[dns-operations] How much trouble am in in on May 5?

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Wed May 5 09:42:51 UTC 2010

On Mon, May 03, 2010 at 10:30:29PM -0700, David Ulevitch wrote:
> On May 3, 2010, at 7:53 PM, Mark Andrews <marka at isc.org> wrote:
> > Until you do this resolvers will just treat your zone
> >as being insecure.
> Time will tell if using DNSSEC makes your zone more secure. We don't  
> know the answer to that one yet.  We know the current DNS security  
> model is weak.
> For the vast majority of Internet users, May 5th is a day signifying  
> nothing. For DNSSEC enabled users, it's a day that marks the removal  
> of one of the few remaining hurdles on the road towards having a means  
> of validating and verifying DNS responses. 

	its worse than that... hes dead Jim.
	the concern is that DNS messages from the root
	will exceed the original DNS spec size.  e.g.
	the messages will be about 800 bytes instead of just less 
	than 512 bytes.

	concerns about PMTU, Fragmentation, EDNS0, and TCP support
	all emerge from the existance of larger DNS messages.

	that being said, 05may is a first step - the event will
	flush out any nodes priming from the root that have path issues.

	the second, more subtle event is the cache timeout interval
	on the unsigned data - when the IMRs will refresh and find 
	signed data.  this will be ongoing for the next couple weeks.


More information about the dns-operations mailing list