2019-01-18 - News - Tony Finch
A couple of items worth noting:
DNS flag day
The major DNS resolver providers have declared February 1st to be DNS Flag Day. (See also the ISC blog item on the DNS flag day.)
DNS resolvers will stop working around broken authoritative DNS servers that do not implement EDNS correctly. The effect will be that DNS resolution may fail in some cases where it used to be slow.
The flag day will take effect immediately on some large public resolvers. In Cambridge, it will take effect on our central resolvers after they are upgraded to BIND 9.14, which is the next stable branch, due to be released in Q1 this year.
I'm running the development branch 9.13 on my workstation, which already includes the Flag Day changes, and I haven't noticed any additional breakage - but then my personal usage is not particularly heavy nor particularly diverse.
Old DNSSEC root key revoked
Last week the old DNSSEC root key was revoked, so DNSSEC validators that implement RFC 5011 trust anchor updates should have deleted the old key (tag 19036) from their list of trusted keys.
For example, on one of my resolvers the output of rndc managed-keys now includes the following. (The tag of the old key changed from 19036 to 19164 when the revoke flag was added.)

    name: .
        keyid: 20326
        algorithm: RSASHA256
        flags: SEP
        next refresh: Fri, 18 Jan 2019 14:28:17 GMT
        trusted since: Tue, 11 Jul 2017 15:03:52 GMT
        keyid: 19164
        algorithm: RSASHA256
        flags: REVOKE SEP
        next refresh: Fri, 18 Jan 2019 14:28:17 GMT
        remove at: Sun, 10 Feb 2019 14:20:18 GMT
        trust revoked
This is the penultimate step of the root key rollover; the final step is to delete the revoked key from the root zone.
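As an added illustration (not part of the original post), the following Python computes the RFC 4034 Appendix B key tag and shows why setting the RFC 5011 REVOKE bit changes it: the bit has value 128 in the flags field, the flags word is the first term of the key tag sum, so the tag rises by exactly 128, which is the 19036 to 19164 shift noted above (or by 129 in the rare case where the sum carries across 16 bits). The DNSKEY used here is a constructed dummy, not the root key, and the formula does not apply to algorithm 1 (RSA/MD5), which has its own tag rule.

```python
import base64
import struct

# DNSKEY flag bits (RFC 4034 section 2.1.1 and RFC 5011 section 2.1)
SEP = 0x0001     # Secure Entry Point: marks a key-signing key
REVOKE = 0x0080  # RFC 5011 revocation bit; it sits inside the RDATA the key tag covers


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag for every algorithm except 1 (RSA/MD5).

    The RDATA is summed as big-endian 16-bit words (a trailing odd byte counts as
    the high byte of a final word) and the carry is folded back into the low 16
    bits.  Because the flags word is the first term, setting REVOKE (0x0080)
    raises the tag by 128, or by 129 when the sum happens to carry across 16 bits.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(presentation: str):
    """Split the RDATA part of a DNSKEY presentation record: 'flags protocol algorithm base64...'."""
    fields = presentation.split()
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    pubkey = base64.b64decode("".join(fields[3:]))  # the key may be wrapped over several fields
    return flags, protocol, algorithm, pubkey


def tags_before_and_after_revoke(presentation: str) -> tuple:
    """Return (key tag as published, key tag once the REVOKE bit is set)."""
    flags, protocol, algorithm, pubkey = parse_dnskey(presentation)
    before = key_tag(dnskey_rdata(flags, protocol, algorithm, pubkey))
    after = key_tag(dnskey_rdata(flags | REVOKE, protocol, algorithm, pubkey))
    return before, after


# Constructed dummy KSK (flags 257 = SEP, protocol 3, algorithm 8 = RSASHA256).
# This is NOT the root key; the key bytes are made up so the sum is easy to check by hand.
DUMMY_PUBKEY = b"\x10\x00" * 8
DUMMY_DNSKEY = "257 3 8 " + base64.b64encode(DUMMY_PUBKEY).decode()

if __name__ == "__main__":
    before, after = tags_before_and_after_revoke(DUMMY_DNSKEY)
    print(f"tag {before} -> {after} after REVOKE (shift {after - before})")
    # The same 128 shift is what moved the old root KSK from tag 19036 to 19164.
```

Running the script prints the dummy key's tag before and after revocation; feeding it the RDATA of a real DNSKEY record (for example the `. IN DNSKEY` lines from `dig . DNSKEY`) reproduces the tags that `rndc managed-keys` reports.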