DNS Flag Day 2020
Alexander Dupuy
alexdupuy at google.com
Fri Feb 7 15:09:08 UTC 2020
In our analysis of the impact on Google Public DNS if it limits EDNS UDP
buffer size to 1232 for all queries, we identified common types of affected
queries/responses and hope to share statistics on their frequency in our
authoritative name server query logs, as the data may be of interest to
others.
We're also looking for other ways to share aggregated versions of DNS Flag
Day 2020 impact data. In particular, we are looking for a Flag Day
participant interested in applying this data to enhance the
https://dnsflagday.net/2020/#how-to-test authoritative DNS checker. The ISC
EDNS Compliance Tester it currently uses can send UDP and TCP queries to
the name servers for a domain, but there's no reliable way to elicit large
responses for an arbitrary domain or name server address. With aggregated
data on observed truncation, the checker could give results for name
servers without requiring a domain, indicating whether particular name
servers had:
- sent responses larger than the offered UDP buffer size
- sent responses larger than 1232 bytes
- sent successful responses to TCP queries
- sent truncated responses to UDP queries with buffer size 1232
- broken out by QTYPE, positive/negative/referral responses, and DNSSEC
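An added example (not Google's tooling, nor the ISC compliance tester the post refers to) of what the four per-name-server checks above look like at the wire level: build an EDNS(0) query that offers a 1232-byte UDP buffer, read the TC bit and RCODE out of the response header, and classify the observed behaviour. Only the Python standard library is used. The `probe()` function is the one part that talks to a real server and is not run here; the sample at the bottom uses constructed responses (a truncated NXDOMAIN over UDP, a 1400-byte answer over TCP) with a placeholder query name, so it runs offline.

```python
"""Wire-level demo of the checks in the post: offer a 1232-byte EDNS UDP
buffer, then see whether a name server truncates, whether TCP succeeds,
and whether the full response exceeds 1232 bytes or the offered size."""
import socket
import struct

EDNS_BUFSIZE = 1232   # DNS Flag Day 2020 default EDNS UDP buffer size
OPT_TYPE = 41         # EDNS(0) OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000      # "DNSSEC OK" bit in the OPT record's TTL field


def encode_name(qname):
    """Encode a dotted name in DNS wire format (no compression)."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, udp_size=EDNS_BUFSIZE, dnssec_ok=True, txid=0x1234):
    """One question plus an OPT record advertising udp_size (and DO if asked)."""
    # id, flags (RD set), qdcount, ancount, nscount, arcount (= the OPT record)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, DO_FLAG if dnssec_ok else 0, 0)
    return header + question + opt


def parse_header(msg):
    """Pull the header fields this check cares about out of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),   # TC: the server had to truncate the UDP reply
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(udp_resp, offered_size, tcp_resp=None):
    """Map a UDP response (and the TCP retry, if one was made) onto the
    observations listed in the post. NOERROR and NXDOMAIN both count as a
    successful TCP answer; a negative answer is still an answer."""
    udp = parse_header(udp_resp)
    out = {
        "udp_truncated": udp["tc"],
        "udp_rcode": udp["rcode"],
        "udp_size": len(udp_resp),
        "tcp_success": None,          # None: no TCP query was needed
        "response_size": len(udp_resp),
    }
    if tcp_resp is not None:
        tcp = parse_header(tcp_resp)
        out["tcp_success"] = tcp["qr"] and not tcp["tc"] and tcp["rcode"] in (0, 3)
        out["response_size"] = len(tcp_resp)
    out["exceeds_offered"] = out["response_size"] > offered_size
    out["exceeds_1232"] = out["response_size"] > EDNS_BUFSIZE
    return out


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP connection closed before the full message arrived")
        buf += chunk
    return buf


def probe(server, qname, qtype=1, udp_size=EDNS_BUFSIZE, timeout=3.0):
    """Query a name server over UDP and, only if the reply is truncated, retry
    over TCP with the two-byte length framing of RFC 7766. Needs network
    access to a reachable authoritative server; not used by the offline sample."""
    query = build_query(qname, qtype, udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(query, (server, 53))
        udp_resp, _ = u.recvfrom(65535)
    tcp_resp = None
    if parse_header(udp_resp)["tc"]:
        with socket.create_connection((server, 53), timeout=timeout) as t:
            t.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(t, 2))
            tcp_resp = _recv_exact(t, length)
    return classify(udp_resp, udp_size, tcp_resp)


def constructed_sample():
    """Constructed (not captured) responses for a placeholder name: a truncated
    NXDOMAIN over UDP, then a 1400-byte TCP reply of the kind a DNSSEC-signed
    negative answer with NSEC/RRSIG records would produce. The TCP body is
    zero padding, since classify() only reads the header and the length."""
    q = build_query("example.invalid", qtype=1)
    question = q[12:-11]   # drop the 12-byte header and the 11-byte OPT record
    # flags: QR|TC|RD|RA with RCODE=3 (NXDOMAIN) = 0x8383; same without TC = 0x8183
    udp_resp = struct.pack("!HHHHHH", 0x1234, 0x8383, 1, 0, 0, 0) + question
    tcp_resp = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 6, 1) + question
    tcp_resp += b"\x00" * (1400 - len(tcp_resp))
    return classify(udp_resp, EDNS_BUFSIZE, tcp_resp)


if __name__ == "__main__":
    for key, value in constructed_sample().items():
        print(f"{key}: {value}")
```

For a live check, `probe("<name-server-ip>", "<zone>", qtype=...)` returns the same dictionary for a real server; running it against a signed zone's NXDOMAIN name is the quickest way to see the "truncated over UDP at 1232, answered over TCP" pattern the post describes.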
Many of the truncated responses we see are DNSSEC-signed negative
responses, including insecure delegation referral responses from
DNSSEC-signed TLDs, whose operators may find this information useful. Even
if the resolution completes successfully, the extra round trips required
for TCP can increase latencies, and migration to elliptic curve algorithms
can reduce response sizes to avoid that impact.
Additionally, for larger operators concerned about a potential increase in
TCP query traffic, and who want to verify their capacity to handle higher
levels of such traffic, Google Public DNS can temporarily designate one of
their name servers for "TCP first" resolution, sending queries on TCP
first, and only falling back to UDP on connection resets or query timeouts.
These activities are in support of DNS Flag Day 2020, but are apart from
any implementation schedule or commitments for Flag Day by Google. If you
or your organization might be interested in either of these, you can reply
on-list or contact us directly by e-mail. The tech lead for Google Public
DNS, Puneet Sood, will be at DNS-OARC in SF this weekend, so there is also
the possibility to discuss in person if you will be there too.
@alex