This is archive version of page describing event which ended in February 2019. Information relevant for today can be found on main page dnsflagday.net.
What is happening?
The current DNS is unnecessarily slow and inefficient because of efforts to accommodate a few DNS systems that are not in compliance with DNS standards established two decades ago.
To ensure further sustainability of the system it is time to end these accommodations and remediate the non-compliant systems. This change will make most DNS operations slightly more efficient, and also allow operators to deploy new functionality, including new mechanisms to protect against DDoS attacks.
DNS software and service providers listed on this site have agreed to coordinate removing accommodations for non-compliant DNS implementations from their software or services, on or around February 1st 2019. This change will affect only sites operating non-compliant software.
For more information select the group you belong to:
- I’m an Internet user, without my own domain
- I’m a domain holder
- I’m a DNS administrator
- I’m a DNS expert (DNS software developer, research, etc.)
I’m an Internet user
There is no reason to worry if you are an Internet user without your own domain name. This change is affecting you only indirectly and you do not need to take any other steps. Thank you for your interest in DNS!
I’m a domain holder
If you are a domain holder, please use the form below to check if your domain is ready for the planned change. Your test result will include advice on any further steps that may be necessary.
Please note it is only necessary to validate one zone if you have multiple zones on the same server or cluster of servers. See technical details of tests for more information.
I’m a DNS administrator
The impact of the scheduled change to the client side of DNS is described in the section for DNS resolver operators. A small percentage of authoritative servers might require changes described below. Further down we list technical details of tests and tools for experts.
DNS resolver operators
On or around Feb 1st, 2019, major open source resolver vendors will release updates that will stop accommodating non-standard responses. This change will affect authoritative servers which do not comply either with the original DNS standard from 1987 (RFC1035) or the newer EDNS standards from 1999 (RFC2671 and RFC6891). Major public DNS resolver operators listed below are also removing accommodations so this change will also impact Internet users and providers who use these public DNS services.
Sites hosted on incompatible authoritative servers may become unreachable through updated resolvers. The web form above diagnostic tool may be helpful while investigating problems with a particular domain. Domains which repeatedly fail the test above have problems with either their DNS software or their firewall configuration and cannot be fixed by DNS resolver operators.
The following versions of DNS resolvers will not accommodate EDNS non-compliant responses:
- BIND 9.13.3 (development) and 9.14.0 (production)
- Knot Resolver has already implemented stricter EDNS handling in all current versions
- PowerDNS Recursor 4.2.0
- Unbound 1.9.0
DNS server operators
After February 1st 2019 major public DNS resolver operators listed below will disable work arounds for standards non-compliance. This change will affect domains hosted on authoritative servers which do not comply either with original DNS standard from 1987 (RFC1035) or the newer EDNS standards from 1999 (RFC2671 and RFC6891). Non-compliant domains may become unreachable through these services.
We advise you to take the following preparatory steps to avoid operational problems:
- Test your authoritative servers using test form above. It is sufficient to test a single DNS zone hosted on a particular set of authoritative servers. (If any single zone on the server passes the test, that is sufficient, because the test is not dependant on the content of the zone.)
- Random network instability can affect test results. Part of the problem is in interpreting timeouts, which can be caused by unresponsive DNS software, a firewall blocking the response, or packet loss on the Internet. If a problem is reported please retry the test.
- If the tested domain fails the test, please update your DNS software to the latest stable version and repeat the test. If the tests are failing even after the DNS software update please check your firewall configuration.
- Firewalls must not drop DNS packets with EDNS extensions, including unknown extensions which follow the standards.
Relevant information from vendors can be found here:
- efficient iP
- F5 BIG-IP
- Juniper: Older versions of the Juniper SRX will drop EDNS packets by default. The workaround is to disable DNS doctoring via
# set security alg dns doctoring none. Upgrade to latest versions for EDNS support.
- Microsoft Azure, Microsoft DNS
- Pulse Secure
If the problem persists after DNS software and firewall updates please contact your firewall vendor and request fixes.
Your domain name may include
www.domainname.com; or it may not, e.g.
domainname.com. If you are not sure, we suggest that you test both. Names that are not DNS zones will report that this was the most likely reason for the test failure; this is not a cause for concern.
The test form above uses hosted ednscomp, which is a low-capacity service for ad-hoc checks only. If you need to send bulk queries, you must use tools linked below to run your own test instances. Please do not attempt to automate queries using this web site, an excessive use will be rate-limited or blocked.
Obtaining detailed test results
The test form above uses ednscomp for individual technical tests, and these partial results are summarized into an aggregate result by the web application.
It is also possible to test your DNS servers directly using the tool ednscomp which displays a more detailed technical report. Simply enter the name of a zone hosted on your DNS servers into the
zone name field and click the
The summary result of ednscomp tests should ideally be a green message
Minimal working configuration
The minimal working setup which will allow your domain to survive 2019 DNS flag day must not have a
timeout result in any of the plain DNS and EDNS version 0 tests implemented in the ednscomp tool. Failures of the EDNS(1) tests will not cause any immediate problem.
Please note that this minimal compliance is still not full compliance and will cause other issues sooner or later. For this reason we strongly recommend you to work towards full EDNS compliance (all tests
ok) instead of doing just the minimum.
If there is a problem, the ednscomp tool displays an explanation for each failed test. Failures in these tests are typically caused by:
- broken DNS software
- broken firewall configuration
Firewalls must not drop DNS packets with EDNS extensions, including unknown extensions. Modern DNS software may deploy new extensions (e.g. DNS cookies to protect from DoS attacks). Firewalls which drop DNS packets with such extensions are making the situation worse for everyone, including worsening DoS attacks and inducing higher latency for DNS traffic.
I’m a DNS expert
DNS software developers
The main change is that DNS software from vendors named above will interpret timeouts as sign of a network or server problem. Starting February 1st, 2019 there will be no attempt to disable EDNS in reaction to a DNS query timeout.
This effectively means that all DNS servers which do not respond at all to EDNS queries are going to be treated as dead.
Please test your implementations using the ednscomp tool to make sure that you handle EDNS properly. Source code for the tool is available as well.
It is important to note that EDNS is still not mandatory. If you decide not to support EDNS it is okay as long as your software replies according to EDNS standard section 7.
In other words, software which correctly implements the original DNS standard RFC1035 from 1987 does not require any changes. Only non-compliant software has to be fixed.
Researchers and other parties such as TLD operators might be interested in:
- EDNS compliance statistics generated by EDNS compliance test suite by ISC
- Presentations below
- Tools for mass scanning etc.
- RIPE 77: Will your DNS break in 2019? slides, video
- LOADAYS 2018: Is Your DNS Server Up-To-Date abstract, slides, video
- UKNOF 2019: DNS Flag Day and Beyond presentation
- DNS-OARC 29: A tale of five ccTLDs abstract, slides, video
- DNS-OARC 29: Estimating impact of the (E)DNS flag day abstract, slides, video
- DNS-OARC 28: First announcement abstract, slides, video
Researchers and other parties such as large DNS operators might be interested in:
- ISC EDNS Compliance tester, source code for testing all aspects of EDNS compliance
- EDNS zone scanner for mass scanning and evaluation of real-world impact of the DNS flag day by CZ.NIC
- Testing EDNS Compatibility with dig
Please read the respective methodologies before interpreting the data. In any case, do not hesitate to reach out to tool authors using links above.
- Please file comments regarding this web in dnsflagday repo on GitHub
- Comments regarding test results generated by this web or directly by ednscomp test tool belong to DNS Compliance Testing project in ISC GitLab