nanog mailing list archives

Re: DNS Flag Day, Friday, Feb 1st, 2019


From: Mark Andrews <marka () isc org>
Date: Thu, 31 Jan 2019 16:18:27 +1100

The only ones that could potentially make a “breaking change” on Feb 1 are Google, Cloudflare and Quad9.  They are 
the public DNS recursive server operators that have committed to removing workarounds.  Google has already stated 
publicly that it will be introducing changes gradually and I expect the others to also do so.  Name server developers DO 
NOT have that power.

Google, Cloudflare and Quad9 are needed so that collectively we don’t need to deal with “but it works with …”.  That 
is also the reason for the rest of the vendors doing it in unison.

What is needed next is for infrastructure zone operators to download the compliance tools and run them on the servers 
listed in their zones daily and then inform the owners of those delegations that their zones are on non-compliant 
servers and give them a deadline to fix them (120 days should be enough time).  If the servers aren’t fixed by the 
deadline the delegation is removed until the servers are fixed or replaced with compliant ones.  This will catch 
operators who install out-of-compliance servers and firewalls.  The reaction so far by DNS server operators to DNS flag 
day shows that this is not actually unreasonable to require.  The fixed code is out there for both name servers and 
firewalls.

Mark

On 31 Jan 2019, at 2:49 pm, Christopher Morrow <morrowc.lists () gmail com> wrote:



On Wed, Jan 30, 2019 at 6:23 PM Mark Andrews <marka () isc org> wrote:
You do realise that when the day was chosen it was just the date after which new versions of name servers by the 
original group of Open Source DNS

you do realize you are proposing to make a breaking change (breaking change to a global system) on a Friday.
delaying until the following Monday would not have mattered to you, I'm sure it's going to matter to other folks 
though.

thanks,
-chris
 
developers would not have the workarounds incorporated?

For ISC that will be BIND 9.14.0 and no that will not be available Feb 1 but you can use the development version 9.13 
which has had the code for a while now. 

Individual operators of resolvers will make their own decisions about when to deploy. 
-- 
Mark Andrews

On 31 Jan 2019, at 12:55, Christopher Morrow <morrowc.lists () gmail com> wrote:



On Wed, Jan 30, 2019 at 5:41 PM Jim Popovitch via NANOG <nanog () nanog org> wrote:
On Wed, 2019-01-30 at 17:22 -0800, Matthew Petach wrote:
Any chance this could wait until say the Tuesday 
*after* the Superbowl, when we aren't cutting an 
entire religion's worth of potential workers out of 
the workforce available to fix issues in case it 
turns out to be a bigger problem than is expected, 
and when we have less chance of annoying the 
vast army of football-loving fans of every sort? 

IIRC, DNS Flag Day was announced way before last year's Super Bowl...
what did the people who aren't ready for DNS Flag Day do in the past
364 days that they need a few more days to get ready for?


Oh, so they had 365 days to plan the time of the event and still picked a Friday for that event?

https://www.opsview.com/resources/system-administrator/blog/three-reasons-why-not-make-major-it-changes-fridays

I see. 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org

