
In short, DNS flag day is about dropping support for communicating with broken "DNS servers" that don't support EDNS (one feature of which is support for DNS within UDP packets of size > 512 bytes) - there are currently work-arounds in place that slow down DNS. As support for EDNS has been around for years, it's time the work-arounds were dropped.

As an indication of how old this stuff is, I recall testing that EDNS support worked when I rolled out a Cisco FWSM back in 2004/5.

You might run into trouble if you're running authoritative DNS servers:

a) On really ancient DNS software (Microsoft DNS has been mentioned, although I suspect they're talking about the NT4 era)

b) Behind a broken firewall that assumes that DNS packets > 512 bytes are in error. For anything released in the last 5 years this would probably mean a deliberate configuration choice.

I'm running some of my authoritative DNS servers behind PA firewalls and tested them for compliance a couple of days ago - no issues.

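As an added example (not part of the original post, and not Palo Alto Networks code), the following Python shows what an EDNS(0) compliance probe of the kind the post refers to actually sends and looks for: it builds a query carrying an OPT pseudo-record (RFC 6891) that advertises a UDP payload size larger than the classic 512 bytes, then classifies a reply by whether the responder echoed an OPT record, what payload size it advertised, and whether it answered FORMERR or not at all. The replies it parses are constructed inline for the three cases (EDNS-aware server, legacy server that silently drops OPT, server that rejects EDNS with FORMERR) and are not captures from a real server; the advertised size 4096, the name example.com and the address 192.0.2.1 are assumptions chosen for illustration.

```python
"""Build an EDNS(0) DNS query and judge a responder's EDNS support from its reply (example code)."""
import struct

OPT_TYPE = 41            # RR type of the EDNS(0) OPT pseudo-record (RFC 6891)
EDNS_UDP_SIZE = 4096     # assumed payload size to advertise; 512 is the pre-EDNS limit
RCODE_FORMERR = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS wire format labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_edns_query(name: str, qtype: int = 1, txid: int = 0x1234,
                     udp_size: int = EDNS_UDP_SIZE, do_bit: bool = True) -> bytes:
    """Standard query (RD set) for <name>/<qtype> plus one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # QDCOUNT=1, ARCOUNT=1 (the OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # In the OPT RR the CLASS field carries the UDP payload size and the TTL field carries
    # extended RCODE (8 bits), EDNS version (8 bits) and flags (16 bits, DO is the high bit).
    ttl = 0x8000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)  # root name, RDLEN 0
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name starting at <off> (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def analyse_response(msg: bytes) -> dict:
    """Walk all RR sections of a reply and extract the EDNS-relevant facts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"txid": txid, "rcode": flags & 0x000F, "truncated": bool(flags & 0x0200),
            "opt_present": False, "udp_size": 512, "version": None, "do": False}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4               # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            info["opt_present"] = True
            info["udp_size"] = rclass
            info["version"] = (ttl >> 16) & 0xFF
            info["do"] = bool(ttl & 0x8000)
            info["rcode"] |= (ttl >> 24) << 4       # extended RCODE bits live in the OPT TTL
        off += rdlen
    return info


def edns_verdict(info) -> str:
    """Classify a responder; None stands for a query that got no reply at all (timeout)."""
    if info is None:
        return "TIMEOUT: EDNS query dropped, typically by a firewall or a server that ignores OPT"
    if info["rcode"] == RCODE_FORMERR:
        return "FORMERR: responder rejects EDNS queries, non-compliant with RFC 6891"
    if not info["opt_present"]:
        return "NO-EDNS: responder ignored OPT, replies are capped at 512 bytes"
    if info["version"] != 0:
        return f"UNKNOWN-VERSION: responder claims EDNS version {info['version']}"
    return f"EDNS0 OK: responder accepts UDP payloads up to {info['udp_size']} bytes"


def build_sample_response(query: bytes, rcode: int, a_records, opt_udp_size=None) -> bytes:
    """Constructed reply (not a real capture): echoes the question, adds A RRs and optionally an OPT RR."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    answers = b""
    for ip in a_records:  # name as pointer to the question (offset 12), type A, class IN, TTL 300
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ip.split("."))
    opt = b"" if opt_udp_size is None else b"\x00" + struct.pack("!HHIH", OPT_TYPE, opt_udp_size, 0x8000, 0)
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 1 if opt else 0)
    return header + question + answers + opt


if __name__ == "__main__":
    q = build_edns_query("example.com")
    samples = {
        "edns-aware": build_sample_response(q, 0, ["192.0.2.1"], opt_udp_size=4096),
        "legacy": build_sample_response(q, 0, ["192.0.2.1"]),
        "rejects-edns": build_sample_response(q, RCODE_FORMERR, []),
    }
    for label, wire in samples.items():
        print(f"{label:13} {edns_verdict(analyse_response(wire))}")
    print(f"{'no reply':13} {edns_verdict(None)}")
```

To probe a real server, send `build_edns_query(...)` with `socket.sendto` to port 53 and pass the bytes you get back (or `None` on timeout) through `analyse_response` and `edns_verdict`; a reply that arrives only when the OPT record is removed from the query is the firewall case the post describes.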