ISC has joined with the other major open source DNS publishers in an effort to 
upgrade the DNS by removing workarounds for older, ‘broken’ DNS 
implementations.  We have all committed to having versions of our software 
available that remove these workarounds by February 1, 2019.  This industry 
initiative is described on the web site at and on the 
ISC blog at .

We expect the actual impact of DNS Flag Day will be seen only gradually, and 
will be limited to older (mostly Microsoft) DNS servers and installations with 
overly aggressive DNS firewall rules.  

You might be wondering what you should do.  We have published a new KB article 
on this topic: 

Authoritative System Operators
BIND authoritative servers are and have been fully compliant for many years, 
and all currently supported versions of BIND are compliant as authoritative 
systems. However, you might wish to test a few of your zones to ensure your 
firewalls are not blocking EDNS traffic. You can test this at either the site, or at  These hosted tests are 
very busy right now. You can also run many of the same tests using dig (see or if you want to test 
a number of domains, you can download and install the EDNS compliance test tool 

Resolver Operators
BIND resolvers have been doing workarounds for non-BIND non-compliant 
authorities for years. These consist of retrying without EDNS and other similar 
workarounds.  Resolver operators won’t see a change until they update to a 
version of BIND that removes the workarounds. BIND 9.14.0 will remove those 
workarounds: the feature change has been available to development users in BIND 
9.13.4 for a while.  

If you have questions, please feel free to post on so 
we can answer them where everyone will see the answers.

Thank you!

Victoria Risk
Product Manager
Internet Systems Consortium
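
One way to check whether an authoritative server answers EDNS queries over UDP, added here as an example; it is not ISC's compliance test tool or code from this announcement. The function names and the sample replies are constructed for illustration, and it tests only a plain EDNS version 0 query.

```python
import socket, struct

def build_query(name, edns_version=0, udp_size=4096, qid=0x1234):
    """SOA query for name with one EDNS OPT record in the additional section."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)  # RD clear, 1 question, 1 additional
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, udp_size, 0, edns_version, 0, 0)
    return header + qname + struct.pack("!HH", 6, 1) + opt

def skip_name(msg, off):  # offset just past a (possibly compressed) domain name
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_edns(msg):
    """Return (full rcode, EDNS version or None when the reply carries no OPT)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, ext, version = 12, 0, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            ext, version = ttl >> 24, (ttl >> 16) & 0xFF
    return (ext << 4) | (flags & 0xF), version

def classify(resp):  # resp: raw UDP reply, or None when the query timed out
    if resp is None:
        return "timeout"  # EDNS query dropped; no fallback once workarounds are removed
    rcode, version = parse_edns(resp)
    if version is None:
        return "no-opt"   # answered, but without EDNS in the reply
    return "ok" if rcode == 0 else "rcode-%d" % rcode

def probe(server, name, timeout=3.0):  # live check: one EDNS query over UDP to server:53
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            return classify(s.recvfrom(4096)[0])
        except socket.timeout:
            return classify(None)

# Constructed replies (not captured traffic): the query echoed with QR and AA set.
QUERY = build_query("example.com")
SAMPLE_OK = QUERY[:2] + b"\x84\x00" + QUERY[4:]
SAMPLE_NO_OPT = QUERY[:2] + b"\x84\x00" + QUERY[4:10] + b"\x00\x00" + QUERY[12:-11]
```

A "timeout" result from `probe()` against your own server's address is the case to investigate first, since it usually points at a firewall or middlebox dropping EDNS packets rather than at BIND itself.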

bind-announce mailing list