Internet Domain Holders Need To Test Their Sites for 'DNS Flag Day'

The event for organizations and IT pros known as "Domain Name System Flag Day" will kick off on Friday, Feb. 1, 2019.

On that day, the major DNS resolver vendors will start shipping software releases that drop the workarounds their resolvers have long carried for authoritative servers and firewalls that mishandle Extensions to DNS (EDNS) queries, such as retrying a query without EDNS when the first attempt goes unanswered. Those workarounds exist only to accommodate older or misconfigured DNS software that is still deployed. A notification on the coming DNS Flag Day was issued this week by US-CERT.

DNS administrators and organizations with an Internet presence (that is, the "domain holders" for their Web site names) should test the authoritative name servers for their domains beforehand to ensure they'll be ready for the new resolver software.

Removing the workarounds eliminates the extra round trips and retries they cause, which can delay resolution. It also clears the way for newer DNS features, since resolvers will be able to assume EDNS works. For instance, the updates will bring support for DNS cookies (RFC 7873), which can be used to reduce distributed denial-of-service attacks based on "DNS protocol abuse," according to an explanation by the Internet Systems Consortium.

Domains whose authoritative servers run noncompliant software may stop resolving once the updated resolver software is deployed. Web sites having "incompatible authoritative servers may become unreachable through updated resolvers" after the Feb. 1 date, according to the DNS Flag Day site.

DNS software vendors have been rather patient. Some systems have been noncompliant for years, either with the original DNS standard or with the newer Extensions to DNS (EDNS) specification.

"This change will affect authoritative servers which do not comply either with the original DNS standard from 1987 (RFC1035) or the newer EDNS standards from 1999 (RFC2671 and RFC6891)," the DNS Flag Day site explained. 

The DNS providers listed as participating in DNS Flag Day include Cisco, CleanBrowsing, CloudFlare, CZ.NIC, Facebook, Internet Systems Consortium, NLNetLabs, PowerDNS and Quad9.

Microsoft issued an announcement this week indicating that it is only detecting "minor problems," at worst, on the DNS services that are used with its Azure datacenter traffic. It is rolling out fixes, but they may not all get completed until after DNS Flag Day. However, the delay "is not expected to cause any impact to our customers or services," Microsoft indicated. No actions are required by Azure customers.

Similarly, no actions are needed by ordinary Internet users lacking domain name ownership, according to the DNS Flag Day page.

Windows Server users could get a "Minor problems detected" message after running the tests, but functionality won't be affected, according to a Jan. 31 Microsoft support article. Microsoft plans to deliver fixes for Windows Server via the Windows Update service after DNS Flag Day.

"No action is required for the DNS Server Role on DNS Flag Day," the Windows Server support article indicated. It added that "Administrators will need to install enhancements when they become available on Windows Updates." 

DNS resolves the user-friendly domain names of Internet sites into the numerical Internet addresses that identify their servers. For instance, "" is one such user-friendly domain name for numbers like "". The domain passed the test that's available on the DNS Flag Day page.

It's also possible to run this test from the Internet Systems Consortium site here. However, watch out for timeouts, firewalls or intrusion prevention systems that may drop the test queries and produce misleading results, according to a Center for Internet Security post on DNS Flag Day.
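The checker behind these tests sends a few queries to each of a domain's authoritative servers and compares the answers with what RFC 1035 and RFC 6891 require: a plain query with no OPT record must get NOERROR and no OPT back, an EDNS version 0 query must get NOERROR with an OPT record of version 0, and a query with an EDNS version nobody implements must get BADVERS with an OPT record of version 0. A dropped query (timeout) fails every check. The following is an added example, not code from the DNS Flag Day project, ISC or the article: a minimal Python probe that builds those queries on the wire, parses the reply including the extended RCODE carried in the OPT record, and reports whether each answer is compliant. The server address 192.0.2.53, the zone example.com, the choice of 100 as the "unknown" EDNS version, and the constructed replies used for the offline run are all assumptions.

```python
import random
import socket
import struct

SOA, OPT, IN = 6, 41, 1
BADVERS = 16  # extended RCODE for "unsupported EDNS version" (RFC 6891)

def _name(zone):
    """Domain name in wire format: length-prefixed labels plus a root terminator."""
    labels = [l for l in zone.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def _opt(ext_rcode=0, version=0, udp_size=4096):
    """OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
    TTL = extended RCODE (8 bits) | EDNS version (8 bits) | flags (16 bits)."""
    return b"\x00" + struct.pack("!HHIH", OPT, udp_size, (ext_rcode << 24) | (version << 16), 0)

def build_query(zone, edns_version=None):
    """Non-recursive SOA query; edns_version=None sends plain DNS with no OPT record."""
    txid = random.randrange(0x10000)
    pkt = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0 if edns_version is None else 1)
    pkt += _name(zone) + struct.pack("!HH", SOA, IN)
    if edns_version is not None:
        pkt += _opt(version=edns_version)
    return txid, pkt

def _skip_name(buf, off):
    """Step over a wire-format name, honouring compression pointers (0xC0xx)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2  # a pointer is two bytes and ends the name
        off += 1 + length

def parse_response(buf):
    """Extract txid, the full 12-bit RCODE and the OPT record (if any) from a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    result = {"txid": txid, "rcode": flags & 0x0F, "opt": None}
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            result["rcode"] = ((ttl >> 24) << 4) | (flags & 0x0F)
            result["opt"] = {"version": (ttl >> 16) & 0xFF, "flags": ttl & 0xFFFF, "udp_size": rclass}
    return result

def evaluate(edns_version, resp):
    """Return (ok, expectation) for one probe, per RFC 1035 / RFC 6891 responder rules."""
    if resp is None:
        return False, "no reply: the server, or a firewall in front of it, dropped the query"
    opt = resp["opt"]
    if edns_version is None:
        return resp["rcode"] == 0 and opt is None, "plain DNS: expect NOERROR and no OPT record"
    if edns_version == 0:
        ok = resp["rcode"] == 0 and opt is not None and opt["version"] == 0
        return ok, "EDNS version 0: expect NOERROR with an OPT record of version 0"
    ok = resp["rcode"] == BADVERS and opt is not None and opt["version"] == 0
    return ok, "unknown EDNS version: expect BADVERS with an OPT record of version 0"

def probe(server, zone, edns_version, timeout=3.0):
    """Send one query over UDP/53; None on timeout, the failure mode the flag-day tests catch."""
    txid, query = build_query(zone, edns_version)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    resp = parse_response(data)
    return resp if resp["txid"] == txid else None  # discard replies to some other query

def run_checks(server, zone):
    for version in (None, 0, 100):  # plain DNS, EDNS0, and an EDNS version nobody implements
        ok, expectation = evaluate(version, probe(server, zone, version))
        print("PASS" if ok else "FAIL", expectation)

def fake_reply(txid, zone, rcode, opt_version=None):
    """Constructed sample reply (not captured traffic) so the parser can be exercised offline."""
    pkt = struct.pack("!HHHHHH", txid, 0x8000 | (rcode & 0x0F), 1, 0, 0, 0 if opt_version is None else 1)
    pkt += _name(zone) + struct.pack("!HH", SOA, IN)
    if opt_version is not None:
        pkt += _opt(ext_rcode=rcode >> 4, version=opt_version)
    return pkt

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        run_checks(sys.argv[1], sys.argv[2])  # e.g. 192.0.2.53 example.com (assumed values)
    else:  # offline: a compliant BADVERS reply, then a broken server answering NOERROR instead
        for rcode in (BADVERS, 0):
            print(evaluate(100, parse_response(fake_reply(1, "example.com", rcode, 0))))
```

Run it as `python probe.py <server-ip> <zone>` against each NS record of the domain, not just one, since a single broken or firewalled secondary is enough to make the domain intermittently unresolvable. Queries are sent with RD cleared, as the flag-day tests do, so a recursive resolver in the path is not what gets measured; and a timeout on the EDNS queries while the plain query succeeds is the classic signature of a firewall or "DNS inspection" device dropping packets with an OPT record, which is exactly what the updated resolvers will no longer work around.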

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
