Happenings in DNS

2019-01-18 - News - Tony Finch

A couple of items worth noting:

DNS flag day

The major DNS resolver providers have declared February 1st to be DNS Flag Day. (See also the ISC blog item on the DNS flag day.)

DNS resolvers will stop working around broken authoritative DNS servers that do not implement EDNS correctly. The effect will be that DNS resolution may fail in some cases where it used to be slow.

The flag day will take effect immediately on some large public resolvers. In Cambridge, it will take effect on our central resolvers after they are upgraded to BIND 9.14, which is the next stable branch due to be released Q1 this year.

I'm running the development branch 9.13 on my workstation, which already includes the Flag Day changes, and I haven't noticed any additional breakage - but then my personal usage is not particularly heavy nor particularly diverse.
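To make the EDNS point concrete, here is a small added example (my own code, not anything from ISC or the flag day site) that builds a query carrying an EDNS0 OPT record and then classifies a server's reply into the three cases that matter for the flag day: a reply with an OPT record, a reply without one (for instance FORMERR from a server that predates EDNS), or no reply at all. The three sample replies are constructed inline; the verdict strings are my reading of the announcement, namely that only the "no reply" case changes behaviour, and are not quoted from it.

```python
import struct

TYPE_A = 1
TYPE_OPT = 41
RCODE_FORMERR = 1


def encode_name(name):
    """Dotted name -> DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_edns_query(name, qtype=TYPE_A, txid=0x1234, udp_size=1232):
    """A standard query with one EDNS0 OPT record in the additional section."""
    # Header: RD set, QDCOUNT=1, ARCOUNT=1 (the OPT record).
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR (RFC 6891): owner is the root name, CLASS carries the UDP
    # payload size, the TTL field holds ext-rcode/version/flags (DO bit set).
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0x00008000, 0)
    return header + question + opt


def skip_name(msg, off):
    """Offset just past a wire-format name; a compression pointer ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def classify_response(msg):
    """'edns' if the reply carries an OPT record, 'no-edns' if it answered
    without one (e.g. FORMERR from a pre-EDNS server), 'timeout' if no reply."""
    if msg is None:
        return "timeout"
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return "edns"
    return "no-edns"


def flag_day_verdict(msg):
    """What a post-flag-day resolver does with the reply (my reading, an assumption)."""
    return {
        "edns": "EDNS works; unaffected by the flag day",
        "no-edns": "no EDNS, but it answers; still usable as a plain-DNS server",
        "timeout": "silent on EDNS queries; no retry without EDNS, so the server is treated as down",
    }[classify_response(msg)]


# Constructed sample replies to build_edns_query("example.com"); not captured traffic.
QUESTION = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
# 1) Compliant reply: an A record (name is a pointer to the question) plus an OPT.
EDNS_OK_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + QUESTION
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, 0)
)
# 2) Pre-EDNS server: FORMERR with the question echoed back and no OPT.
FORMERR_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180 | RCODE_FORMERR, 1, 0, 0, 0) + QUESTION
# 3) A server that drops EDNS queries on the floor: nothing comes back.
TIMEOUT_RESPONSE = None

if __name__ == "__main__":
    for sample in (EDNS_OK_RESPONSE, FORMERR_RESPONSE, TIMEOUT_RESPONSE):
        print(classify_response(sample), "->", flag_day_verdict(sample))
```

The parser only walks the record boundaries, which is all that is needed to see whether an OPT record is present; the same walk works on real replies captured with a socket, which is the one part deliberately left out so the example runs offline.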

Old DNSSEC root key revoked

Last week the old DNSSEC root key was revoked, so DNSSEC validators that implement RFC 5011 trust anchor updates should have deleted the old key (tag 19036) from their list of trusted keys.

For example, on one of my resolvers the output of rndc managed-keys now includes the following. (The tag of the old key changed from 19036 to 19164 when the revoke flag was added.)

name: .
keyid: 20326
    algorithm: RSASHA256
    flags: SEP
    next refresh: Fri, 18 Jan 2019 14:28:17 GMT
    trusted since: Tue, 11 Jul 2017 15:03:52 GMT
keyid: 19164
    algorithm: RSASHA256
    flags: REVOKE SEP
    next refresh: Fri, 18 Jan 2019 14:28:17 GMT
    remove at: Sun, 10 Feb 2019 14:20:18 GMT
    trust revoked

This is the penultimate step of the root key rollover; the final step is to delete the revoked key from the root zone.
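The change of key tag from 19036 to 19164 follows directly from how key tags are computed, and the added example below (my own code, not BIND's) shows why. The tag from RFC 4034 Appendix B is a 16-bit sum over the DNSKEY RDATA, and the flags field is the first 16-bit word of that RDATA, so setting the REVOKE bit (value 128) adds 128 to the running sum: the tag moves by 128, or 129 if the addition happens to carry into the folded high half. 19036 + 128 = 19164, exactly as on the resolver. The sample key here is a constructed fake, not the root KSK, so its tags are different numbers, but the +128 step is the same.

```python
import base64
import struct

# DNSKEY flag bits (RFC 4034 section 2.1.1; REVOKE is from RFC 5011 section 2.1).
ZONE_KEY = 0x0100
REVOKE = 0x0080
SEP = 0x0001


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, then the raw key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def to_presentation(rdata):
    """Wire RDATA -> 'FLAGS PROTOCOL ALGORITHM BASE64KEY' as seen in a zone file."""
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return "%d %d %d %s" % (flags, protocol, algorithm, base64.b64encode(rdata[4:]).decode())


def parse_dnskey_presentation(text):
    """Zone-file presentation format back to wire RDATA (base64 may be split by spaces)."""
    flags, protocol, algorithm, *key_fields = text.split()
    return dnskey_rdata(int(flags), int(protocol), int(algorithm),
                        base64.b64decode("".join(key_fields)))


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: sum the RDATA as 16-bit words, fold the carry."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def flag_names(flags):
    """Render the flags the way 'rndc managed-keys' prints them, e.g. 'REVOKE SEP'."""
    names = []
    if flags & REVOKE:
        names.append("REVOKE")
    if flags & SEP:
        names.append("SEP")
    return names


def revoke(rdata):
    """Copy of the RDATA with the REVOKE bit set, which is what an RFC 5011 revocation publishes."""
    flags = struct.unpack("!H", rdata[:2])[0] | REVOKE
    return struct.pack("!H", flags) + rdata[2:]


def rollover_report(rdata):
    """(tag, flag string) before and after revocation, like two 'keyid:' entries."""
    revoked = revoke(rdata)
    return {
        "before": (key_tag(rdata), " ".join(flag_names(struct.unpack("!H", rdata[:2])[0]))),
        "after": (key_tag(revoked), " ".join(flag_names(struct.unpack("!H", revoked[:2])[0]))),
    }


# Constructed sample: a fake RSA public key (exponent 65537, a 16-byte "modulus")
# chosen so the arithmetic is easy to check by hand. Not a real key.
SAMPLE_PUBKEY = bytes([3, 0x01, 0x00, 0x01]) + bytes(range(0x10, 0x20))
SAMPLE_KSK = dnskey_rdata(ZONE_KEY | SEP, 3, 8, SAMPLE_PUBKEY)  # flags 257, like a KSK

if __name__ == "__main__":
    for stage, (tag, flags) in rollover_report(SAMPLE_KSK).items():
        print("%s: keyid %d flags %s" % (stage, tag, flags))
```

A validator that tracks trust anchors by key tag alone would therefore lose track of the key at the moment it is revoked; RFC 5011 validators match the revoked key by verifying its self-signature, which is also why the revoked entry above still shows the original key's algorithm and an explicit removal time.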