DNS Flag Day And Array ADCs

May 26, 2021

Last Friday was officially DNS Flag Day. Going forward, DNS software and service providers will remove workarounds for non-compliant systems in order to improve DNS efficiency and to support new mechanisms for DDoS protection. This change will affect servers that do not comply with the original DNS standard (RFC 1035) or the EDNS standard (RFCs 2671 and 6891).

If you’re using Array’s APV Series application delivery controllers with the latest software updates, however, there’s no need to worry. DNS Flag Day has no impact on APV Series appliances, regardless of whether SDNS is used as your authoritative server or server load balancing is used for your DNS servers.

If you use SDNS as your DNS authoritative servers, APV versions 8.6 and 8.6.1 and later with the Full DNS function enabled will properly return DNS replies when DNS queries are received, either with or without EDNS extensions. If DNS queries with EDNS extensions are received, SDNS ignores the extensions and returns DNS replies without them.

If you are using the most recent software release (APV or later), SDNS will process DNS queries with the DNSSEC and Client Subnet extensions, then return the DNS replies with the corresponding EDNS extensions. This option requires that you enable the APV Series’ SDNS DNSSEC function (described in the APV user guide).

Similarly, if you are using the APV Series’ server load balancing for your DNS servers, no configuration other than DNS SLB is needed. There is, however, a limit of 512 bytes on DNS replies. If you encounter DNS failures due to this limit, contact your Array reseller or representative for information on an alternative method to DNS SLB.

Some older-model APV Series ADCs, and all previous-generation TMX and TM Series ADCs, cannot be upgraded to the latest software releases, however. Contact your Array representative or reseller for information on upgrade programs.

The latest APV versions also support IPv6 transition, as well as 2048- and 4096-bit encryption keys. Combined with the changes to DNS, these technologies are helping keep networks accessible and more secure for the future. Happy DNS Flag Day, everyone!

Roland Hsu