alert Major DNS changes on Feb 1

DNS Flag Day is February 1, 2019--that's just one week from today. If your domain names use DNS servers that aren't ready, they'll be slow or entirely unavailable to a large percentage of the internet.

If you have multiple domain names with the same nameservers, you only need to test one in the group. For example, if half of your domains use GoDaddy's nameservers and another half use Dynadot's, you only need to test two domains, one for each provider.

Test your DNS provider's configuration here (simple) or here (technical).

Edit: Note that if these tests report "minor problems," there's no need for concern unless you operate the nameservers in question. Problems categorized as minor shouldn't cause immediate problems on Feb 1, but aren't ideal long-term. For example, in some cases, they might make it easier for attackers to abuse the affected nameservers.
 
33
•••
These email mechanisms were designed for Name/Brand protection.
If you don't need them - this is another story and your own choice.
 
0
•••
Was this something that was known for a while that would change? Or is it something that was thrown upon the DNS world without much notice?

It's been planned for a while but unfortunately hasn't received much attention. I only just recently found out myself. The underlying improvements have been around since 1999; what's being dropped (finally) are workarounds that permit backwards compatibility with the pre-1999 protocol. The workarounds cause a number of issues, and permitting pre-1999 DNS at all can be dangerous, so this is long overdue. The deadline itself, though, is relatively new (~1 year, I believe, but don't quote me on that).

Don't worry about the "slow", that's usually resolving multiple DNS servers. Just check the outputs as each DNS server is interrogated during the test.

In my tests, when the site indicates slow, post-Flag Day-style lookups increased by upwards of 3 seconds. If it says "slow", you should be concerned.

I think if this DNS change was going to be so destructive it would be front page news and even your grandmother would have heard about it.

Based on my testing and understanding of the intended changes, it seems as though it will be destructive if people aren't prepared. I wouldn't expect the internet to collapse, but there are probably going to be sporadic outages of various services on Feb 1. Because word hasn't really spread, it's going to take big companies time to figure out what's wrong and why it's not affecting some customers.

This reminds me of when SPF/DKIM was going to break the internet email system if you didn't upgrade. It's been in use for years now and most servers still do not use either.

Anyone who's tried to automatically forward emails from NamePros without a proper DKIM and/or ARC implementation can attest that lack of DKIM-compatibility does, in fact, break stuff. We don't see it too often, but it does happen from time to time.

Absolutely all major email providers are using SPF/DKIM/DMARC.

Correct--at least, all the reputable ones. Who knows what Yahoo does. They're still using spam filtering tech from the 90's.

Which means it does NOT break anything if you do not have them. That was the point.
I'm not going to get into semantics. Lacking SPF/DKIM on your end does not break anything talking to a SPF/DKIM enabled server.

Well... in theory, yes, but in practice, deliverability rates drop significantly. This may not be relevant for an individual, but for an organization like NamePros that sends hundreds of thousands of emails per month, one additional percentage point of bounces means thousands of dropped emails. Basically, by implementing DKIM + SPF + DMARC on our end, we're providing the recipients with additional assurance that the emails came from us, which can cut down on certain kinds of rejections. Many forms of unwanted email either aren't able or don't bother to make these assurances. We've seen near-100% deliverability since implementing DMARC. If we were to exclude Yahoo, it'd probably be just a handful of emails shy of 100%.

These email mechanisms were designed for Name/Brand protection.
If you don't need them - this is another story and your own choice.

They can be used for that, but they're actually primarily to prevent phishing. For NamePros, it's not about our brand; it's about protecting our users from fraud and related issues. Many other organizations are in a similar boat, and some industries mandate the usage of DMARC. Spear phishing is a big issue. I always use DKIM + SPF + DMARC, even for my personal domains. It's quick, easy, and effective.
 
7
•••
VodaHost, Uniregistry, GD - OK
Dynadot - not so good
 
0
•••
@Dynadot

Fatal error detected!

This domain is going to STOP WORKING after the 2019 DNS flag day!
 
2
•••
Thanks Paul, so I checked a domain that's using BrandBucket nameservers and got: Serious problem detected! SLOW

This domain will face issues after the 2019 DNS flag day. It will work in practice, BUT clients will experience delays when accessing this domain. We recommend you request a fix from your domain administrator! You can refer them to https://dnsflagday.net/ and
technical report https://ednscomp.isc.org/ednscomp/038f49194a

So this means BrandBucket needs to get to work?

@Andreia Soares - Hi Andreia, As the only person I know on NamePros that is a BrandBucket employee I thought I'd tag you so you can make BrandBucket aware of this DNS Flag issue. Many of us on NamePros (me included) have names published on BB so would be good to see this resolved :)
 
0
•••
Thank you to everyone who has tagged us in the thread, we don't have an update at this time unfortunately but our team are working on this and we will post an update as soon as we have some more information.
 
5
•••
Another reason to use your own DNS servers. I've been using PowerDNS for ages and am glad they addressed this issue in the past. Keeping the software updated does the trick. I'm glad they will be enforcing EDNS as it should provide an extra layer of protection. Think of it in the way that Google gradually starts to enforce websites using an encrypted connection (SSL). Maybe we don't realise it (yet) but we all benefit from this. Unless you're in the certificate business of course, as since they started pushing SSL it has basically become available for free :)

Back on topic, if you're using your shared hosting provider's DNS I'd check for sure. You'd be amazed how many hosting companies think lightly of a good configured DNS setup. If you want some insight on your domains give intodns.com a try. They do a great generic check on your domain DNS health although a custom setup may raise some flags that aren't necessarily a bad thing.
 
2
•••
I'm summoning @namesilo

I'm using your DNS for one site (very important site)

Should I be worried?

Thanks
 
0
•••
Thanks for tagging us in this thread. We are already compliant with the required updates so there shouldn't be any issues on Feb 1st.

The beauty of our DNS is that it is very simple - 99.9999% of replies fit in 512 bytes, a single legacy DNS UDP packet. They note that "failure to address issues identified here may make future DNS extensions that you want to use ineffective". EDNS is largely about squeezing more than 512 bytes in a reply without replying with a truncated response over UDP to initiate a retry over TCP.

Basically, this all means that you don't need to worry about this on our end.
 
4
•••
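
The EDNS mechanism described in the post above comes down to one extra record in the query and in the reply. As an added example (not from the thread or from the test sites it links to), this Python sketch builds a query carrying an OPT record and inspects a reply for the RCODE, the TC (truncated) bit and any OPT record; the function names and the two sample replies are constructed for illustration.

```python
import struct

OPT = 41  # EDNS(0) OPT pseudo-record type (RFC 6891)

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_edns_query(qname, qid=0x1234, udp_size=4096):
    """Build an A query whose additional section carries one OPT record."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    # OPT: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags
    return header + question + b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)

def skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def inspect_response(msg):
    """Report RCODE, the TC bit and any OPT record found in a reply."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    result = {"rcode": flags & 0xF, "truncated": bool(flags & 0x0200), "edns": False}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            result.update(edns=True, udp_size=rclass, version=(ttl >> 16) & 0xFF)
    return result

# Constructed sample replies (not captured traffic) to the query Q.
Q = build_edns_query("example.com")
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
# EDNS-aware server: NOERROR, one answer, OPT echoed back.
MODERN = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 1) + Q[12:-11] + A_RR + Q[-11:]
# Pre-EDNS server: FORMERR and no OPT record.
LEGACY = struct.pack("!HHHHHH", 0x1234, 0x8401, 1, 0, 0, 0) + Q[12:-11]

if __name__ == "__main__":
    print(inspect_response(MODERN))
    print(inspect_response(LEGACY))
```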
Anyone using cloudflare's DNS should be OK.
 
1
•••
Most of my domains on Go Daddy are all good. However the ones using https (SSL) are coming back with 'Minor problems detected!'

What would cause this? One in particular uses what is called an EV SSL - entire global organisation covered under one SSL.
 
0
•••
SSL has no relation to nameservers (DNS).
 
1
•••
Open WHOIS...
And check nameservers...
The same NS as for your other domains?
 
1
•••
@Paul Buonopane is this related to the same thing.

Screenshot_2019-01-24-17-39-33-361_com.android.chrome.png
Screenshot_2019-01-24-17-40-02-329_com.android.chrome.png
 
0
•••
...Uniregistry... - OK

However:
https://dnsflagday.net/ said:
Minor problems detected!

This domain is going to work after the 2019 DNS flag day BUT it does not support the latest DNS standards. As a consequence this domain cannot support the latest security features and might be an easier target for network attackers than necessary, and might face other issues later on. We recommend your domain administrator to fix issues listed in the following
technical report https://ednscomp.isc.org/ednscomp/d8c39c8227
 
0
•••
Thank you to everyone who has tagged us in the thread, we don't have an update at this time unfortunately but our team are working on this and we will post an update as soon as we have some more information.

@Dynadot Will this be ready by Feb 1st? Or will our websites become inaccessible for a while?!

Thank you
 
0
•••
Folks,

Epik has no critical issues and will have zero issues before February 1. However, before February 1, we are also adding a few additional features for DNS resiliency as follows:

1. Resilient / Distributed DNS with full support for IPv6, DNSSEC, etc. This will go to all customers -- essentially adding Cloudflare/Anycast resiliency to any domain for free to customers who use Epik DNS.

2. A free VPN service and DNS resolver that is part of the framework for so-called "Unstoppable Domains" that resolve even when DNS fails. It is based on the industry best practice OpenDNS but uses a proprietary distributed Content Delivery Network. You can already retrieve the free VPN here:

https://anonymize.com/

Side note - Anonymize.com will become a full privacy suite, not just free WHOIS protection but also VPN, web proxy, and proxy search.

3. A no-track, resilient free DNS resolver which you can start using today instead of 8.8.8.8. Here it is:

DNS Server 1: 51.38.71.20
DNS Server 2: 192.99.212.40

Incidentally, if you use these DNS, even if the public DNS breaks, any domains using Epik DNS will continue to resolve normally.

Finally, I want to acknowledge the community and the registrars for getting the word out. I would like to know from Godaddy how they knew about this change well before most other registrars. Weird times.
 
2
•••
Might be minor issues at some of these landing pages places like UnDeveloped etc. or at parking cos. but I doubt any major hosting company hostgator hostinger etc. is going to have any issues whatsoever.
 
2
•••
Might be minor issues at some of these landing pages places like UnDeveloped etc. or at parking cos. but I doubt any major hosting company hostgator hostinger etc. is going to have any issues whatsoever.

You'd be surprised. The team behind DNS Flag Day did a very poor job of spreading the word. It was publicly announced almost a year ago, but little effort was made to ensure it received adequate attention. I only just found out about it recently.

@Paul Buonopane is this related to the same thing.

No, that's unrelated. If you see that again, please DM me with details or use the support widget in the bottom-right corner of the page. 502 doesn't always indicate this, but when it's a white page with "cloudflare" on it, it's a problem on Cloudflare's end.
 
0
•••
Well I and clients of mine just tested websites hosted at hostgator and hostinger all came back A-Okay.

I tested the parking co. I use, and minor issues were there.

So, I really do think that the major hosting cos. are on top of this, but parking and the landing page only outfits might not yet be.
 
0
•••
So, I really do think that the major hosting cos. are on top of this, but parking and the landing page only outfits might not yet be.

There are definitely a large number of major companies that are still noncompliant. I'm waiting on a report from a friend in the security industry to give exact numbers, but the spot testing I've done doesn't look promising.
 
0
•••
Tomorrow DNS changes Day on Feb 1
 
1
•••