unbound 1.9.0
DNS Flag Day is also backed by the main providers of public DNS services: Cisco (OpenDNS), Cloudflare (1.1.1.1), Google (Public DNS), Quad9 (9.9.9.9) and CleanBrowsing. Consequently, users who can't reach certain domain names after 1 February won't be able to get around the problem by switching to a public DNS service. Industry-wide support for the Flag Day is expected to put irresistible pressure on DNS server operators to comply with EDNS.
Nevertheless, defective DNS servers won't become unreachable immediately after 1 February. The strict resolver versions first have to be released and then rolled out by ISPs and the other operators of resolvers, and given the scale at which those providers operate, that is likely to take some time.
Listing all the DNS servers and versions that'll be affected by the change is well-nigh impossible: the landscape is far too complex. For example, problems may be caused not by the name server itself but by an intermediate firewall or load balancer that mishandles queries carrying an OPT record. However, PowerDNS anticipates issues mainly for old, proprietary systems.
Work by SIDN Labs suggests that, out of the entire portfolio of 5.8 million .nl domains, about 11,500 (0.2 per cent) are liable to be affected. Research Engineer Moritz Müller believes that the vast majority of the domains in question are parked. Of the .nl domain names in the Alexa top million, only fifteen are at risk.
"We'll be proactively approaching the operators of high-profile domain names this week," says Müller. "Here at SIDN Labs, we'll also be checking to see whether any particular registrars and operators have large numbers of domain names that are likely to be hit. If so, we'll get in touch with them as well."
Test your name server
It's therefore important that domain name servers are tested for EDNS compliance very soon. To do that, a registrant or operator can visit the DNS Flag Day homepage and use ISC's EDNS Compliance Tester to check their domain name (or, more precisely, its name server). The tool that the on-line tester is based on, ednscomp, is also available as open-source software. CZ.NIC's EDNS Zone Scanner can be used for bulk testing of domains.
If the test results show that your domain is on a non-compliant DNS server, you need to contact the operator urgently. If the relevant system isn't brought into compliance by 1 February, there's a risk that your domain name will, in the long term, become unreachable for many internet users.