01-29-2019 02:14 AM
In short, DNS flag day is about dropping support for communicating with broken "DNS servers" that don't support EDNS (one feature of which is support for DNS within UDP packets of size > 512 bytes) - there are currently work-arounds in place that slow down DNS. As support for EDNS has been around for years, it's time the work-arounds were dropped.
As an indication of how old this stuff is, I recall testing that EDNS support worked when I rolled out a Cisco FWSM back in 2004/5.
You might run into trouble if you're running authoritative DNS servers :-
a) On really ancient DNS software (Microsoft DNS has been mentioned although I suspect they're talking about NT4 era)
b) Behind a broken firewall that assumes that DNS packets > 512 bytes are in error. For anything released in the last 5 years this would probably mean a deliberate configuration choice.
I'm running some of my authoritative DNS servers behind PA firewalls and have tested them for compliance a couple of days ago - no issues.
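The compliance test the reply mentions boils down to one check: send an authoritative server a query that carries an EDNS0 OPT record and see whether it answers, and whether the answer carries an OPT record back. The script below is an added example, not the poster's own test or the dnsflagday.net checker; it builds the EDNS0 query on the wire (RFC 6891), parses a response for the OPT record in the additional section, and classifies the outcome. The sample response bytes, the name `example.com` and the address inside the constructed answer are all made up so the parser can be exercised offline; `probe()` performs the real UDP exchange against a server you name.

```python
import socket
import struct
import sys

OPT_TYPE = 41  # RR type of the EDNS0 OPT pseudo-record


def build_edns_query(name: str, qtype: int = 1, udp_payload: int = 4096, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query with one question and one EDNS0 OPT record advertising udp_payload."""
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    # OPT RR: root owner name, TYPE=41, CLASS=max UDP payload, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, and it terminates the name
            return off + 2
        off += 1 + length


def parse_edns_response(msg: bytes) -> dict:
    """Extract rcode, TC bit, answer count and the OPT record (if any) from a DNS response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    result = {"txid": txid, "rcode": flags & 0x0F, "tc": bool(flags & 0x0200),
              "answers": an, "opt": None}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            # In an OPT record CLASS carries the UDP payload size and the top TTL byte the extended rcode
            result["opt"] = {"udp_payload": rclass, "ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF}
            result["rcode"] |= (ttl >> 24) << 4
    return result


def classify(resp: dict) -> str:
    """Map a parsed response to a flag-day-relevant verdict."""
    if resp["rcode"] == 1:
        return "formerr"        # server rejects the OPT record outright
    if resp["opt"] is not None:
        return "edns-ok"        # server understands EDNS and echoes an OPT record
    return "edns-ignored"       # answered, but silently dropped the OPT record


def probe(server: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one EDNS0 query over UDP to server:53; 'timeout' is the case the flag day stops working around."""
    query = build_edns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify(parse_edns_response(data))


# Constructed sample responses (not captured traffic) so the parser can be checked offline.
_QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
_ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
_OPT_1232 = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, 0)
SAMPLE_EDNS_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + _QUESTION + _ANSWER + _OPT_1232
SAMPLE_NO_OPT_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION + _ANSWER
SAMPLE_FORMERR_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8181, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    for sample in (SAMPLE_EDNS_RESPONSE, SAMPLE_NO_OPT_RESPONSE, SAMPLE_FORMERR_RESPONSE):
        print(classify(parse_edns_response(sample)))
    if len(sys.argv) > 1:  # python edns_probe.py <server-ip> [name]
        print(probe(sys.argv[1], *sys.argv[2:3]))
```

Run it against each authoritative server's IP (from outside the firewall, so the path is tested as well as the daemon): `edns-ok` is what a compliant setup returns; `timeout` is the case the reply describes, a server or firewall that swallows EDNS queries and that resolvers will stop retrying without EDNS. A `tc` of True on the sample query is a separate hint that the path is forcing answers down to 512 bytes.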