DNS server upgrades, Tues 18 June

2019-06-12 - News - Tony Finch

On Tuesday 18th June our central DNS resolvers will be upgraded from BIND 9.12.4-P1 to BIND 9.14.2.

DNS Flag Day

The main consequence of this upgrade is that we will be implementing the DNS Flag Day protocol changes. The DNS resolvers will no longer have code to work around broken and buggy domain names. In the past these domains would have been very slow to resolve, whereas in the future they will be more likely to fail completely.

There are very few domains that are broken in this way: most of them were fixed in 2018 during the preparation for the DNS Flag Day.

If you find a domain that is broken in this way, we can configure a per-domain workaround for it. You can check using our resolver consistency test page: if our resolvers fail to resolve a name that other public resolvers do resolve, please report the problem to ip-register@uis.cam.ac.uk.

Version numbers

We are skipping from 9.12 to 9.14 because BIND now uses an odd/even version numbering scheme: 9.13 was the development branch that became 9.14. There is a chart showing the BIND release numbering plan and support schedule in the BIND 9.14 release announcement.

QNAME Minimization

BIND 9.14 includes a DNS privacy enhancement called "query name minimization". This changes the resolver algorithm to avoid leaking details of queries to the root and top-level domain name servers.

QNAME minimization is on by default in BIND 9.14 but we will turn it off. Unfortunately the current implementation causes problems with lame delegations, and there isn't any way to exclude particular broken domain names from QNAME minimization.

There is work in progress to make BIND's QNAME minimization algorithm more lenient, so I hope we will be able to turn it on when BIND 9.16 is released next year.
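To make the privacy difference concrete, here is an added example (not code from this post or from BIND) that simulates the query sequence a resolver sends with and without RFC 7816 QNAME minimization. The delegation tree and server names are constructed placeholders, and the model assumes every name exists and every server answers correctly.

```python
# Added example, not from the original post or from BIND: simulate the
# queries a resolver sends with and without RFC 7816 QNAME minimization,
# so you can see which labels the root and TLD servers get to observe.
# The delegation tree and server names below are constructed placeholders.
ZONE_CUTS = {
    ".": "root.example.",
    "uk.": "tld-uk.example.",
    "ac.uk.": "sld-ac-uk.example.",
    "cam.ac.uk.": "cam-auth.example.",
}

def labels(name):
    """'www.cam.ac.uk.' -> ['www', 'cam', 'ac', 'uk'] (root label omitted)."""
    return [lab for lab in name.rstrip(".").split(".") if lab]

def ancestors(qname):
    """Yield (name, is_full_name) from the TLD down to the full qname."""
    full = labels(qname)
    for depth in range(1, len(full) + 1):
        yield ".".join(full[-depth:]) + ".", depth == len(full)

def classic_queries(qname, qtype="A"):
    """Pre-7816 iteration: the complete qname goes to every server on the path."""
    zone = "."
    queries = [(ZONE_CUTS[zone], qname, qtype)]
    for name, _ in ancestors(qname):
        if name in ZONE_CUTS:          # the previous server returned a referral
            zone = name
            queries.append((ZONE_CUTS[zone], qname, qtype))
    return queries

def minimized_queries(qname, qtype="A"):
    """RFC 7816: ask each server for only one label more than its own zone,
    with type NS, and reveal the full name (and real qtype) only at the end."""
    zone = "."
    queries = []
    for name, is_last in ancestors(qname):
        queries.append((ZONE_CUTS[zone], name, qtype if is_last else "NS"))
        if name in ZONE_CUTS:          # referral: continue at the child zone's server
            zone = name
            if is_last:                # the final name is itself a zone cut: follow it
                queries.append((ZONE_CUTS[zone], name, qtype))
    return queries

def names_seen(queries):
    """Map each server to the set of query names it was shown."""
    seen = {}
    for server, name, _ in queries:
        seen.setdefault(server, set()).add(name)
    return seen
```

With `www.cam.ac.uk.` the classic walk shows the full name to all four servers, while the minimized walk shows the root server only `uk.` and the TLD server only `ac.uk.`.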

Encrypted DNS

At the same time as the BIND upgrade, we will also upgrade our implementation of DNS-over-HTTPS and DNS-over-TLS from OpenResty 1.13 to 1.15. OpenResty is a distribution of NGINX with support for application development in Lua, which is used for our doh101 implementation of encrypted DNS.