DNS Flag day, the aftermath
Sebastian Castro
Back in October 2018 we blogged about the upcoming DNS Flag Day, and how it could potentially affect .nz domains.
Because InternetNZ regularly tested .nz domains for potential failure after 1 February 2019, and ran a communication campaign with DNCL to reach those affected and get a fix implemented, we accumulated data that tells the story of how our community reacted to this event.
As the DNS Flag Day initiative also gathered support from public DNS resolvers such as Cloudflare, Google DNS and Quad9, breakage expectations completely changed. What was originally expected to be a slow roll out turned into a faster rollout with more bite.
To provide a mental refresher, the DNS Flag Day test applies 9 different EDNS tests to a nameserver, expecting a valid DNS response. If the query leads to a timeout, it's considered a failure. Any other DNS response is considered acceptable but not perfect.
The number of nameservers hosting .nz domains was quite stable during the collection period. Back in July 2018, 25,816 nameserver addresses were tested, compared to 26,650 unique addresses at the end of January 2019.
The figure below shows how the compliance by nameserver changed in 6 months, by showing the fraction of nameservers fully passing each test.
In general there are improvements in all tests, mainly around the EDNS1 tests. A keen observer will notice an actual drop in the OPTLIST test.
CZ.NIC and domain status
Our colleagues from CZ.NIC wrote a tool to analyze a minimal set of nameservers and produce a state for a given domain. Their tool assigns a domain one state before and after the EDNS workarounds have been removed.
- OK: All addresses for all nameservers of a domain pass the EDNS tests.
- Compatible: None of the EDNS tests produce a timeout. There might be some non-critical errors.
- High Latency: Some of the nameserver addresses generate timeouts.
- Dead: All nameserver addresses generate timeouts.
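To make the per-nameserver test described above and the CZ.NIC domain states concrete, here is an added example (not code from InternetNZ or CZ.NIC) that classifies a domain from the outcomes of its nameserver probes and computes the per-test compliance fraction shown in the first figure. The test labels and the sample results are constructed; the real suite has 9 probes of which the post names only EDNS1 and OPTLIST.

```python
from collections import Counter

# Outcome of one EDNS probe against one nameserver address.
PASS, ERROR, TIMEOUT = "pass", "error", "timeout"

# Constructed test labels standing in for the 9 probes of the real suite.
EDNS_TESTS = ("dns", "edns", "edns1", "edns@512", "ednsopt",
              "edns1opt", "do", "ednsflags", "optlist")


def address_state(outcomes):
    """Summarise one address: a timeout on any probe is a failure,
    any other non-valid response is a non-critical error."""
    if any(outcomes.get(t) == TIMEOUT for t in EDNS_TESTS):
        return TIMEOUT
    if any(outcomes.get(t) != PASS for t in EDNS_TESTS):
        return ERROR  # missing or erroneous answer, but no timeout
    return PASS


def classify_domain(results):
    """Map {address: {test: outcome}} to the CZ.NIC-style domain state."""
    states = [address_state(o) for o in results.values()]
    if not states or all(s == TIMEOUT for s in states):
        return "Dead"           # every address times out
    if any(s == TIMEOUT for s in states):
        return "High Latency"   # some addresses time out
    if any(s == ERROR for s in states):
        return "Compatible"     # no timeouts, some non-critical errors
    return "OK"                 # every address passes every test


def compliance_by_test(address_results):
    """Fraction of unique nameserver addresses fully passing each test."""
    passed, total = Counter(), 0
    for outcomes in address_results.values():
        total += 1
        for t in EDNS_TESTS:
            if outcomes.get(t) == PASS:
                passed[t] += 1
    return {t: passed[t] / total for t in EDNS_TESTS} if total else {}


# Constructed sample: one domain with two nameserver addresses, the
# second answering every probe except OPTLIST with a non-timeout error.
SAMPLE = {
    "192.0.2.1": {t: PASS for t in EDNS_TESTS},
    "192.0.2.2": {**{t: PASS for t in EDNS_TESTS}, "optlist": ERROR},
}

if __name__ == "__main__":
    print(classify_domain(SAMPLE), compliance_by_test(SAMPLE)["optlist"])
```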
The plot shows how the classification of the .nz register changed across time during the communication campaign.
The evidence of the success of our efforts is shown here. We moved from 35% of domains passing with flying colors to over 70%, and we dropped the share of Dead domains from 14% to 7%.
Because there are many reasons why a nameserver does not answer our queries, we focused specifically on the domains that will break due to DNS Flag Day effects, those we have been actively chasing.
This is a totally different picture! We started with over 8000 domains affected (1.2% of the registry) and ended at 508 domains (0.07% of the registry). That's a great improvement, considering we also focused on popular domain names that were in the list, such as a few banks, Government agencies and media outlets.
How DNS Flag Day was lived by other members of the community
During Saturday 2 February NZDT there was continuous activity on Twitter about the day. Below are a few selected links and tweets about it.
- ISC, one of the DNS Flag Day organizers and authors of the DNS Compliance test, wrote a blog post wrapping up the day.
- PowerDNS announcement of a new version of PowerDNS Recursor without the workarounds.
- Quad9 announcement
- Google DNS announcement and update
- Domain Pulse picking up our media release
- Thousand Eyes and their guide to surviving DNS Flag Day
- And some of our colleagues in other ccTLDs produced some updates on Twitter