DNS flag day 2020
DNS Software Vendors
It is important for DNS software vendors to comply with DNS standards, and to use a default EDNS buffer size (1232 bytes) that will not cause fragmentation on typical network links.
Relevant standards include RFC 7766 and RFC 6891 sections 6.2.3 and 6.2.4.
The motivation for this effort is described in IETF draft intarea-frag-fragile section 6.1 and IETF draft iab-protocol-maintenance.
How to test?
If you’re the owner of a domain or the operator of an authoritative DNS server, you can use our web-based testing tool to check your domains; you can find it above under Action: Authoritative DNS Operators.
Our web-based testing tool for clients and DNS resolver operators can be found above under Action: DNS Resolver Operators.
You can also test by using the following CLI commands:
$ dig +tcp @auth_IP yourdomain.example.
$ dig +tcp @resolver_IP yourdomain.example.
$ dig @resolver_IP test.knot-resolver.cz. TXT
All DNS queries must be successful, and commands should return the same results both with and without the +tcp option.
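As an added example (not from the DNS flag day page or from any of the vendors listed), this Python script performs the same check as the dig commands above on the wire: it builds a query advertising a 1232-byte EDNS buffer, sends it over UDP and retries over TCP when the reply comes back truncated. The script name check.py and port 53 on the server you pass in are assumptions.

```python
import secrets
import socket
import struct
import sys
def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype=16, bufsize=1232, qid=None):
    """Query with RD set and one OPT pseudo-RR (TYPE 41) in the additional section;
    RFC 6891 section 6.1.2 carries the advertised UDP payload size in its CLASS field."""
    qid = secrets.randbits(16) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # qtype 16 = TXT, class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)  # root name, TYPE, CLASS=bufsize, TTL, RDLEN
    return header + question + opt

def advertised_bufsize(query):
    """Read the buffer size back out of the trailing 11-byte OPT record built above."""
    return struct.unpack("!H", query[-8:-6])[0]

def parse_header(msg):
    """Fields a flag-day check cares about: ID, TC bit, RCODE and answer count."""
    qid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF, "ancount": ancount}
def query_udp_then_tcp(server, name, qtype=16, timeout=3.0):
    """Return (transport, header) of the final answer; a TC=1 UDP reply triggers a TCP retry (RFC 7766)."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    hdr = parse_header(resp)
    if not hdr["tc"]:
        return "udp", hdr
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)  # TCP framing: two-byte length prefix
        length = struct.unpack("!H", s.recv(2))[0]
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                raise ConnectionError("TCP answer cut short; is port 53/TCP reachable?")
            data += chunk
    return "tcp", parse_header(data)
if __name__ == "__main__":  # usage: python3 check.py resolver_IP test.knot-resolver.cz
    print(query_udp_then_tcp(sys.argv[1], sys.argv[2]))
```

A result of ("tcp", ...) with RCODE 0 means the UDP path truncated at 1232 bytes and the TCP fallback worked; a timeout or ConnectionError on the TCP leg is the failure the flag day is about.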
If you are a service provider, you can test your authoritative and recursive DNS services by configuring the default EDNS buffer size:
BIND
options {
    edns-udp-size 1232;
    max-udp-size 1232;
};
Knot DNS
server:
    max-udp-payload: 1232
Knot Resolver
net.bufsize(1232)
PowerDNS Authoritative
udp-truncation-threshold=1232
PowerDNS Recursor
edns-outgoing-bufsize=1232
udp-truncation-threshold=1232
Unbound
server:
    edns-buffer-size: 1232
NSD
server:
    ipv4-edns-size: 1232
    ipv6-edns-size: 1232
The configuration above will have no visible effect if everything works correctly. Some queries will fail to resolve if the TCP transport is not available.