This coming Friday, February 1st 2019, DNS software and service providers will be taking part in DNS Flag Day, which aims to promote the use of EDNS (Extension Mechanism for DNS). EDNS was first published in 1999, and has been supported by most DNS software for many years.
Unfortunately, this support is not yet universal, which has required most DNS software and service providers to work around authorities that are not yet RFC compliant. These workarounds are having a detrimental effect on the DNS overall, which is the motivation for DNS Flag Day.
Umbrella has supported EDNS for a very long time, and in fact, relies heavily on EDNS to communicate identity and apply policy. Like most major recursive DNS providers, we have also implemented workarounds for retrying DNS queries without EDNS if an authority failed to properly respond to a query sent with EDNS enabled.
Umbrella supports the efforts of DNS Flag Day in simplifying the DNS. While our eventual plan is to remove support for the EDNS workaround, based on research conducted in the greater DNS community, this change could result in a small number of domains being unreachable for some users. Therefore, in the best interests of our customers, we plan to validate those findings before we begin to phase out the workaround in a staged manner.
You can validate your domain’s support for EDNS today by checking your domain with the ISC EDNS Compliance Tester. In particular, ensure that your domain does not show edns=timeout, as this could mean your domain may experience issues. It’s worth emphasizing that we do not require an authority to support EDNS per se, but we would require them to properly signal that lack of support if they receive a query with EDNS enabled. When the workaround is removed, authorities who do not properly signal that they do not support EDNS will not be retried. If you have additional questions or concerns, please contact Umbrella Support for help.
We recommend all DNS owners work to ensure all of the ISC tests pass (=ok), but the minimum level of support required is that the domain does not specifically show edns=timeout.
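The distinction drawn above, between an authority that signals it lacks EDNS support and one that simply stays silent, shown as an added Python example (not code from Umbrella or ISC). It builds a query carrying an OPT record and classifies the reply following RFC 6891, under which a server without EDNS answers FORMERR or answers normally with no OPT record. The function names, result labels, 4096 payload size and example.com replies are constructed for illustration.

```python
import struct

OPT_TYPE, FORMERR = 41, 1   # OPT pseudo-RR type and FORMERR rcode (RFC 6891 / RFC 1035)

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_edns_query(name, qid=0x1234, qtype=1, udp_size=4096):
    """Wire-format query carrying one OPT record (EDNS version 0, no options)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 1)   # ARCOUNT=1 for OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt

def skip_name(msg, off):
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:        # compression pointer terminates the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def classify(response):
    """Labels are this example's own, not the ISC tester's output format."""
    if response is None:
        return "timeout"                  # no reply at all: the failure case
    try:
        _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
        off = 12
        for _ in range(qd):               # skip question name + QTYPE/QCLASS
            off = skip_name(response, off) + 4
        has_opt = False
        for _ in range(an + ns + ar):     # walk every RR looking for OPT
            off = skip_name(response, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
            off += 10 + rdlen
            has_opt = has_opt or rtype == OPT_TYPE
    except (struct.error, IndexError):
        return "malformed"
    if has_opt:
        return "edns-ok"
    return "no-edns-formerr" if flags & 0xF == FORMERR else "no-edns-plain"

if __name__ == "__main__":
    query = build_edns_query("example.com")          # constructed sample input
    echoed = query[:2] + b"\x84\x00" + query[4:]      # constructed reply that keeps OPT
    formerr = query[:2] + b"\x80\x01" + query[4:10] + b"\x00\x00" + query[12:-11]
    for label, resp in (("echo", echoed), ("formerr", formerr), ("silent", None)):
        print(label, "->", classify(resp))
```

Only the `timeout` result corresponds to the case the article says will stop being retried; the two `no-edns-*` results are authorities that signalled their lack of EDNS support.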
This article has been edited from its original form in order to clarify Umbrella's position.