One of the interesting/horrifying things I see as part of my work in Domain Generation Algorithms is the horrifying things people do to their zone files and bizarre DNS server implementations out there. DNS as a protocol has been around a long time and its core to how the Internet works. As such, every update to DNS servers have included backwards compatibility that have left some inefficiencies and gaps that the community is seeking to close. Accordingly, on 1 February 2019, they announced DNS Flag Day. That will be the day for a coordinated release of DNS software to remove support for incompatible implentations of DNS server software that are still operating out there (and often causing problems).

This means for every organizations, the need to verify if their domain and authoritative DNS resolver are prepared for the change. The website linked above has a rudimentary testing script where you enter your domain and it tells you if your domain is supported and good to go.

If not, you'll need to update your auth DNS server to a modern version to accomodate these changes. If you operate your own recursive resolver, you don't need to do anything, but if you do use the following modern versions of DNS resolvers, you will no longer support those incompatible name servers:

• BIND 9.13.3 (development) and 9.14.0 (production)
• Knot Resolver has already implemented stricter EDNS handling in all current versions
• PowerDNS Recursor 4.2.0
• Unbound 1.9.0

TL;DR check out https://dnsflagday.net to ensure your domain is ready and if not, update your nameservers or you will see your infrastructure start to go dark.

--
John Bambenek
bambenek \at\ gmail /dot/ com
ThreatSTOP