DNS Flag Day: Guidance for BlueCat Users

By Ben Ball

As the features, functionality, and services of DNS continue to grow, the protocol is becoming more complex.  While we all reap the benefits of these changes, there is a cost as well.  Latency, instability, and development challenges are gradually creeping into the DNS protocol as it starts to get the attention we at BlueCat believe it truly deserves.

EDNS and its detractors

Extension mechanisms for DNS (EDNS) were created to mitigate some of these challenges with the DNS protocol.  In a nutshell, EDNS adds new capacity to DNS which allows it to support additional functionality. 

Up to this point, support for EDNS has not been uniform across service providers and products.  Workarounds kept services up and running, but introduced problems of their own.  Over time, the technical costs became untenable.

This is why a number of companies which provide DNS software and DNS services are ending support for EDNS workarounds.  The companies designated February 1, 2019 as DNS Flag Day. The website for this campaign includes a test that lets you see whether your domain is affected by these changes.

What BlueCat customers need to know

BlueCat is fully prepared for DNS Flag Day.  BlueCat DNS Servers (both DNS Integrity and DNS Edge) will continue to function as normal. 

On the back end, BlueCat provides full compliance from an authoritative perspective. BlueCat is not yet removing the workarounds from the recursive perspective. This means that even if third-party DNS systems that your enterprise relies on are not compliant, BlueCat will continue to resolve the answer. We plan to leave the workarounds in place for at least one year.

It is important to note, however, that BlueCat cannot guarantee that other DNS servers, firewalls and load balancers within your intranet or the internet won’t disrupt normal DNS query flows. We strongly suggest that you validate your architectures before February 1 to ensure normal operations after the changeover occurs.

The Flag Day website includes a test that lets you see whether a domain is affected by these changes. That test does not provide any details that would help to identify the source of an issue or its potential impact. However, the site links to an ISC site that provides more detail. The tool used to run the validation can be downloaded and executed locally, and ISC also provides guidance on running the validation manually with dig.

During numerous validation tests with customers, we found that testing can identify issues that are not directly related to the DNS server.  For instance, network delays or rate limiting policies can incorrectly be flagged as EDNS compliance issues. We advise customers to validate the results using UDP packets larger than 512 bytes for network routes that include BlueCat DNS servers.
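One way to script the check recommended above (EDNS over UDP with replies larger than 512 bytes), as an added example that is not BlueCat's or ISC's tooling: it sends a query carrying an OPT record and labels the reply so that a timeout on the path is not mistaken for an EDNS failure. The function names, the status labels and the `example.test` sample reply are constructed for illustration.

```python
import socket
import struct

def build_query(name, qtype=16, bufsize=4096, qid=0x1234):
    """DNS query whose OPT record advertises `bufsize` bytes of UDP payload."""
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)  # TYPE 41 = OPT, EDNS version 0
    return struct.pack("!6H", qid, 0, 1, 0, 0, 1) + qname + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, off):  # offset just past a (possibly compressed) domain name
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def classify(resp):
    """Label one UDP reply so that EDNS symptoms are told apart."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", resp[:12])
    if flags & 0x000F:
        return "rcode-%d" % (flags & 0x000F)  # e.g. rcode-1 is FORMERR
    off, has_opt = 12, False
    for _ in range(qd):
        off = skip_name(resp, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        has_opt |= rtype == 41
        off += 10 + rdlen
    if not has_opt:
        return "no-opt"  # EDNS query answered without an OPT record
    if flags & 0x0200:
        return "truncated"  # TC bit set: the client is expected to retry over TCP
    return "ok-large" if len(resp) > 512 else "ok-small"

def probe(server, name, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return classify(s.recvfrom(65535)[0])
        except socket.timeout:
            return "timeout"  # loss, rate limiting or a firewall look the same here

def sample_reply(txt_strings=1, opt=True, flags=0x8400):  # constructed, not captured traffic
    q, rdata = build_query("example.test"), (b"\xff" + b"x" * 255) * txt_strings
    ans = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(rdata)) + rdata
    hdr = struct.pack("!6H", 0x1234, flags, 1, 1, 0, int(opt))
    return hdr + q[12:-11] + ans + (q[-11:] if opt else b"")
```

A result of `ok-small` means the reply never crossed 512 bytes, so query a record set large enough to produce `ok-large` before concluding that the path handles large UDP responses.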

An ISC blog post has additional recommendations that can help administrators identify the source of potential issues. In particular, we recommend checking the configurations of network appliances such as F5 and Check Point products; both vendors have published articles with guidance on how to address potential concerns.

Flag Day 2020 update:  While the Flag Day 2020 requirements are not yet finalized, BlueCat has determined from the initial guidance that any changes to its products will be relatively minor.  When EDNS buffer requirements are set, BlueCat will post additional guidance about the timing of a patch.

BlueCat Customer Care is available to address any concerns surrounding DNS Flag Day.  Feel free to contact us with any questions you might have.

Ben Ball

Ben Ball is the Director of Strategy and Content Marketing at BlueCat. Ben served for ten years as a Federal employee, with three tours as a Foreign Service Officer (Saudi Arabia, Turkey, Jordan), and five years at the Department of Homeland Security, where he focused on immigration issues. A graduate of the Fletcher School of Law and Diplomacy and Pitzer College, Ben lives in the San Francisco Bay Area.
