DNS flag day


  • Banned

    For those that use Quad9 or Cloudflare, to keep in mind once pfSense moves to unbound 1.9, and also for everyone that runs a public DNS read up on the DNS flag day: https://dnsflagday.net/


  • LAYER 8 Global Moderator

    I had brought this up in the mod area, pfsense/netgate should make some sort of announcement when they move unbound to 1.9 or the BIND package updates... But they are not sure when that will be, etc. I have not even seen unbound announce if they will release on dnsflagday or not - do you have a link from unbound on their actual release of 1.9? Then it has to port to freebsd, and then it has to be pulled down by pfsense... So I doubt it will happen on flag day.

    But yeah it would be the good thing to do is make some sort of official announcement when it does happen. I don't think it will be much of an issue - but if we get many questions/posts about it - we will have an actual pfsense/netgate announcement about it, etc.. That we can direct them too.


  • Banned

    @johnpoz said in DNS flag day:

    But yeah it would be the good thing to do is make some sort of official announcement when it does happen. I don't think it will be much of an issue - but if we get many questions/posts about it - we will have an actual pfsense/netgate announcement about it, etc.. That we can direct them too.

    The bigger problem is IMHO the users of Quad9 and Cloudflare as they will stop resolving broken domains, among them sites like aliexpress and alibaba. So those user will then come here and complain that pfSense suddenly stopped resolving those domains, not understanding that the "issue" is upstream.

    Of course there is a chance that the admins of these sites get their act together in time, but I wouldn't bet on it.


  • Rebel Alliance Developer Netgate

    The issues raised by that are more for server and firewall admins than DNS resolving clients.

    As long as your firewall passes large DNS packets (which pfSense has since forever) and the DNS server for your domain(s) answers properly, then there is nothing to worry about.

    When unbound 1.9 makes its way in, broken domains may fail to resolve but that isn't an Unbound issue, it's a problem with the servers/domains.

    Even if we pull in Unbound 1.9 the day it's released, it would go into the dev version not a release, so there will be plenty of time to test things when that happens.


  • LAYER 8 Global Moderator

    @jimp said in DNS flag day:

    Even if we pull in Unbound 1.9 the day it's released, it would go into the dev version not a release, so there will be plenty of time to test things when that happens.

    Exactly... But when that does happen some mention of the change might be a good thing.. Since Im with Grimson here if something fails to resolve no matter that the reason is upstream or unbound, etc. They will blame pfsense - they always blame pfsense ;) So having an official announcement about the changes that come with unbound 1.9, or Bind when it rolls into pfsense would be nice to point the users that try and blame pfsense too..


Log in to reply