DNS Flag Day, Friday, Feb 1st, 2019

Mark Andrews marka at isc.org
Thu Jan 31 05:18:27 UTC 2019


The only ones that could potentially make a “breaking change” on Feb 1 are Google, Cloudflare and Quad9.  They are the public DNS recursive server operators that have committed to removing workarounds.  Google has already stated publicly that it will be introducing changes gradually and I expect the others to also do so.  Name server developers DO NOT have that power.

Google, Cloudflare and Quad9 are needed so that collectively we don’t need to deal with “but it works with …”.  That is also the reason for the rest of the vendors doing it in unison.

What is needed next is for infrastructure zone operators to download the compliance tools and run them on the servers listed in their zones daily and then inform the owners of those delegations that their zones are on non-compliant servers and give them a deadline to fix them (120 days should be enough time).  If the servers aren’t fixed by the deadline the delegation is removed until the servers are fixed or replaced with compliant ones.  This will catch operators who install out-of-compliance servers and firewalls.  The reaction so far by DNS server operators to DNS flag day shows that this is not actually unreasonable to require.  The fixed code is out there for both name servers and firewalls.

Mark

> On 31 Jan 2019, at 2:49 pm, Christopher Morrow <morrowc.lists at gmail.com> wrote:
> 
> 
> 
> On Wed, Jan 30, 2019 at 6:23 PM Mark Andrews <marka at isc.org> wrote:
> You do realise that when the day was chosen it was just the date after which new versions of name servers by the original group of Open Source DNS
> 
> you do realize you are proposing to make a breaking change (breaking change to a global system) on a Friday.
> delaying until the following monday would not have mattered to you, I'm sure it's going to matter to other folks though.
> 
> thanks,
> -chris
>  
> developers would not have the workarounds incorporated?
> 
> For ISC that will be BIND 9.14.0 and no that will not be available Feb 1 but you can use the development version 9.13 which has had the code for a while now. 
> 
> Individual operators of resolvers will make their own decisions about when to deploy. 
> -- 
> Mark Andrews
> 
> On 31 Jan 2019, at 12:55, Christopher Morrow <morrowc.lists at gmail.com> wrote:
> 
>> 
>> 
>> On Wed, Jan 30, 2019 at 5:41 PM Jim Popovitch via NANOG <nanog at nanog.org> wrote:
>> On Wed, 2019-01-30 at 17:22 -0800, Matthew Petach wrote:
>> > Any chance this could wait until say the Tuesday 
>> > *after* the Superbowl, when we aren't cutting an 
>> > entire religion's worth of potential workers out of 
>> > the workforce available to fix issues in case it 
>> > turns out to be a bigger problem than is expected, 
>> > and when we have less chance of annoying the 
>> > vast army of football-loving fans of every sort? 
>> 
>> IIRC, DNS Flag Day was announced way before last year's Super Bowl...
>> what did the people who aren't ready for DNS Flag Day do in the past
>> 364 days that they need a few more days to get ready for?
>> 
>> 
>> Oh, so they had 365 days to plan the time of the event and still picked a Friday for that event?
>> 
>> https://www.opsview.com/resources/system-administrator/blog/three-reasons-why-not-make-major-it-changes-fridays
>> 
>> I see. 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org



