DNSSEC - Root zone - FUD

Ray Van Dolson rvandolson at esri.com
Mon May 3 20:25:37 UTC 2010 

On Mon, May 03, 2010 at 01:16:53PM -0700, David Miller wrote:
> All,
> 
> There has been quite a bit of FUD bouncing around the net regarding the 
> May 5th signing of the root zone and the sky falling (or at least 
> massive failures across the internet).  I have been asked multiple times 
> about how I was going to prevent the internet from collapsing for my users.
> 
> Examples:
> http://www.theregister.co.uk/2010/04/13/dnssec/
> http://www.itnews.com.au/News/173412,warning-why-your-internet-might-fail-on-may-5.aspx
> 
> As I understand it, and please (PLEASE) correct me if I am wrong, the 
> facts are:
> 
>    1. All that is happening on May 5th is that the last root server to 
> do so (J) will begin serving the DURZ (Deliberately Unvalidatable Root 
> Zone).  All of the other root servers have been serving the DURZ for 
> quite a while already with no ill effects.
>         Reference - 
> http://www.root-dnssec.org/2010/04/14/status-update-april-2010/
> 
>    2. All of the root servers are currently responding to regular DNS 
> queries (i.e. those that do not specifically request DNSSEC) as they 
> have always done, and after May 5th the root servers will continue to 
> respond to regular DNS queries as they have always done.
> 
>    3. Only DNS queries that specifically request DNSSEC (i.e. set the DO 
> bit in their request) will see any difference in their query responses 
> from the J root name server on May 5th (all of the other root name 
> servers are already serving the DURZ today - see 1 above - and have been 
> responding with unvalidatable DNSSEC responses to queries that request 
> DNSSEC for a while now).
> 
>    4. DNSSEC will be in no way REQUIRED after May 5th.
> 
>    5. In all likelihood, DNSSEC will never be REQUIRED.  Even if the 
> root zone were validly DNSSEC signed and every single TLD/ccTLD DNS zone 
> on the internet were validly DNSSEC signed and every single DNS 
> subdomain were validly DNSSEC signed today, a resolving name server that 
> does not implement DNSSEC in any way would continue to function properly 
> as it does today.
> 
> Despite the Example articles above, which seem to state/imply that May 
> 5th represents some massive shift/change in DNS on the internet, May 5th 
> is an important milestone but should not affect any end users.
> 
> Will implementing DNSSEC in individual infrastructures require 
> investigating allowed DNS response sizes in those networks?  Absolutely.
> 
> Is this something that it is important for network operators to begin 
> investigating?  Yes.
> 
> Will May 5th be the day that the internet died?  No.
> 
> -DM

David, I think you're exactly right.  Lots of FUD, but, if I understand
correctly, BIND does by default does send out EDNS0 signalling by
default... so it's still prudent to check your own firewall setups to
ensure you can handle the larger packet sizes.  Worst case you see
delays if they do not.

And most of the time, the delays are out of your hands as it is remote
equipment that is causing the problems.  We've had to disable EDNS for
several such sites as they weren't responsive to requests to "fix"
their networks.

Ray

More information about the bind-users mailing list