2/ In 1999, an extension was added to DNS. Since then, a bunch of DNS clients have behaved badly with the extensions, so DNS servers have implemented workarounds to stop things from breaking.
3/ But this prevents the state of DNS from improving, holding back evolution. So the most popular DNS servers have agreed that as of Feb. 1, they are going to stop providing these workarounds, so some ancient (we are talking 19 years here) clients will break.
4/ Most users won't notice. But some automated systems, maybe some industrial systems, will confusingly fail because they can no longer resolve some names when these servers are updated to the latest version.
5/ The orgs pushing this have some tools to check some things, but the easiest way is to put a packet sniffer on the wire and test which clients are generating requests that don't include EDNS0 flags in them. Those clients may have issues, if not now, eventually.
Replying to @ErrataRob
This is the wrong way around :) EDNS0 isn't becoming mandatory for clients. Clients that don't support EDNS0 will work just fine. It's that domains with buggy EDNS0 implementations on the auth side will stop working for users of updated Bind, Knot, Unbound, PowerDNS resolvers.
Replying to @colmmacc
Yes, but when a domain is bad, it's the people running the clients who will notice. My latest Windows 10 client is fine, but going through an up-to-date BIND resolver, Feb 2 I notice it no longer works on a certain domain.
Replying to @ErrataRob
You're an awesome dude that I look up to! Take a breath! I think 5/ is just wrong :) Clients generating or not generating EDNS0 has nothing to do with this.
To do a meaningful packet sniff test you'd have to do something like dig +edns0 @[auth server] and see how the authoritative server responds. Most clients don't have a mode like that, and you'd need to do it for every domain you're curious about.
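
The test described in the last tweet above, as an added example that is not part of the original thread: it sends a query carrying an EDNS0 OPT record to an authoritative server and reports how the server responded. The function names, the result labels and the 1232-byte UDP size are assumptions of this example.

```python
import socket
import struct

OPT = 41  # EDNS(0) pseudo-record type (RFC 6891)

def build_edns_query(name, qtype=1, txid=0x1234, udp_size=1232):
    """Build a DNS query that carries an OPT record (EDNS version 0)."""
    header = struct.pack("!6H", txid, 0, 1, 0, 0, 1)  # RD=0, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner name, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)
    return header + question + opt

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # pointer is 2 bytes, root label is 1

def classify_response(msg):
    """Summarise how a server answered an EDNS query; msg is None on timeout."""
    if msg is None:
        return "no-response"
    try:
        _txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
        off, has_opt = 12, False
        for _ in range(qd):  # skip the echoed question section
            off = _skip_name(msg, off) + 4
        for _ in range(an + ns + ar):  # walk every resource record
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            has_opt = has_opt or rtype == OPT
            off += 10 + rdlen
    except (IndexError, struct.error):
        return "malformed"
    if flags & 0x000F:
        return f"rcode-{flags & 0x000F}"
    return "edns-ok" if has_opt else "answered-without-opt"

def probe(server_ip, name, timeout=3.0):  # one authoritative server, over UDP
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(name), (server_ip, 53))
        try:
            return classify_response(s.recvfrom(4096)[0])
        except socket.timeout:
            return "no-response"
```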