DNS flag day & EDNS compliance


#1

Hi there,

In case you still don’t know, on February 1st, major DNS resolver software vendors and DNS public resolvers will STOP doing workarounds to avoid misconfigurations in authoritative DNS servers and will start FAILING on errors found (especially regarding EDNS configuration and filtering).

This was announced months ago; you can find all the info at https://dnsflagday.net/

Even though we are less than one month away from the flag day, Dreamhost’s authoritative servers don’t seem to be properly configured for this (even for their own domain dreamhost.com).

The friendly Dreamhost DNS staff could do much worse than check the DNS software, configuration and filters in ns[123].dreamhost.com.

See https://ednscomp.isc.org/ednscomp/c9f055769a for a list of current errors.

You can check any domain name at https://ednscomp.isc.org/ednscomp

Regards.
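
What an EDNS compliance probe inspects, as an added example that is not part of the original post and is not the ISC tester's code: it builds a query with an OPT record and classifies the reply using RFC 6891 rules (an OPT record in the answer to a version 0 query, BADVERS for an unsupported version, no reply at all counted as a timeout). The function names, the `example.com` name and the sample replies are constructed for illustration.

```python
import struct

OPT, BADVERS = 41, 16

def build_query(name, edns_version=0, udp_size=1232, qid=0x1234):
    """SOA query carrying an OPT pseudo-record (RFC 6891)."""
    header = struct.pack("!6H", qid, 0, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\0"
    # OPT RR: root owner, TYPE=41, CLASS=UDP size, TTL=ext-rcode|version|flags, RDLEN=0
    opt = b"\0" + struct.pack("!HHBBHH", OPT, udp_size, 0, edns_version, 0, 0)
    return header + qname + struct.pack("!HH", 6, 1) + opt  # QTYPE=SOA, QCLASS=IN

def skip_name(msg, off):
    """Step over a (possibly compressed) name and return the next offset."""
    while msg[off] and (msg[off] & 0xC0) != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_edns(msg):
    """Return (12-bit RCODE, EDNS version), version None when no OPT is present."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, rcode, version = 12, flags & 0xF, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            rcode |= (ttl >> 24) << 4  # upper 8 RCODE bits live in the OPT TTL
            version = (ttl >> 16) & 0xFF
    return rcode, version

def classify(sent_version, reply):
    """Verdict for one probe; reply is raw bytes, or None for a timeout."""
    if reply is None:
        return "timeout"
    rcode, version = parse_edns(reply)
    if version is None:
        return "no-edns"  # reply carries no OPT record
    if sent_version == 0:
        return "ok" if rcode == 0 else "rcode-%d" % rcode
    return "ok" if rcode == BADVERS else "badvers-missing"

def sample_reply(query, rcode, opt=True):
    """Constructed reply (not captured traffic) echoing the question section."""
    hdr = struct.pack("!6H", 0x1234, 0x8400 | (rcode & 0xF), 1, 0, 0, int(opt))
    tail = b"\0" + struct.pack("!HHBBHH", OPT, 4096, rcode >> 4, 0, 0, 0) if opt else b""
    return hdr + query[12:-11] + tail
```

To test a real server, send `build_query(...)` over UDP port 53 with a timeout and pass the received bytes (or `None` when nothing comes back) to `classify`.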


#2

This is bad. Thanks for the info.


#3

OK, I’ve read up on this and verified that my domains (and dreamhost.com) fail EDNS compliance. Now I’m upset and terrified that all of my services might die on or around February 1st. This includes email which isn’t even hosted here, but since my domain is hosted here and my MX points elsewhere, I believe EDNS queries will fail to resolve ALL DNS records, not just websites.

This issue affects shared hosting, VPS, DreamCompute, and DreamObjects.

This is really bad.

OK DH, what’s going on?


#4

I don’t think the situation is apocalyptic. The DNS flag-day site itself says that Dreamhost’s DNS servers will work after flag day. When I enter a DH DNS-hosted domain on https://dnsflagday.net, it states:

This domain is going to work after the 2019 DNS flag day [ BUT …]

The “BUT” is for “Minor problems” because DH DNS-servers don’t support the latest DNS standard. A lot of sites get this minor warning, for example github.com (where the DNS flag-day source is hosted).

Of course, it would be best if DH got a green “All OK!” report.


#5

GitHub, BitBucket, Slack, Twitter, DreamHost, WordPress.org … a LOT of high-profile sites fail the test.
Looking at Reddit and Ycombinator discussions, this seems to have blindsided a LOT of people. If it weren’t for Google being listed as supporting this I could accept this is largely a crank. The @dnsflagday Twitter account doesn’t have many followers, not a good sign even for an apocalypse.
Still researching…


#6

Support replied to me that they are not planning to make any changes. Their reply sounded cavalier IMO.

To me, this is another indication Dreamhost chooses to ignore the needs of their customers by not keeping up with web standards.

Shared hosting still does not support HTTP/2.

