DNSSEC - Root zone - FUD

David Miller dmiller at tiggee.com
Mon May 3 20:16:53 UTC 2010 

All,

There has been quite a bit of FUD bouncing around the net regarding the 
May 5th signing of the root zone and the sky falling (or at least 
massive failures across the internet).  I have been asked multiple times 
about how I was going to prevent the internet from collapsing for my users.

Examples:
http://www.theregister.co.uk/2010/04/13/dnssec/
http://www.itnews.com.au/News/173412,warning-why-your-internet-might-fail-on-may-5.aspx

As I understand it, and please (PLEASE) correct me if I am wrong, the 
facts are:

   1. All that is happening on May 5th is that the last root server to 
do so (J) will begin serving the DURZ (Deliberately Unvalidatable Root 
Zone).  All of the other root servers have been serving the DURZ for 
quite a while already with no ill effects.
        Reference - 
http://www.root-dnssec.org/2010/04/14/status-update-april-2010/

   2. All of the root servers are currently responding to regular DNS 
queries (i.e. those that do not specifically request DNSSEC) as they 
have always done, and after May 5th the root servers will continue to 
respond to regular DNS queries as they have always done.

   3. Only DNS queries that specifically request DNSSEC (i.e. set the DO 
bit in their request) will see any difference in their query responses 
from the J root name server on May 5th (all of the other root name 
servers are already serving the DURZ today - see 1 above - and have been 
responding with unvalidatable DNSSEC responses to queries that request 
DNSSEC for a while now).

   4. DNSSEC will be in no way REQUIRED after May 5th.

   5. In all likelihood, DNSSEC will never be REQUIRED.  Even if the 
root zone were validly DNSSEC signed and every single TLD/ccTLD DNS zone 
on the internet were validly DNSSEC signed and every single DNS 
subdomain were validly DNSSEC signed today, a resolving name server that 
does not implement DNSSEC in any way would continue to function properly 
as it does today.

Despite the Example articles above, which seem to state/imply that May 
5th represents some massive shift/change in DNS on the internet, May 5th 
is an important milestone but should not affect any end users.

Will implementing DNSSEC in individual infrastructures require 
investigating allowed DNS response sizes in those networks?  Absolutely.

Is this something that it is important for network operators to begin 
investigating?  Yes.

Will May 5th be the day that the internet died?  No.

-DM

More information about the bind-users mailing list