DNS Flag Day Passed With Flying Colors

A concerted effort to refine the way the internet looks up online resources went smoothly recently, paving the way for a faster, more secure online environment. 

DNS Flag Day, an internet-wide event which took place in February, saw several large vendors and internet service providers update the way they query other computers participating in the domain name service (DNS) system.

The big change concerned Extension Mechanisms for DNS (EDNS), a standard ratified in 1999 that lets software developers carry additional features and options in DNS queries. DNSSEC, the technology that protects against domain spoofing, relies on EDNS to work.

Even though EDNS became a standard two decades ago, some DNS implementations still didn’t support it properly. Software developers had built workarounds to cope when talking to those non-compliant systems, but the workarounds made DNS more complex: they often meant slower responses to DNS queries and made it harder to deploy new DNS features.

Traditionally, DNS software that supported EDNS would send an EDNS query to another DNS server. If that server didn't respond at all, the compliant software would eventually time out, disable EDNS and try again without it. This approach slows down DNS resolution, because a compliant server must wait for a non-compliant server to time out before adjusting its approach.

To fix the problem, the developers of four well-known open-source DNS programs – CZ.NIC, ISC, NLnet Labs and PowerDNS – decided to drop those workarounds for non-compliant servers altogether. The reasoning was that a name server which doesn’t send a proper response to an EDNS query shouldn’t be considered legitimate, and so isn’t worth talking to.

After Friday February 1, these four vendors configured their programs to treat any name server that didn’t respond to EDNS queries at all as dead. It is still possible not to support EDNS, as long as a server sends a response that says so in a standards-compliant way. In lay terms, name servers must simply be polite and not ignore EDNS requests altogether.
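The two behaviours described above (the old time-out-then-retry-without-EDNS fallback, and the post-Flag-Day rule that silence means dead while any answer, even an error, is acceptable) can be reproduced with a small probe. The script below is an added example written for this article, not code from any of the vendors mentioned; it builds a minimal EDNS0 query by hand, classifies a server's reply, and shows what a resolver does next under each regime. The query name, server address, timeout and the sample packets produced by `make_sample_response()` are constructed for the example, and a practitioner would point `probe()` at their own authoritative servers to check them.

```python
import socket
import struct
from typing import Optional

# Wire-format helpers for probing a name server's EDNS behaviour. The packet
# layout follows RFC 1035 (DNS) and RFC 6891 (EDNS0). The server, query name,
# timeout and the replies built by make_sample_response() are constructed for
# this example and are not taken from the article.

OPT_TYPE = 41                       # EDNS0 OPT pseudo-RR type
QTYPE_SOA, QCLASS_IN = 6, 1
RCODE_FORMERR, RCODE_NOTIMP = 1, 4


def _encode_name(qname: str) -> bytes:
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_edns_query(qname: str, txid: int = 0x1234, udp_size: int = 4096) -> bytes:
    """SOA query for qname carrying an empty EDNS0 OPT record (ARCOUNT=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1)
    question = _encode_name(qname) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
    # OPT RR: root owner name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt


def _skip_name(data: bytes, offset: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes) -> dict:
    """Return the transaction id, RCODE and whether an OPT record is present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        offset = _skip_name(data, offset) + 4   # skip QTYPE + QCLASS
    has_opt = False
    for _ in range(an + ns + ar):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10 + rdlen
        has_opt = has_opt or rtype == OPT_TYPE
    return {"id": txid, "rcode": flags & 0x000F, "has_opt": has_opt}


def classify(response: Optional[bytes]) -> str:
    """Bucket a server by its reaction to an EDNS query; None means it timed out."""
    if response is None:
        return "dead"               # silence: the Flag Day rule gives up here
    info = parse_response(response)
    if info["has_opt"]:
        return "edns-compliant"     # echoed an OPT record: proper EDNS support
    if info["rcode"] in (RCODE_FORMERR, RCODE_NOTIMP):
        return "legacy-error"       # no EDNS, but said so in a standard way
    return "legacy-answer"          # answered without OPT: still a response


def next_action(response: Optional[bytes], flag_day: bool) -> str:
    """The resolver's next step before and after Flag Day."""
    if response is not None:
        return "use-response"
    return "treat-as-dead" if flag_day else "retry-without-edns"


def make_sample_response(query: bytes, with_opt: bool, rcode: int = 0) -> bytes:
    """Constructed reply to `query`: echoes the question, sets QR and RCODE,
    and appends an OPT record only when with_opt is True."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8000 | rcode, 1, 0, 0, 1 if with_opt else 0)
    opt = (b"\x00" + struct.pack("!HHIH", OPT_TYPE, 512, 0, 0)) if with_opt else b""
    return header + question + opt


def probe(server: str, qname: str, timeout: float = 2.0) -> Optional[bytes]:
    """Send one EDNS query over UDP; return the reply bytes, or None on timeout."""
    query = build_edns_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return data if data[:2] == query[:2] else None   # ignore replies with the wrong id


if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]   # e.g. one of your own authoritative servers
    reply = probe(server, name)
    print(f"{server}: {classify(reply)} -> {next_action(reply, flag_day=True)}")
```

Run as `python probe.py <your-nameserver-ip> <your-zone>`; a result of `dead` means the server is silent on EDNS queries and would have become unreachable from Flag Day resolvers, whereas `legacy-error` or `legacy-answer` is the "polite" non-support the article says remains acceptable. The classifier deliberately treats any parseable reply without an OPT record as acceptable, mirroring the "error response of almost any kind" rule quoted later in the article.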

The move was a big deal for any domains using non-compliant DNS software, as it could have rendered them inaccessible. US-CERT put out an advisory about it. 

So, how did the big day go? Thankfully, it wasn’t a DNS-apocalypse. According to the Internet Systems Consortium (ISC), which was instrumental in promoting the event, the number of domains with EDNS compliance issues fell dramatically in the weeks leading up to the big day. 

“We were already at >96% success on these basic tests at the beginning of 2017, but fixing the last few percentage points was going very slowly,” it said. “That accelerated sharply in January.”

Companies including Microsoft, Citrix, Google and DNS provider Dyn supported the move by checking and updating their servers as part of the event. Microsoft said that all its Azure servers would be available on and after DNS Flag Day. Google Public DNS, which provides public DNS resolution services, said that “A small number of domains” might be unreachable for customers after it removed its workarounds. “Name servers that do not support EDNS, but send an error response of almost any kind” would still be supported, it said.
