
What will happen on February 1, 2020?

TL; DR: starting from February 2020, DNS servers that do not support processing DNS requests over both UDP and TCP may stop working.

This is a continuation of the post “What-What Happens on February 1?”, dated January 24, 2019. Readers are advised to skim the first part of the story first in order to understand the context.

Bangkok, in general, is an acquired taste. Yes, it is warm and cheap, the food is interesting, and half of the world's population does not need to obtain a visa in advance, but you still have to get used to the smells, and at best the city streets bring to mind the cyberpunk classics.

In particular, the scene shown on the left can be observed not far from the center of the Thai capital, one street over from the Shangri-La hotel, where the 30th meeting of DNS-OARC, a non-profit organization dedicated to the security, stability and development of the DNS domain name system, took place on May 12-13.

The slides from the DNS-OARC 30 program are recommended to anyone interested in how the DNS works, but the most interesting part, perhaps, was not in the slides at all: a 45-minute round table discussing the results of DNS Flag Day, which took place on February 1, 2019.

And the most interesting thing about the round table is the decision that the practice of DNS Flag Day will continue.

Problems, officer?


As various studies have shown, the effect of the first DNS Flag Day turned out to be minimal. Yes, for some the adaptation process may have been painful, but in the end almost all outdated DNS servers were updated, and misconfigured firewalls were configured correctly.

Accordingly, the Flag Day organizers see the event as a great victory and, inspired by the success, are not going to stop there.

During the round table, the following tasks were discussed that upcoming “flag days” could help accomplish:


Ultimately, a decision was made, which is being announced at the RIPE 78 plenary meeting simultaneously with the publication of this post.

Again: from February 2020, DNS servers that do not support processing DNS requests over both UDP and TCP may stop working.

The exact date, however, has not yet been set. Most likely it will be February 1, but the day may change. However, according to the organizers of DNS Flag Day 2020 (the same people and companies as this year), nine months is enough to implement TCP support in existing DNS installations, so there is hardly any reason to postpone the event.

Over TCP


Today, TCP in DNS is generally supported.

The domain name system needs to operate over TCP for a number of reasons:

  1. Delivery of responses larger than the path MTU without resorting to unreliable IP fragmentation;
  2. DNSSEC support;
  3. Fighting DDoS attacks, etc.

On the client side, DNS over TCP has long been supported by almost every stub resolver, including Windows.

In practice, DNS over TCP has long ceased to be optional. As Mark Andrews, a developer of the BIND DNS server, notes, RFC 1123 (published in 1989) allowed a server not to implement the processing of DNS queries and responses over TCP only if the server operator understands the consequences and is able to support the full functionality of the DNS protocol without TCP. Today the latter is simply impossible.

An analysis of 34 million domains from 59 TLDs shows that requiring TCP today leads to problems in approximately 7% of domains. For comparison, in November 2018, three months before the first DNS Flag Day, 5.68% of the sites tested had EDNS problems.

Of these 7%:


The Flag Day organizers have reached a consensus that the thousands of operators who make up the DNS community should no longer pay for workarounds for a couple of dozen companies that do not update their servers.

An important point, as last time: the consequences may affect not only DNS server owners but also network administrators who block access to port 53/TCP on the firewall.
By February 2020, access to DNS servers over port 53/TCP must work.
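A minimal check that a name server answers over 53/TCP, written here as an added example that is not from the original post or the Flag Day organizers' tools. It frames the query with the 2-byte length prefix that RFC 1035 requires over TCP and parses the reply header (ID, RCODE, TC bit, answer count); the sample response bytes are constructed, and only `query_tcp` needs network access.

```python
import socket
import struct

# Constructed sample: a framed TCP response for "example.com" A with one answer
# pointing at the documentation address 192.0.2.1 (not a real lookup).
SAMPLE_TCP_RESPONSE = (
    b"\x00\x2d"                                          # length prefix = 45
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header: id, flags, counts
    b"\x07example\x03com\x00\x00\x01\x00\x01"            # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01"  # answer RR
)

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: 12-byte header (RD=1, one question) plus the question section."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def tcp_frame(msg):
    """RFC 1035 4.2.2: over TCP every message carries a 2-byte big-endian length prefix."""
    return struct.pack(">H", len(msg)) + msg

def tcp_unframe(data):
    """Strip the length prefix, refusing a frame whose payload does not match it."""
    (length,) = struct.unpack(">H", data[:2])
    if len(data) - 2 != length:
        raise ValueError("TCP frame length %d does not match payload %d" % (length, len(data) - 2))
    return data[2:]

def parse_header(msg):
    """Return the fields a TCP reachability check cares about."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200), "answers": an}

def recv_exact(sock, n):
    """Read exactly n bytes; a premature close means the server dropped the TCP query."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the TCP connection before a full reply")
        buf += chunk
    return buf

def query_tcp(server, name, qtype=1, timeout=5.0):
    """Send one query over 53/TCP and return the parsed reply header (needs network)."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(build_query(name, qtype)))
        (length,) = struct.unpack(">H", recv_exact(s, 2))
        return parse_header(recv_exact(s, length))
```

A connection refused, a timeout, or a close before the full reply on `query_tcp` is exactly the failure mode the 2020 Flag Day targets: the server or a firewall in front of it does not handle 53/TCP.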

And then what?


Of course, the Flag Day organizers will update their site and add DNS Flag Day 2020 information and utilities for checking any domain against the 2020 requirements.

Do not forget to run such a check before the end of the year to make sure you have no problems.

Libor Peltan from CZ.NIC will talk in detail about the plans for DNS Flag Day 2020 at the upcoming meeting of the Eurasian network operators group ENOG in Tbilisi on June 3-4. A live broadcast with Russian translation will be available on the site, where (and in the ENOG Talk Telegram chat) you can also ask questions.

You can also follow what is happening on Twitter.

DNS Flag Day 2021 will most likely be planned on a similar schedule, starting with DNS-OARC 32 in the spring of 2020. Requests for workarounds that should have been buried long ago are accepted and collected on GitHub.

Source: https://habr.com/ru/post/452816/
