DNSSEC - Root zone - FUD

2010-05-03 Thread David Miller

All,

There has been quite a bit of FUD bouncing around the net regarding the 
May 5th signing of the root zone and the sky falling (or at least 
massive failures across the internet).  I have been asked multiple times 
about how I was going to prevent the internet from collapsing for my users.


Examples:
http://www.theregister.co.uk/2010/04/13/dnssec/
http://www.itnews.com.au/News/173412,warning-why-your-internet-might-fail-on-may-5.aspx

As I understand it, and please (PLEASE) correct me if I am wrong, the 
facts are:


  1. All that is happening on May 5th is that the last root server to 
do so (J) will begin serving the DURZ (Deliberately Unvalidatable Root 
Zone).  All of the other root servers have been serving the DURZ for 
quite a while already with no ill effects.
   Reference - 
http://www.root-dnssec.org/2010/04/14/status-update-april-2010/


  2. All of the root servers are currently responding to regular DNS 
queries (i.e. those that do not specifically request DNSSEC) as they 
have always done, and after May 5th the root servers will continue to 
respond to regular DNS queries as they have always done.


  3. Only DNS queries that specifically request DNSSEC (i.e. set the DO 
bit in their request) will see any difference in their query responses 
from the J root name server on May 5th (all of the other root name 
servers are already serving the DURZ today - see 1 above - and have been 
responding with unvalidatable DNSSEC responses to queries that request 
DNSSEC for a while now).


  4. DNSSEC will be in no way REQUIRED after May 5th.

  5. In all likelihood, DNSSEC will never be REQUIRED.  Even if the 
root zone were validly DNSSEC signed and every single TLD/ccTLD DNS zone 
on the internet were validly DNSSEC signed and every single DNS 
subdomain were validly DNSSEC signed today, a resolving name server that 
does not implement DNSSEC in any way would continue to function properly 
as it does today.


Despite the Example articles above, which seem to state/imply that May 
5th represents some massive shift/change in DNS on the internet, May 5th 
is an important milestone but should not affect any end users.


Will implementing DNSSEC in individual infrastructures require 
investigating allowed DNS response sizes in those networks?  Absolutely.


Is this something that it is important for network operators to begin 
investigating?  Yes.


Will May 5th be the day that the internet died?  No.

-DM

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNSSEC - Root zone - FUD

2010-05-03 Thread Ray Van Dolson
On Mon, May 03, 2010 at 01:16:53PM -0700, David Miller wrote:

David, I think you're exactly right.  Lots of FUD, but, if I understand
correctly, BIND does send out EDNS0 signalling by default... so it's
still prudent to check your own firewall setups to ensure you can handle
the larger packet sizes.  Worst case you see delays if they do not.

And most of the time, the delays are out of your hands as it is remote
equipment that is causing the problems.  We've had to disable EDNS for
several such sites as they weren't responsive to requests to fix
their networks.

Ray