What is expected on/after "DNS Flag Day" (Feb 1, 2019)?


#1

Are there any known issues relating to LE cert issuance?
How should we prepare for this?



#2

When the Let’s Encrypt resolvers are upgraded to the next version of Unbound, they will no longer talk to authoritative nameservers that drop EDNS queries.

https://www.isc.org/blogs/dns-flag-day/

A small number of domains will probably be unable to get certificates.

(Some others should become more reliable.)

Since certificates don’t renew very often, some people will probably notice that the quad-n resolvers can’t find their domains before they notice that Let’s Encrypt renewal isn’t working.


#3

What about brand new cert requests?


#4

There can’t be many people securing their websites while using DNS servers that have been broken since 1999, but yeah.


#5

So:

[even if only a small number]

Are there tell-tale signs?
What would the “error” message look like?


#6

The error message from Let’s Encrypt? Just a SERVFAIL or DNS timeout error.

To tell it apart from other issues, the zones would have to be scanned with ednscomp or something.


#7

This seems concerning (to me):

https://social.technet.microsoft.com/Forums/en-US/960ff2e3-c72e-47a3-b502-ec07f976c4bb/windows-server-2016-dns-not-fully-edns-rfc-compliant?forum=winserveripamdhcpdns

Some “related” examples:
msft.net = https://ednscomp.isc.org/ednscomp/def06d562d
azure-dns.net = https://ednscomp.isc.org/ednscomp/1495c20c2d


#8

It’s not good, but it’s not dropping queries.


#9

EDNS has the version 0. But the EDNS1 tests check the answer of a (not defined) EDNS1 query.

The ednsopt - test checks the answer, if the client sends undefined options.

The edns1opt test combines both checks.

Check

A Common Operational Problem in DNS Servers - Failure To Respond.
draft-ietf-dnsop-no-response-issue-08

https://tools.ietf.org/id/draft-ietf-dnsop-no-response-issue-08.html


closed #10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.