[dns-operations] EDNS flag day
petr.spacek at nic.cz
Wed Aug 8 10:02:22 UTC 2018
On 8.8.2018 11:26, Tony Finch wrote:
> Petr Špaček <petr.spacek at nic.cz> wrote:
>> Hopefully these authoritatives will get fixed during https://dnsflagday.net/
> I'm a bit puzzled about how this is going to work.
> I kind of expected that the major resolvers would release code to
> implement the flag day this year, so there is plenty of time for it to be
> widely deployed so that the big event actually happens; but I haven't
> noticed any sign of that. On the other hand the plan might be that
> resolvers released after the flag day would have the workarounds removed,
> but this will create a massive disincentive for resolver operators to
> upgrade because they will be blamed for the breakage not the authoritative
> servers - last thing to change gets the blame.
Future is not written yet, stay tuned ;-)
Speaking of breakage faced by operators ... Maybe almost nobody will
notice. Let's have a look at .CZ:
- about 7.76% of domains is totally broken even *before* the flag day
- flag day adds 0,4% of domains which will break, which is not very much
when compared with breakage we already have.
Typically this new breakage is caused by small number of providers: 60%
of the DNS flag day breakage in .CZ is caused by two operators. We are
reaching out to those. Needless to say that the list of potentially
broken domains contains very small number of domains which are not small
weird web sites...
So yes, I certainly agree that it provides some disincentive for upgrade
but over time (as CVEs accumulate ;-) stuff will get upgraded. Of course
there is some risk of forking, maybe someone is willing to maintain
resolvers instead of people who support this effort ... I'm curious
about this myself!
For the record there are some code changes already, e.g.
- PowerDNS: https://github.com/PowerDNS/pdns/pull/6628
- BIND 9.13.3 should have these removed:
- Knot Resolver did not contain most of workarounds from the beginning.
- Unbound is on the list of supporters as well, stay tuned.
Besides "traditional" resolver operators our list of supporters
has some of the big resolver operators as well and these can "flip
switch" once they decide. Hopefully more support is coming ...
It is hard but I think we have significant chance of success.
Petr Špaček @ CZ.NIC
More information about the dns-operations