DNS Flag Day And Legacy Nameservers
Customers may be aware that we have been performing upgrades on our Authoritative resolver clusters, as well as our recursor clusters. This is primarily due to DNS Flag Day, which is occurring today, 1st February 2019.
What is DNS Flag Day?
The software vendors behind the largest DNS platforms (Bind, PowerDNS, Unbound, Google) got together in the middle of last year and decided that they would no longer implement workarounds in their software for DNS servers which do not support the ‘EDNS’ extensions to the DNS framework. The date they picked for this is 1st February 2019. Unfortunately, they didn’t put much effort into advertising this date, so a lot of companies around the world have only found out about this in the last couple of weeks.
Why did they decide to do this?
Well, to answer that, we need to understand how a DNS lookup works, which we have simplified for you below:
Say your computer is set to use 184.108.40.206 as its DNS resolver and you want to visit www.serversaustralia.com.au. (We’ll pretend for a few minutes that our DNS servers don’t support EDNS. They do, so don’t worry!).
- Your computer queries 220.127.116.11 (Google) for a record for www.serversaustralia.com.au.
- Google queries the .au root servers to get the nameservers for serversaustralia.com.au, and gets back a response saying dns1.servercontrol.com.au.
- Google sends a query packet for www.serversaustralia.com.au to dns1.servercontrol.com.au with the EDNS flag set.
- dns1.servercontrol.com.au, not supporting EDNS, sees it as a malformed query and ignores it.
- Google gets sick of waiting for the response after a few seconds and retries the same query packet without the EDNS flag set.
- dns1.servercontrol.com.au sees this as a fine query, and sends back the response with the IP address for www.serversaustralia.com.au
- Google receives this response, decides dns1.servercontrol.com.au doesn’t support EDNS, and adds it to an internal list of servers it should not use EDNS with.
At this point, Google’s DNS server has wasted multiple seconds of CPU time, and probably 1kb of RAM to save the entry into its lookup table. Multiply that by millions of queries an hour, and a million DNS servers, and you now understand why the large public resolver companies had enough!
EDNS has been a defined part of DNS since 1999 – but hasn’t been largely supported because DNS ‘seems’ to work without it.
What will happen if my domain is on a server which does not support EDNS after flag day?
Well, that depends on how the DNS server which hosts your domain handles requests with EDNS, and how the specific resolver being used to look up your domain handles that response. As we understand it, some resolvers are just doing away with that lookup table, which means all requests to an EDNS-incapable server will have that 2-second delay on lookups. Other resolvers are completely removing the workarounds, so your domain would become unresolvable.
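To see which of these cases applies to a given authoritative server, the two queries from the walkthrough above can be sent by hand and the replies compared. The Python below is an added example, not Servers Australia's tooling; the function names, the 1232-byte advertised UDP size and the category labels are assumptions made for illustration.

```python
import socket
import struct

OPT = 41  # RR type of the EDNS OPT pseudo-record

def build_query(name, edns=True, udp_size=1232):
    """Build an A query; edns=True appends an OPT record (udp_size is assumed)."""
    header = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    pkt = header + qname + b"\0" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if edns:  # root owner name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
        pkt += b"\0" + struct.pack("!HHIH", OPT, udp_size, 0, 0)
    return pkt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # pointer is 2 bytes, root label is 1

def has_opt(msg):
    """True if any resource record in the message is an OPT record."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off, found = 12, False
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rdlen = struct.unpack("!H6xH", msg[off:off + 10])
        off, found = off + 10 + rdlen, found or rtype == OPT
    return found

def ask(server, pkt, timeout=2.0):
    """Send one UDP query; return the reply bytes, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None

def classify(edns_reply, plain_reply):
    """Classify a server from its replies to the EDNS query and the plain query."""
    if edns_reply is not None:
        return "edns-ok" if has_opt(edns_reply) else "replies-without-opt"
    return "drops-edns-queries" if plain_reply is not None else "unreachable"

# Live use: classify(ask(ip, build_query(n)), ask(ip, build_query(n, edns=False)))
```

A result of `drops-edns-queries` is the behaviour in the walkthrough: the server stays silent on the EDNS query and only answers the plain retry.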
How is this going to affect me, as a Servers Australia customer?
Well, that’s the important question, isn’t it?
There is a simple answer and a complicated answer.
The simple answer is: If all of your services were purchased directly from Servers Australia – i.e. you were not a customer of any of the companies we have acquired over the years (Dedicated Servers, Syncom, Indigo, Woosaw, Axelera, RackCentral, OzServers), then this is not going to affect you. Both of our Authoritative hosting clusters and our resolver cluster are fully up to date.
If you were a customer of one of the brands we purchased, then you may need to check the resolver IPs you are using.
Servers Australia’s official resolver IP addresses are as follows:
If you are using legacy brand resolvers, we will be in touch over the coming weeks to ask you to change. However, if you are running a local nameserver of your own (Bind, PowerDNS, etc.) and using one of the legacy resolvers as a forwarder, you will face the same issue as above, where you will be unable to make queries due to these resolvers not supporting EDNS.
The full list of legacy resolvers is:
Indigo Customers do need to redelegate their domains from the Indigo Cluster (ns1/2/3.indigo.com.au) to our portal DNS cluster (ns1/2.servercontrol.com.au) – the customers affected have been emailed with the list of domains needing redelegation.