February 1, 2019: is the DNS going to shake?
25 January 2019 - By Vincent Levigneron
A new deadline is about to shake the internet ... After the Year 2000 bug, the drying-up of IPv4 addresses, and the first root key rollover, get ready for the "DNS Flag Day" ... In 1 week...
Explanation
The Domain Name System (DNS), as we know it, was standardized 30 years ago by the IETF (RFC1034 and RFC1035). In internet terms, thirty years is an eternity. The context has changed since then and so have the issues and expectations, but despite its design dating from another age, the DNS continues to be an essential infrastructure for internet communications.
The original structure quickly showed its limits. To meet new needs, an additional standard, EDNS (RFC2671, published in 1999 and updated in 2013 by RFC6891), brought complementary features to support new protocols and extensions, such as DNSSEC, that were not envisioned when the initial DNS standard was designed. The EDNS standard also removed limitations that no longer made much sense, such as the (too low) maximum DNS packet size of 512 bytes.
Not seen as a necessity for a long time, EDNS gained importance with the wide deployment of DNSSEC, among others, which has become an essential part of the DNS protocol. However, there are implementations of the protocol that still do not meet this standard, not to mention poorly configured firewalls that block packets using this option. This leads to responses that are difficult to interpret (or even no response at all) when processing DNS queries, which significantly increases processing time and detracts from the user experience.
The nonconformity of certain hardware has required numerous workarounds in the code of recursive resolvers (provided by the major DNS software vendors), in order to distinguish servers that are genuinely unreachable from servers that do not correctly support EDNS. This makes the code more complex to maintain, less efficient, more fragile, and slower to modify when it comes to handling new technology that relies on EDNS.
As of February 1, 2019, these workarounds will be removed from the new versions of the tools of the major DNS software vendors (ISC for BIND as of version 9.14, CZ.NIC for Knot-Resolver as of version 3.3.0, NLnet Labs for Unbound as of version 1.9.0, PowerDNS for PowerDNS Recursor as of version 4.2.0). Any server not responding to queries using EDNS will consequently be considered unreachable. Some of the major DNS service providers will join the software vendors in this change.
In practical terms, what is going to happen? Probably nothing on D-Day, since the change will only start to be noticeable when the latest versions of the tools (some of which are not yet released in their stable versions) are deployed. But, little by little, malfunctions could appear for DNS zones hosted on servers too lax with respect to the standard or for users behind a poorly configured firewall.
This is why you should check as soon as possible whether the servers that host your DNS zone(s) will be affected by the change, and apply the necessary measures in a timely manner.
How to check?
It couldn't be simpler! Just go to https://dnsflagday.net/ (which provides a detailed technical explanation of this "DNS Flag Day") and use the interface provided for this purpose. Here is the type of result expected for a complying domain name (i.e., not affected):
For a more complete test, it is also possible to use the Zonemaster tool, which is about to be updated for the occasion (stay tuned) and which, in addition to the hundreds of tests it runs on the DNS servers serving your domain names, performs new tests specific to EDNS.
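To make concrete what such a check looks at, here is an added example (not taken from the article, dnsflagday.net, Zonemaster or the CZ.NIC scanner): it builds a query carrying an EDNS(0) OPT record as defined in RFC 6891 and classifies a reply by whether the server answered with an OPT record of its own. The status names and the sample replies are constructed for illustration, and this covers only the basic probe, not the full set of tests those tools run.

```python
import struct

OPT = 41  # RR type of the EDNS(0) OPT pseudo-record (RFC 6891)

def build_edns_query(name, qid=0x1234, udp_size=4096):
    """SOA query for `name` with an OPT record in the additional section."""
    header = struct.pack("!6H", qid, 0, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 6, 1)      # QTYPE=SOA, QCLASS=IN
    # OPT: root owner name, CLASS carries the UDP payload size, TTL carries
    # extended RCODE / EDNS version / flags (all zero here), empty RDATA.
    return header + question + b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)

def skip_name(msg, off):
    """Offset just past the (possibly compressed) name starting at `off`."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def edns_status(reply):
    """Classify a reply to an EDNS query; None means the query timed out."""
    if reply is None:
        return "timeout"
    _, flags, qd, an, ns, ar = struct.unpack("!6H", reply[:12])
    off, version = 12, None
    for _ in range(qd):                 # skip the question section
        off = skip_name(reply, off) + 4
    for _ in range(an + ns + ar):       # walk every resource record
        off = skip_name(reply, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            version = (ttl >> 16) & 0xFF
    if flags & 0x000F == 1:             # FORMERR: RFC 6891 answer of a non-EDNS server
        return "formerr"
    if version is None:
        return "no-opt-in-reply"
    return "edns-ok" if version == 0 else "edns-unexpected"

# Constructed sample replies (not captured traffic), derived from the query.
QUERY = build_edns_query("example.fr")
REPLY_OK = QUERY[:2] + b"\x84\x00" + QUERY[4:]                 # QR+AA, OPT kept
STRIPPED = QUERY[4:10] + b"\x00\x00" + QUERY[12:-11]           # ARCOUNT=0, OPT removed
REPLY_NO_OPT = QUERY[:2] + b"\x84\x00" + STRIPPED
REPLY_FORMERR = QUERY[:2] + b"\x84\x01" + STRIPPED
```

To check a server you operate, send the output of `build_edns_query()` over UDP to port 53 and pass the reply (or `None` on timeout) to `edns_status()`.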
Official communication from DNS software providers:
Level of compliance of the Top-Level Domains (TLDs) managed by Afnic
To determine the impact of this change, we can count on the results of the excellent tool developed by CZ.NIC, namely the "EDNS Compliance scanner for DNS zones" which allows us to scan the entirety of a TLD and carry out the conformance test on the whole TLD zone.
As we will see, the vast majority of delegated zones will not be impacted.
.fr TLD (based on a version of the database dating from January 2019)
| Mode | Permissive (<= 2018) | Strict (2019+) |
|---|---|---|
| Ok | 2919801 (89.89 %) | 2919785 (89.89 %) |
| Compatible | 184898 (5.69 %) | 184893 (5.69 %) |
| High latency | 40316 (1.24 %) | 30068 (0.93 %) |
| Dead | 103047 (3.17 %) | 113316 (3.49 %) |
A few keys to decipher the table:
- The Permissive (<= 2018) column corresponds to the current behavior of DNS resolution software, the Strict (2019+) column corresponds to tool versions without the workarounds;
- The Ok line corresponds to the domains that are compliant, i.e. the vast majority;
- The Compatible and High latency lines indicate non-compliant domains but for which resolution is nevertheless possible;
- The last line, Dead, is the most critical because the difference between the 2 values indicates the number of domain names that will probably fail to resolve.
For the .fr TLD, we can see that to date, more than 100,000 delegated zones are not correctly resolved and that 10,000 new ones could join them from February 1. These are the 10,000 zones that may no longer be resolved at any time after the "DNS Flag Day".
Impact on the other TLDs operated by Afnic
In the twenty or so TLDs we operate, we can see exactly the same distribution in terms of EDNS compliance levels. Of course, because of its size, it is under the .fr TLD that the largest contingent of problematic zones will be found.
All TLDs combined, nearly 11,000 zones will be impacted by the change from February 1.
The recommendation is to carry out the EDNS compliance tests and make the necessary modifications, either yourself or by asking your DNS hosting provider.