Google Public DNS participation in DNS Flag Day


Alex Dupuy

Jan 27, 2019, 10:39:45 PM
to public-dns-announce

This coming Friday, February 1, 2019, is the first ever DNS Flag Day, a global initiative to promote EDNS (Extension Mechanisms for DNS). EDNS allows larger UDP responses and is necessary for DNSSEC (DNS Security Extensions). DNS Flag Day participants are going to remove workarounds for DNS servers that silently drop EDNS queries and break the DNS protocol. The workarounds for such broken servers reduce EDNS use with servers that do support EDNS.


On DNS Flag Day, open source DNS software vendors are releasing updates without these workarounds. At the same time, public DNS resolvers like Google Public DNS are also removing these workarounds from their services. Removing the workarounds may make a small number of domains with these broken name servers unreachable for some users.


Google Public DNS is running limited tests without the workarounds, and on February 1, removing them in selected locations. We’ll post a follow-up here with specifics when that happens. Removing them everywhere should be complete in a week or two if there are no major problems. For domains queried through Google Public DNS more than a thousand times a day, less than a dozen might break when removing the workarounds. If your domain breaks, you can report it on our issue tracker and check the dnsflagday.net website for technical advice.


You can check the impact of DNS Flag Day changes with the ISC EDNS Compliance Tester. Enter your domain (without www or any other subdomain) into the Zone Name field and click the Submit button. If DNS Flag Day changes could break your domain, it shows edns=timeout, like this:


flagday.rootcanary.net. @68.183.9.91 (ams3.do.rootcanary.net.): dns=ok edns=timeout edns1=timeout edns@512=timeout ednsopt=timeout edns1opt=timeout do=timeout ednsflags=timeout docookie=timeout edns512tcp=eof optlist=timeout


The best results are =ok for all tests (like this example), but as long as a domain's name servers don't have edns=timeout, they will still work after DNS Flag Day. This minimal level of EDNS support has delays when DNS resolvers sending EDNS have to resend queries without EDNS. For this reason we strongly recommend working to get to full EDNS compliance (all tests =ok) to prevent other problems in the future.
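As an added illustration (not code from this announcement, from Google Public DNS or from ISC's tester): a small Python probe that sends the same A query to a name server twice, once plain and once with an EDNS OPT record, and labels the outcome the way the tester's dns=/edns= columns do. It assumes plain UDP on port 53; the function names are hypothetical and the "noopt" label is assumed from the tester's vocabulary.

```python
import socket, struct

def build_query(qname, txid=0x1234, edns=False):  # A/IN query; OPT RR appended when edns=True
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set, ARCOUNT
    pkt += b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    pkt += b"\x00" + struct.pack("!HH", 1, 1)  # end of QNAME, QTYPE=A, QCLASS=IN
    if edns:  # OPT RR (RFC 6891): root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return pkt

def _skip_name(buf, off):  # offset just past a (possibly compressed) domain name
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def has_opt(response):  # True if any RR is an OPT record, i.e. the server honoured EDNS
    if response is None or len(response) < 12:
        return False
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(response, off) + 4  # skip QTYPE/QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        if rtype == 41:
            return True
        off += 10 + rdlen
    return False

def classify(plain, with_edns):  # (plain reply, EDNS reply) -> the tester's dns=/edns= labels
    # None = nothing came back before the timeout; "noopt" (assumed label) = replied without OPT
    dns = "timeout" if plain is None else "ok"
    edns = "timeout" if with_edns is None else ("ok" if has_opt(with_edns) else "noopt")
    return dns, edns

def probe(server, qname, timeout=3.0):  # live check over UDP/53; needs network access
    def ask(edns):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(qname, edns=edns), (server, 53))
            try:
                return sock.recv(4096)
            except socket.timeout:
                return None  # the silent drop that shows up as edns=timeout
    return classify(ask(False), ask(True))
```

A dns=ok, edns=timeout result from probe() against one of your authoritative servers is the pattern the tester reports above; a server that answers but drops the OPT record still works after Flag Day, only with the retry delay described next.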


Alex Dupuy

Feb 1, 2019, 12:23:15 PM
to public-dns-announce

We have removed the workarounds for some of our resolvers throughout the world, and starting on Monday we will continue to remove the workarounds from more resolvers, until we have removed the workarounds for all our resolvers. We will post another update when that is complete.


Name servers that do not support EDNS, but send an error response of almost any kind (NXDOMAIN is not included) are still supported, and Google Public DNS will stop sending them EDNS, if non-EDNS versions of the same queries get successful responses.

