Over the past years, various DNS software developers tried to solve interoperability problems with the DNS protocol, and especially with its EDNS extension (the RFC 6891 standard), by adding temporary workarounds that let their software accept various non-standard behaviors. Unfortunately, time has shown that this approach of adding temporary workarounds is not a long-term solution, especially because implementations that did not fully comply with the standards appeared to work, so there was no reason for a permanent fix. The result of these makeshift solutions is their accumulation in DNS software, to the point where there are so many of them that they themselves begin to cause problems. The most obvious problems are slower responses to DNS queries and the impossibility of deploying a new DNS protocol feature called DNS Cookies, which would help reduce DDoS attacks based on DNS protocol abuse.
An important change
To prevent further deterioration of DNS services for their users and operators, we decided, together with a group of DNS software developers, to coordinate the discontinuation of support for some non-standard solutions, that is, for implementations not compliant with the RFC 6891 standard. All new releases of DNS software from CZ.NIC, ISC, NLnetlabs, and PowerDNS after February 1, 2019 will no longer contain code that works around non-compliance with the EDNS standard RFC 6891.
Knot Resolver by CZ.NIC has been standards-compliant from the beginning, and its default configuration does not try to work around incompatibilities caused by non-compliance with these standards. However, it is very important to check your servers to ensure compatibility with software from other standards-compliant developers.
Test your domains and servers
You can test your domains and authoritative DNS servers using the web application https://ednscomp.isc.org/ednscomp/. A test result with the green message “All Ok” indicates that you are already prepared for the changes and do not need to do anything. If the result of the test is anything other than the green message “All Ok”, please update your DNS software. If you are already using the latest version of your server software, please contact its developer and ask for a fix. In this case, we recommend attaching a link to the test result, which contains the technical details, to your message.
Note to DNS software vendors
Please note that full EDNS support (RFC 6891) in DNS software is not mandatory, as all vendors listed above are keeping support for implementations which decided not to implement EDNS, provided they do so in accordance with the current standards. The main change in the protocol implementation is that non-standard behavior will no longer be supported.
If you decide not to support EDNS, it is mandatory to answer queries carrying EDNS correctly in accordance with RFC 6891 section 7, that is, to answer with a valid DNS message containing RCODE=FORMERR. Please follow the RFC mentioned above when implementing this. Thank you!
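As an added illustration (written for this page; it is not code from this post, from the ednscomp service, or from any of the vendors named above), the following Python script shows what the RFC 6891 section 7 behaviour looks like on the wire and how a checker in the spirit of the ednscomp test judges a reply to an EDNS query: a reply with an OPT record is fine, FORMERR without OPT is the correct answer of a server that does not implement EDNS, while a dropped query, an ignored OPT record, or FORMERR with an OPT record is the kind of non-compliance the change above stops working around. It uses only the standard library; the advertised UDP payload size 1232, the name example.com, the transaction id, and all function names are assumptions of this example. `probe()` is the only part that sends traffic; everything else runs on constructed messages.

```python
import socket
import struct

TYPE_OPT = 41
RCODE_NOERROR = 0
RCODE_FORMERR = 1
RCODE_BADVERS = 16    # 12-bit RCODE: low nibble 0 in the header, high bits 1 in the OPT record
EDNS_UDP_SIZE = 1232  # assumed UDP payload size advertised in the probe query

def encode_name(name):
    """Encode a dotted name in uncompressed wire format."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def opt_record(ext_rcode=0, version=0):
    """OPT pseudo-RR: root name, type 41, class = UDP size, TTL = ext-rcode|version|flags, no RDATA."""
    return b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, EDNS_UDP_SIZE, ext_rcode, version, 0, 0)

def build_query(name, qtype=1, edns_version=None, txid=0x1234):
    """Build an A query (qtype 1); with edns_version set, an OPT record goes in the additional section."""
    arcount = 0 if edns_version is None else 1
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set, one question
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_version is not None:
        msg += opt_record(version=edns_version)
    return msg

def build_reply(query, rcode, with_opt, opt_version=0):
    """Model a server reply: echo the question section with the given RCODE, with or without OPT."""
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4
    ext_rcode, low_rcode = rcode >> 4, rcode & 0x0F
    if ext_rcode and not with_opt:
        raise ValueError("extended RCODEs such as BADVERS need an OPT record to carry the high bits")
    header = struct.pack("!HHHHHH", txid, 0x8000 | (flags & 0x0100) | low_rcode, qd, 0, 0, int(with_opt))
    return header + query[12:off] + (opt_record(ext_rcode, opt_version) if with_opt else b"")

def non_edns_formerr_reply(query):
    """RFC 6891 section 7: a responder that does not implement EDNS answers an OPT-bearing
    query with RCODE=FORMERR and must not include an OPT record of its own."""
    return build_reply(query, RCODE_FORMERR, with_opt=False)

def parse_response(msg):
    """Parse the header, skip the question section and pick out the OPT record if present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    opt = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            opt = {"udp_size": rclass, "ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF}
    rcode = flags & 0x0F
    if opt is not None:
        rcode |= opt["ext_rcode"] << 4  # reassemble the full 12-bit RCODE
    return {"txid": txid, "qr": bool(flags & 0x8000), "rcode": rcode, "opt": opt}

def classify(response):
    """Judge the reply to an EDNS query; None stands for a timeout, i.e. the query was dropped."""
    if response is None:
        return "noncompliant: query carrying OPT was dropped (no response)"
    r = parse_response(response)
    if r["opt"] is None:
        if r["rcode"] == RCODE_FORMERR:
            return "compliant: no EDNS support, FORMERR without OPT (section 7)"
        return "noncompliant: OPT ignored, RCODE %d returned without OPT" % r["rcode"]
    if r["rcode"] == RCODE_BADVERS:
        return "compliant: BADVERS, server speaks EDNS version %d (section 6.1.3)" % r["opt"]["version"]
    if r["rcode"] == RCODE_FORMERR:
        return "noncompliant: FORMERR must not carry an OPT record (section 7)"
    return "compliant: EDNS supported, OPT returned (RCODE %d)" % r["rcode"]

def probe(server, name, edns_version=0, timeout=2.0):
    """Send one EDNS query over UDP to a live server and classify the answer (network access needed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, edns_version=edns_version), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            data = None
    return classify(data)

if __name__ == "__main__":
    q = build_query("example.com", edns_version=0)  # constructed query; replies below stand in for real servers
    print(classify(build_reply(q, RCODE_NOERROR, with_opt=True)), classify(non_edns_formerr_reply(q)), sep="\n")
```

Running the script prints the verdicts for two constructed replies; `probe("<your server IP>", "<your zone>")` applies the same judgement to a live authoritative server, with a timeout reported as a dropped query. The checker deliberately reads the RCODE from both the header and the OPT TTL field, because BADVERS (section 6.1.3) only exists as an extended RCODE and a parser that looks at the header alone would mistake it for NOERROR.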
Last but not least
Domains served by DNS servers that, according to the above-mentioned tests, are not compliant with the standard will not function reliably after February 1, 2019, and may become unavailable.
We are aware of the importance of this change and want to inform as many people as possible. We are going to keep drawing attention to this change, which will begin to apply in less than a year. If you are able to spread this information to the people who are in charge of networks and DNS servers, we would be glad if you shared the link to this blog post. Our goal is a reliable and properly functioning DNS that cannot be easily attacked.