What is expected on/after "DNS Flag Day" (Feb 1, 2019)?

Are there any known issues relating to LE cert issuance?
How should we prepare for this?


2 Likes

When the Let’s Encrypt resolvers are upgraded to the next version of Unbound, they will no longer talk to authoritative nameservers that drop EDNS queries.

https://www.isc.org/blogs/dns-flag-day/

A small number of domains will probably be unable to get certificates.

(Some others should become more reliable.)

Since certificates don’t renew very often, some people will probably notice that the quad-n resolvers can’t find their domains before they notice that Let’s Encrypt renewal isn’t working.

2 Likes

What about brand new cert requests?

2 Likes

There can’t be many people securing their websites while using DNS servers that have been broken since 1999, but yeah.

1 Like

So:

[even if only a small number]

Are there tell-tale signs?
What would the "error" message look like?

2 Likes

The error message from Let’s Encrypt? Just a SERVFAIL or DNS timeout error.

To tell it apart from other issues, the zones would have to be scanned with ednscomp or something.

2 Likes

This seems concerning (to me):

https://social.technet.microsoft.com/Forums/en-US/960ff2e3-c72e-47a3-b502-ec07f976c4bb/windows-server-2016-dns-not-fully-edns-rfc-compliant?forum=winserveripamdhcpdns

Some “related” examples:
msft.net = https://ednscomp.isc.org/ednscomp/def06d562d
azure-dns.net = https://ednscomp.isc.org/ednscomp/1495c20c2d

2 Likes

It’s not good, but it’s not dropping queries.

1 Like

EDNS has version 0. But the EDNS1 tests check the answer to a (not defined) EDNS1 query.

The ednsopt test checks the answer if the client sends undefined options.

The edns1opt test combines both checks.

Check

A Common Operational Problem in DNS Servers - Failure To Respond.
draft-ietf-dnsop-no-response-issue-08

https://tools.ietf.org/id/draft-ietf-dnsop-no-response-issue-08.html

2 Likes
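To make the two points above concrete (the resolver-side failure described earlier in the thread, where an authoritative server that drops EDNS queries ends up as a SERVFAIL/timeout, and the EDNS0 / EDNS1 / unknown-option probes that ednscomp runs), here is an added, self-contained Python example. It is not ednscomp and not Let's Encrypt or Unbound code; the function names, the 1232-byte UDP payload size and the canned replies are all constructed for illustration. It builds probe queries in DNS wire format (RFC 1035 header and question, RFC 6891 OPT record) and classifies a reply: a compliant server answers the EDNS0 probe normally, answers the undefined EDNS1 probe with BADVERS (extended RCODE 16 carried in the OPT record), and never stays silent. Silence (`None`) is the case that breaks after Flag Day.

```python
"""Build EDNS probe queries and classify authoritative-server replies.

Added example, not ednscomp and not Let's Encrypt code. Sample replies are
constructed offline; nothing here touches the network.
"""
import struct

TYPE_A, TYPE_OPT = 1, 41
# RCODE 16 (BADVERS) only exists as an extended RCODE inside an OPT record.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 16: "BADVERS"}


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid=0x1234, edns_version=None, options=(), payload=1232):
    """Return a wire-format A query; append an OPT RR when edns_version is set.

    edns_version=0 with no options is the plain EDNS probe, edns_version=1 is
    the (undefined) EDNS1 probe, and options=[(100, b"")] mimics the
    unknown-option probe. The payload size is an assumed value.
    """
    arcount = 0 if edns_version is None else 1
    hdr = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack(">HH", TYPE_A, 1)
    if edns_version is None:
        return hdr + question
    rdata = b"".join(struct.pack(">HH", code, len(data)) + data
                     for code, data in options)
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL packs the
    # extended RCODE (top 8 bits), version (next 8 bits) and flags (low 16).
    ttl = edns_version << 16
    opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, payload, ttl, len(rdata)) + rdata
    return hdr + question + opt


def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) name at pos."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, then done
            return pos + 2
        pos += 1 + length


def classify_response(query, response):
    """Summarise the reply to a probe built by build_query.

    response=None models a server that silently drops the query, which is
    what a post-Flag-Day resolver surfaces to its clients as SERVFAIL/timeout.
    """
    if response is None:
        return {"verdict": "timeout", "has_opt": False, "version": None,
                "drops_edns": True}
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", response[:12])
    if qid != struct.unpack(">H", query[:2])[0]:
        return {"verdict": "id mismatch", "has_opt": False, "version": None,
                "drops_edns": False}
    rcode = flags & 0xF
    pos = 12
    for _ in range(qd):                # skip the echoed question section
        pos = skip_name(response, pos) + 4
    has_opt, version = False, None
    for _ in range(an + ns + ar):      # walk every RR looking for OPT
        pos = skip_name(response, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", response[pos:pos + 10])
        if rtype == TYPE_OPT:
            has_opt = True
            rcode |= (ttl >> 24) << 4  # merge the extended RCODE bits
            version = (ttl >> 16) & 0xFF
        pos += 10 + rdlen
    return {"verdict": RCODE_NAMES.get(rcode, str(rcode)), "has_opt": has_opt,
            "version": version, "drops_edns": False}


# Constructed sample replies for example.com (not captured from a real server).
_QN = encode_name("example.com") + struct.pack(">HH", TYPE_A, 1)
SAMPLE_OK = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + _QN
             + b"\xc0\x0c" + struct.pack(">HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
             + b"\x00" + struct.pack(">HHIH", TYPE_OPT, 1232, 0, 0))
SAMPLE_BADVERS = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 0, 0, 1) + _QN
                  + b"\x00" + struct.pack(">HHIH", TYPE_OPT, 1232, 1 << 24, 0))


def run_probes():
    """Run the probes against the canned replies; returns {probe: verdict}."""
    return {
        "edns0": classify_response(build_query("example.com", edns_version=0), SAMPLE_OK)["verdict"],
        "edns1": classify_response(build_query("example.com", edns_version=1), SAMPLE_BADVERS)["verdict"],
        "dropped": classify_response(build_query("example.com", edns_version=0), None)["verdict"],
    }


if __name__ == "__main__":
    for probe, verdict in run_probes().items():
        print(f"{probe}: {verdict}")
```

To use this against a real zone you would send `build_query(...)` over UDP to each authoritative server with a short timeout and pass the raw reply (or `None` on timeout) to `classify_response`; only the `timeout` verdict corresponds to the "drops EDNS queries" behaviour the thread is about, while FORMERR or a missing OPT record are compliance problems that the new resolvers still tolerate.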
