DNS Flag Day and beyond - how will it affect you?
APNIC
Presentation by Eddy Winstead at APRICOT 2019 on Thursday, 28 February 2019.
1.
© 2019 ISC
DNS Flag Day and beyond - how will it affect you?
APRICOT2019
dnsflagday.net
2.
Most transactions on the Internet start with a dialog like this:
Resolver -> Authoritative: Address for example.com? [flags]
Authoritative -> Resolver: 93.184.216.34 [flags]
3.
Response codes (Resolver <- Authoritative)
NOERROR: No Error
FORMERR: Format Error
SERVFAIL: Server Failure
NXDOMAIN: Non-existent Domain
NOTIMP: Not Implemented
REFUSED: Refused
…
BADVERS: Bad OPT version
BADSIG: TSIG signature failure
BADKEY: Key not recognized
…
4.
Extension Mechanisms for DNS
▪ Designed so that any of the extension mechanisms can be deployed in the client or the server without requiring support at the other end. To make this possible, EDNS(0) specifies how to handle versions, flags and options that are unknown.
▪ EDNS version -> response code BADVERS by server / ignored by client.
▪ EDNS flag -> ignored by other end.
▪ EDNS option -> ignored by other end.
5.
EDNS is used for…
▪ UDP DNS messages over 512 bytes
▪ DNSSEC
▪ DNS Cookies
▪ Client-subnet identifier
▪ TBD
6.
Source: https://ednscomp.isc.org/compliance/summary.html
7.
Specific issues observed
▪ Firewalls blocked EDNS(1)
▪ Firewalls blocked the EDNS NSID option.
▪ Firewalls blocked reserved EDNS flags.
▪ Firewalls block fragmented responses.
▪ Load balancers drop fragmented responses.
▪ Load balancers mishandle ICMP PTB messages.
▪ Older Microsoft DNS software didn’t implement EDNS.
8.
Interpreting Timeouts
▪ Network congestion
▪ DNS server failure
▪ Firewall or Load Balancer blocking EDNS traffic
▪ DNS server just doesn’t support EDNS
9.
‘Workarounds’ for EDNS incompatibility problems
▪ retry without EDNS
▪ retry with TCP
▪ … disabling EDNS is the main workaround
10.
Why remove the workarounds?
▪ the workarounds slow down the DNS
▪ they make it harder to implement new features
▪ layers of exception handling complicate the DNS code and make it more fragile
▪ most of the DNS has been upgraded, and the remaining breakage seemed to be mostly parked domains
11.
Removing workarounds on or after 1 Feb 2019
Source: https://dnsflagday.net/#supporters
See also: https://github.com/dns-violations/dnsflagday
12.
Open Source | Flag Day version | Notes
BIND 9 | 9.13.6, 9.14.0 |
PowerDNS | 4.2 | 4.1 auth is fully compliant. 4.0 is compliant if you disable caching
Knot | Knot had no workarounds | Run Knot 3.3.0 for best compliance
Unbound | 1.84, 1.90 |
13.
Product updates
BlueCat: https://www.bluecatnetworks.com/blog/dns-flag-day-is-coming-and-bluecat-is-ready/
Citrix: https://support.citrix.com/article/CTX241493
DNSimple: https://simpledns.com/news/78/simple-dns-plus-v-8-0-build-108-released-dns-flag-day-update
EfficientIP: http://www.efficientip.com/dns-flag-day-notes/
F5: https://support.f5.com/csp/article/K07808381?sf206085287=1 and https://worldtechit.com/dns-flag-day-for-f5-dns/
InfoBlox: https://community.infoblox.com/t5/Community-Blog/DNS-Flag-Day/ba-p/15843?es_p=8449211
Juniper: https://kb.juniper.net/InfoCenter/index?page=content&id=TSB17513
Microsoft Azure: https://azure.microsoft.com/en-us/updates/azure-dns-flag-day/
Microsoft Windows: https://support.microsoft.com/en-sg/help/4489468/windows-server-domain-name-system-dns-flag-day-compliance
Palo Alto Networks firewall: https://live.paloaltonetworks.com/t5/Community-Blog/DNS-Flag-Day-Are-You-Ready/ba-p/248284
Pulse: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB43996
SimpleDNS: https://simpledns.com/news/78/simple-dns-plus-v-8-0-build-108-released-dns-flag-day-update
14.
Service Operators
Dyn: https://dyn.com/blog/what-you-need-to-know-about-dns-flag-day/
Exabytes: https://support.exabytes.com/en/support/discussions/topics/14000013075
Google: https://groups.google.com/forum/#!msg/public-dns-announce/-qaRKDV9InA/CsX-2fJpBAAJ
Quad9: https://quad9.net/dns-flag-day-2019/
Valimail: https://www.valimail.com/blog/what-dns-flag-day/
15.
Test your domains
https://dnsflagday.net/
16.
Test your domains
https://dnsflagday.net/
(Hosted on non-compliant nameservers at future.net.uk)
17.
Test your domains
https://dnsflagday.net/
(Hosted on non-compliant nameservers at wiley.co.uk)
18.
Test your domains
https://dnsflagday.net/
19.
Testing Summary
▪ Review https://ednscomp.isc.org/ednscomp/ your-domain-report
▪ If you get an error other than timeout, upgrade your DNS software to the latest your vendor has.
▪ If you are getting timeouts check the firewall settings.
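The handling rules from the "Extension Mechanisms for DNS" slide and the timeout guidance in the Testing Summary can be checked mechanically. The following is an added example, not code from the slides or from ISC: it builds the OPT record as laid out in RFC 6891 and classifies a server's reply to an EDNS(1), unknown-flag or unknown-option probe. The function names, the probe flag bit and the option code are assumptions, and the responses in `demo()` are constructed, not captured traffic.

```python
import struct

OPT, BADVERS = 41, 16                          # OPT RR type, BADVERS extended RCODE (RFC 6891)
UNKNOWN_FLAG, UNKNOWN_OPTION = 0x0080, 65001   # constructed: a reserved Z bit, a local-use option code

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_opt(version=0, flags=0, options=(), ext_rcode=0, udp_size=1232):
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    # OPT: root name, TYPE, CLASS = UDP size, TTL = ext-rcode | version | flags, RDLEN
    return b"\x00" + struct.pack("!HHBBHH", OPT, udp_size, ext_rcode,
                                 version, flags, len(rdata)) + rdata

def build_message(name, opt=None, qr=0, rcode=0, msg_id=0x1234):
    header = struct.pack("!HHHHHH", msg_id, (qr << 15) | (rcode & 0xF),
                         1, 0, 0, 1 if opt else 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1) + (opt or b"")

def skip_name(msg, pos):
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)        # compression pointer: 2 bytes, root label: 1

def parse_edns(msg):
    """Return (full_rcode, edns); edns is None when the message carries no OPT record."""
    _, hflags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos, edns = 12, None
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        if rtype == OPT:
            codes, i = [], 0
            while i + 4 <= len(rdata):
                code, length = struct.unpack("!HH", rdata[i:i + 4])
                codes.append(code)
                i += 4 + length
            edns = {"ext": ttl >> 24, "version": (ttl >> 16) & 0xFF,
                    "flags": ttl & 0xFFFF, "options": codes}
    return ((edns["ext"] << 4) if edns else 0) | (hflags & 0xF), edns

def check(response, version=0, flags=0, options=()):
    """Classify a reply (bytes, or None for a timeout) to the probe that was sent."""
    if response is None:
        return "timeout: check firewall / load balancer handling of EDNS"
    rcode, edns = parse_edns(response)
    if edns is None:
        return "no OPT in response: server does not implement EDNS"
    if version > 0:
        return "ok" if rcode == BADVERS else "unknown version not answered with BADVERS"
    if rcode != 0:
        return "unexpected rcode %d" % rcode
    if edns["flags"] & flags & 0x7FFF:
        return "unknown flag echoed instead of ignored"
    if set(edns["options"]) & {c for c, _ in options}:
        return "unknown option echoed instead of ignored"
    return "ok"

def demo(q="example.com"):
    """Constructed responses (not captured traffic), one per outcome."""
    return [check(build_message(q, build_opt(ext_rcode=1), qr=1), version=1),
            check(build_message(q, qr=1, rcode=1), version=1),
            check(build_message(q, build_opt(flags=UNKNOWN_FLAG), qr=1), flags=UNKNOWN_FLAG),
            check(build_message(q, build_opt(), qr=1), options=[(UNKNOWN_OPTION, b"")]),
            check(None)]
```

To test a real server, send the bytes from `build_message(name, build_opt(...))` over UDP port 53 and pass the reply, or `None` on timeout, to `check()`.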
20.
Long-term Benefits
▪ resolvers will stop disabling EDNS unnecessarily
▪ DNS will be more resilient
▪ resolvers will become more efficient, less persistent
▪ newer features like DNSSEC, DNS cookies, EDNS client subnet, etc., will work better
21.
Flag Day accelerated progress
[Chart: Percentage of Alexa 1M domains with EDNS compliance issues, 1/1/17 to 1/1/19. Series: EDNS version 0 query; EDNS unknown option; EDNS unknown flags; EDNS(1); Unknown EDNS version and option]
22.
In conclusion:
▪ Check your own domains today
▪ Fix (or ask your domain hosting company to fix) any issues identified
▪ If you see ‘funny problems’ reaching other services or websites, check their domains for DNS compliance failures
▪ Remember this talk – you might not encounter problems right away
23.
Any Questions?