DNSSEC - Root zone - FUD
dmiller at tiggee.com
Mon May 3 20:16:53 UTC 2010
There has been quite a bit of FUD bouncing around the net regarding the
May 5th signing of the root zone and the sky falling (or at least
massive failures across the internet). I have been asked multiple times
about how I was going to prevent the internet from collapsing for my users.
As I understand it, and please (PLEASE) correct me if I am wrong, the
1. All that is happening on May 5th is that the last root server to
do so (J) will begin serving the DURZ (Deliberately Unvalidatable Root
Zone). All of the other root servers have been serving the DURZ for
quite a while already with no ill effects.
2. All of the root servers are currently responding to regular DNS
queries (i.e. those that do not specifically request DNSSEC) as they
have always done, and after May 5th the root servers will continue to
respond to regular DNS queries as they have always done.
3. Only DNS queries that specifically request DNSSEC (i.e. set the DO
bit in their request) will see any difference in their query responses
from the J root name server on May 5th (all of the other root name
servers are already serving the DURZ today - see 1 above - and have been
responding with unvalidatable DNSSEC responses to queries that request
DNSSEC for a while now).
4. DNSSEC will be in no way REQUIRED after May 5th.
5. In all likelihood, DNSSEC will never be REQUIRED. Even if the
root zone were validly DNSSEC signed and every single TLD/ccTLD DNS zone
on the internet were validly DNSSEC signed and every single DNS
subdomain were validly DNSSEC signed today, a resolving name server that
does not implement DNSSEC in any way would continue to function properly
as it does today.
Despite the Example articles above, which seem to state/imply that May
5th represents some massive shift/change in DNS on the internet, May 5th
is an important milestone but should not affect any end users.
Will implementing DNSSEC in individual infrastructures require
investigating allowed DNS response sizes in those networks? Absolutely.
Is this something that it is important for network operators to begin
Will May 5th be the day that the internet died? No.
More information about the bind-users