On Thu, Jan 31, 2019 at 6:01 AM Matthew Petach <mpetach@netflight.com> wrote:
> Google, Cloudflare, Quad9 all changing their codebase/response behaviour on a Friday before a major sporting and advertising event? Not sounding like a really great idea from this side of the table.
If your DNS zone is hosted on Google's or Cloudflare's servers, then you should have nothing to worry about, other than your end users having a broken firewall in between their DNS resolver and the internet, and then updating their resolver software... Actually, none of those providers have announced detailed plans, at least yet; and maybe they won't even bother announcing. They could update their software yesterday if they wanted, or they could wait until next week, and it would still be "on or around Feb 1, 2019." The 'Flag Day' is not a specific moment at which all providers necessarily push a big red button at the same instant to remove their workaround for broken DNS servers discarding queries.
> Are we certain that the changes on the part of the big four recursive DNS operators won't cause downstream issues?
Not downstream issues. They will break resolution of the domains which have authoritative DNS servers that discard or ignore DNS queries which comply with all the original DNS standards but contain EDNS attributes. The common cause for this was authoritative DNS servers placed behind third-party firewalls that tried to "inspect" DNS traffic and discard queries and responses with "unknown" properties or sizes larger than 512 --- there may also be an esoteric DNS proxy/balancer implementation with bugs, or some broken authoritative server implementations running software that was more than 10 years past End of Support at this point. If your authoritative DNS service sits behind such a broken device or on such a broken DNS server, then clients already have trouble resolving your domains, and some time after the DNS Flag Day it will likely stop working altogether.
> As someone noted earlier, this mainly affects products from a specific company, Microsoft, and L7 load balancers like A10s. I'm going to hope legal teams from each of the major recursive providers were consulted ahead of time to vet the effort, and ensure there were no concerns about collusion or anticompetitive practices, right?
I wouldn't be too concerned. The operators of a recursive DNS service very likely won't have an agreement giving them a duty to Microsoft, A10, etc. If you have software or a service that you expect to interoperate with DNS resolvers, then it's on you to make sure your implementation of the software or service complies with the agreed standards regarding its processing of compliant messages.

--
-JH
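The failure mode JH describes above (a firewall or middlebox in front of an authoritative server silently dropping queries that carry EDNS attributes) is easy to check from the outside: send the same question with and without an EDNS0 OPT record and see whether both answers come back. The script below is an added example, not from this thread or any of the providers mentioned; it builds the packets by hand over UDP, the server address and zone name passed to `probe()` are assumptions, and `sample_response()` is a constructed reply used only to exercise the parser offline.

```python
import socket, struct

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_query(name, txid, edns=True, udp_size=4096, qtype=1):
    """A-record query; with edns=True an EDNS0 OPT pseudo-RR goes in the additional section."""
    packet = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set, QDCOUNT 1
    packet += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns:  # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size, TTL 0, RDLEN 0
        packet += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return packet

def skip_name(data, off):
    while True:
        label_len = data[off]
        if label_len == 0: return off + 1
        if label_len & 0xC0 == 0xC0: return off + 2  # compression pointer
        off += label_len + 1

def parse_response(data, txid):
    """Return rcode and whether the reply carries an OPT RR, i.e. the server understood EDNS."""
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid: raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # QTYPE + QCLASS
    opt_size = None
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == 41: opt_size = rclass
    return {"rcode": flags & 0xF, "edns": opt_size is not None, "udp_size": opt_size}

def probe(server, name, timeout=3.0):
    """Send a plain and an EDNS query to one authoritative server; None = dropped (Flag Day failure mode)."""
    results = {}
    for label, edns, txid in (("plain", False, 0x2424), ("edns", True, 0x4242)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(build_query(name, txid, edns=edns), (server, 53))
                results[label] = parse_response(sock.recvfrom(4096)[0], txid)
            except socket.timeout:
                results[label] = None
    return results

def sample_response(txid=0x4242):  # constructed NOERROR reply: one A record plus an OPT RR advertising 1232 bytes
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])  # example.com -> 192.0.2.1
    return (struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1) + encode_name("example.com")
            + struct.pack("!HH", 1, 1) + answer + b"\x00" + struct.pack("!HHIH", 41, 1232, 0, 0))
```

A healthy server returns a parsed reply for both keys of `probe()`; a `plain` answer paired with `edns` being None is the pattern of a middlebox discarding EDNS queries, which is what the resolvers stop working around after Flag Day.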