CVE 25th Anniversary
On the long-term scale of human history, 25 years is nothing.
Read postDespite this, there continue to be non-compliant implementations. DNS software developers have tried to solve the problems with the interoperability of the DNS protocol and especially its EDNS extension (RFC 6891 standard) by various workarounds for non-standard behaviors. However, temporary workarounds are not a long-term solution. These workarounds excessively complicate DNS software and are now also negatively impacting the DNS as a whole. The most obvious problems caused by these workarounds are slower responses to DNS queries and the difficulty of deploying new DNS protocol features. Some of these new features (e.g. DNS Cookies) would help reduce DDoS attacks based on DNS protocol abuse.
To prevent further deterioration of DNS services, the developers of four major open source DNS software systems have agreed to discontinue support for these non-standard solutions. All new releases of DNS software from CZ.NIC, ISC, NLnetlabs, and PowerDNS after February 1, 2019 will not contain workaround code for non-compliance with EDNS standard RFC 6891.
You can test your domains and authoritative DNS servers using the web application https://ednscomp.isc.org/ednscomp/. A test result with a green message “All Ok” indicates that you are already prepared for the changes and do not need to do anything. If the result of the test is anything else than the green message “All Ok”, please update your DNS software. If you are using the latest version of your server software, please contact its developer and ask for a fix. In this case, we recommend attaching a link to the test result, which contains technical details, to your message.
Please note that full EDNS support (RFC 6891) in DNS software is not mandatory.
In case you decide not to support EDNS it is mandatory to correctly answer queries with EDNS in accordance with RFC 6891 section 7, i.e. namely to answer with a valid DNS message containing RCODE=FORMERR. Please follow the RFC mentioned above while implementing this. Thank you!
Domains served by DNS servers that, according to the above-mentioned tests, are not compliant with the standard, will not function reliably after February 1, 2019, and may become unavailable.
We are aware of the importance of this change and we want to inform as many people as possible. We are going to keep drawing attention to this change, which will begin to apply in less than a year. If you have the ability to spread this information to people who are in charge of networks and DNS servers, we will be glad if you share the link to this blog post. Our goal is a reliable and properly functioning DNS that cannot be easily attacked.
Adapted (with permission) from a blog post at CZNIC by: Petr Špaček
What's New from ISC