
DNS Flag Day & Akamai


Written by Jon Reed & Barry Greene

DNS Flag Day is an industry event that promotes the adoption of the most up-to-date DNS features and ensures that non-standards-compliant servers don’t negatively impact the global performance of the Internet.  The 2019 DNS Flag Day will remove a number of workarounds regarding servers that do not fully support the EDNS0 (RFC 6891) extensions.

Akamai has been a supporter and promoter of the DNS Flag Day efforts ensuring that all our DNS Authoritative and Resolver products and services are compliant. Akamai’s Fast DNS, Global Traffic Management, DNSi AuthX, DNSi AuthServe (previously known as Nominum ANS), DNSi AnswerX Cloud, Security and Personalization Services (SPS), and Enterprise Threat Protection (ETP) services are all compliant with EDNS0 (RFC 6891).


The 2019 DNS Flag Day is scheduled for February 1, 2019.  On this date, major public DNS providers (including Google Public DNS and OpenDNS) will disable workarounds previously put in place for authoritative servers which did not correctly implement EDNS0 (RFC 6891) extensions. 

Akamai’s authoritative DNS products will not be impacted by this change. Akamai’s authoritative DNS products include Fast DNS and Global Traffic Management.  Akamai has been fully compliant with all requirements in RFC 6891 for many years.

Akamai resolver DNS products will not change for DNS Flag Day. Workarounds for EDNS0 non-compliance will remain in Akamai’s DNS resolver products and will accommodate EDNS non-compliant responses. Akamai’s DNS resolver products include DNSi (formerly known as Nominum Cacheserve and AnswerX), DNSi AnswerX Cloud, and Enterprise Threat Protection (ETP). All are RFC 6891 compliant.

What specifically is changing?

Extension Mechanisms for DNS, Version 0 (EDNS0), when first introduced nearly 20 years ago, represented a major change to the DNS protocol.  Initially, many DNS server products were incapable of handling EDNS0 queries, and would simply not respond at all, or respond incorrectly.  In order to drive adoption of EDNS0, many recursive resolver implementations were forced to implement various workarounds to try to determine whether or not an authoritative DNS server supported EDNS0, and to adjust their queries accordingly.  These workarounds will be disabled by many public DNS providers on February 1.  Additionally, versions of the most popular recursive DNS server products released on or after February 1 will no longer support these workarounds.  As a result, domains hosted on servers which do not fully support EDNS0 may be unreachable or suffer from degraded performance.

In what ways can a domain be non-compliant?

Some of the most well-known features of EDNS0 are EDNS Client Subnet (ECS) and the larger UDP message size.   But EDNS0 is more than that; it provides a mechanism by which new extensions to DNS can be introduced in the future.   This means that EDNS0-compliant authoritative servers must also ignore unknown EDNS0 option codes rather than failing the query.  This is where problems usually occur, and these are the kind of problems that will be detected by the EDNS0 compliance tester mentioned below.  

How can domains be tested for EDNS0 Compliance?

The DNS Flag Day site has a simple form where you can test your domain (https://dnsflagday.net/), as well as links to more comprehensive tests for use by DNS administrators.

If you are looking for more details, check out the compliance tool Internet Systems Consortium (ISC) has provided: https://ednscomp.isc.org/ednscomp To use it, just enter your domain in the “Zone Name” field to get a quick check of its EDNS0 compliance. 
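As an added example (not part of the original post or of any Akamai or ISC tool), the following Python script builds the kind of probe an EDNS compliance tester sends, an A query carrying an OPT RR with an unknown option code, and applies the checks described above to the reply: FORMERR/NOTIMP, a missing OPT RR, an echoed unknown option, or no reply at all are the non-compliant outcomes. It assumes option code 65001 (from the range RFC 6891 reserves for local/experimental use) as the unknown option, and the reply it checks is constructed inline, not captured traffic, so it runs offline.

```python
import struct

OPT_TYPE = 41           # OPT pseudo-RR type (RFC 6891)
UNKNOWN_OPTION = 65001  # assumption: a code from RFC 6891's local/experimental range, so no server implements it

def build_edns_query(name, qid=0x1234):
    """A query for NAME with an OPT RR carrying one unknown option; a compliant server ignores the option."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    opt_rdata = struct.pack("!HH", UNKNOWN_OPTION, 0)          # option code, zero-length option data
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(opt_rdata)) + opt_rdata  # TTL=0: version 0, no flags
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1) + qname + struct.pack("!HH", 1, 1) + opt

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)    # a compression pointer is two bytes, the root label one

def check_edns_response(query, reply):
    """Apply the checks an EDNS compliance tester makes to one reply (None = query silently dropped)."""
    if reply is None:
        return {"compliant": False, "reason": "no reply (query dropped)"}
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    rcode, off = flags & 0x0F, 12
    for _ in range(qd):
        off = _skip_name(reply, off) + 4               # skip QNAME, QTYPE, QCLASS
    opt_seen, echoed = False, False
    for _ in range(an + ns + ar):
        off = _skip_name(reply, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        rdata, off = reply[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == OPT_TYPE:
            opt_seen, p = True, 0
            while p + 4 <= len(rdata):                 # walk the option list in the OPT RDATA
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                echoed, p = echoed or code == UNKNOWN_OPTION, p + 4 + olen
    # FORMERR (1) and NOTIMP (4) are the classic EDNS failures; NXDOMAIN etc. with an OPT RR is fine
    ok = rid == struct.unpack("!H", query[:2])[0] and rcode not in (1, 4) and opt_seen and not echoed
    return {"compliant": ok, "rcode": rcode, "opt_present": opt_seen, "unknown_option_echoed": echoed}

def constructed_reply(query, rcode=0, with_opt=True, echo=False):
    """Constructed sample reply (not captured traffic) so the checker can be exercised offline."""
    question = query[12:_skip_name(query, 12) + 4]
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]) if rcode == 0 else b""
    rdata = struct.pack("!HH", UNKNOWN_OPTION, 0) if echo else b""
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata if with_opt else b""
    header = query[:2] + struct.pack("!HHHHH", 0x8400 | rcode, 1, 1 if answer else 0, 0, 1 if opt else 0)
    return header + question + answer + opt
```

To probe a live authoritative server, send the bytes from build_edns_query() over UDP to its port 53 and pass the raw reply (or None on timeout) to check_edns_response().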


Where can Akamai customers get up-to-date information during DNS Flag Day?

Specific customer questions about Akamai’s participation in DNS Flag Day can be posted to the Akamai Community post “DNS Flag Day and Akamai”. If needed, Akamai will provide updates via this article.

What if there is a problem on DNS Flag Day?

DNS Flag Day is designed to highlight non-compliant authoritative servers, and if your server is still not compliant by flag day, you might encounter cases where names in your zone cannot be resolved using popular public DNS resolvers.

If you encounter a problem with your DNS resolution on or shortly after DNS Flag Day (February 1, 2019), the first step is to check which DNS resolver is being used to resolve the name.  Akamai’s DNS resolvers will continue to accommodate EDNS non-compliant responses.  Compare the results of your DNS query using Akamai’s DNS resolvers with those from Google Public DNS or other public resolvers: if they are the same, that likely indicates a problem unrelated to Flag Day.   If they differ, the owner or operator of the domain in question will need to bring their authoritative DNS servers into full compliance with EDNS0.

DNS Flag Day References

Akamai’s DNS Products and DNS Flag Day Specifics

All the Akamai products support EDNS0 (RFC 6891) functionality. It is required for DNSSEC, EDNS0 Client-Subnet (ECS), and many other DNS extensions. Here is a list of Akamai’s DNS Product Family.

Fast DNS. Akamai’s Fast DNS provides an authoritative DNS service that offloads DNS resolution from your infrastructure to the cloud. Built on the Akamai Intelligent Platform™, Fast DNS is architected for both performance and availability and can maintain a fast DNS experience even under the largest DDoS attacks. Fast DNS can be deployed as a primary or secondary solution with optional DNSSEC support to protect against DNS forgery and manipulation.   Fast DNS is already fully compliant with EDNS0.  When Fast DNS is used in Secondary Mode (where Akamai transfers zone contents from a hidden master), zone transfers will still be performed even if a customer’s master servers are not EDNS0 compliant.  This ensures no service interruptions while customers work to ensure their master servers are fully compliant with EDNS0.

Global Traffic Management (GTM). Akamai’s GTM is a cloud-based load-balancing, resiliency, and traffic management tool built for data centers, multi-cloud, and multi-CDN deployments. GTM ensures fast and reliable user experiences by balancing traffic across all your data sources – both cloud and on premises. Geographically dispersed data centers and cloud deployments can slow down user requests, and traffic needs to be managed instantly during downtime. Global Traffic Management, built on Akamai’s Cloud Delivery Platform, is a DNS-based load balancing solution that balances traffic across all data sources – both cloud-based and on-premise infrastructures. It provides you a highly scalable, fault-tolerant load balancing solution that ensures high performance and availability under any peak demand.   Global Traffic Management is already fully compliant with EDNS0.

DNSi AuthServe. Akamai’s DNSi AuthServe is an authoritative DNS server that enables highly resilient, secure, always-on name services. Authoritative DNS services are critical to configuring, publishing, and distributing access to IP services (websites, video downloads, email, VOIP, etc.), and they are visible and available to everyone on the Internet. The initial user experience with an IP service starts with authoritative name servers, which provide addressing or other information needed to reach the service. Availability, performance, and security of authoritative DNS infrastructure are thus essential to ensuring a positive user experience.  DNSi AuthServe is fully compliant with EDNS0.

CacheServe and AnswerX Resolvers. Akamai has DNS Resolver Solutions which reside inside of a large operator, deployed globally in Akamai’s Cloud, and managed inside an operator’s network. Akamai DNSi resolvers are a foundational part of some of the largest networks in the world and help providers improve the subscriber experience, deliver value-added services, and gather DNS data that are useful for operations and security.  CacheServe and AnswerX are compliant with EDNS0. Workarounds for EDNS0 non-compliance will remain in CacheServe and AnswerX and will accommodate EDNS non-compliant responses.

Enterprise Threat Protection (ETP). Akamai’s Enterprise Threat Protector proactively identifies, blocks, and mitigates targeted threats such as malware, ransomware, phishing, DNS data exfiltration, and advanced zero-day attacks. Enterprise Threat Protector is a Secure Internet Gateway (SIG) that enables security teams to ensure that users and devices can safely connect to the Internet, regardless of where they are connecting from, without the complexity associated with legacy approaches.  ETP is fully compliant with EDNS0. Workarounds for EDNS0 non-compliance will remain in ETP and will accommodate EDNS non-compliant responses.

Security and Personalization Services (SPS). SPS is a cloud-based, carrier-grade cybersecurity solution that protects subscribers and IoT devices from phishing, viruses, ransomware, and malware. The SPS solutions work with Akamai’s DNS resolver (DNSi) to provide customers with a security solution that works for businesses, consumers, Wi-Fi, and other large organizations. SPS is fully compliant with EDNS0. Workarounds for EDNS0 non-compliance will remain in SPS and will accommodate EDNS non-compliant responses.


*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Barry Greene. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/SzqV4asqJkA/dns-flag-day-akamai.html