Sysadmins told to update their software or risk killing the internet

Re: I feel the need to raise a change request

BAHAHAHA. Brilliant!

DNS is such a live wire that I once submitted a change request where the risk was "all zones are corrupted, Company services go offline, customers fail to make payroll, and Company never recovers."

Re: What?

"That's some exageration right there. DNS is not required for the internet to work. Sure stuff will break because of its reliance on DNS, but the whole of the internet? seriously? it will just cut you off? lol"

You'd be surprised* how few Internet services use hardcoded IP addresses. How load balancers rely on DNS. And web sites and email. And database connectors, monitoring, backups, host administration, logging, IDP, and cloud...everything. Yes, the Internet relies on DNS resolution.

*not many would be surprised, but clearly you would be.

Re: BIND >9.7

I think this is the new key:

# This key (20326) is to be published in the root zone in 2017.

# Servers which were already using the old key (19036) should

# roll seamlessly to this new one via RFC 5011 rollover. Servers

# being set up for the first time can use the contents of this

# file as initializing keys; thereafter, the keys in the

# managed key database will be trusted and maintained

# automatically.

. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3

+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv

ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF

0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e

oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd

RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN

R1AkUTV74bU=";

Re: BIND >9.7

The article isn't quite clear to me - seems as if this is specific to DNSSEC ? if I just grep for the word key in my bind 9.8 config there are 0 matches(and I have never ever worked with DNSSEC - yes have run authoritative DNS since 1996(for personal stuff, company I work for uses dynect for external DNS hosting) as well as caching DNS for internal stuff)

I read an interesting(perhaps amusing?) post by someone earlier this year that talked about how bad DNSSEC(it went into quite a bit of technical detail why DNSSEC was basically worthless) was and to just not bother with it. Can't find the link at the moment, it was good. Not that I needed convincing to (not) use DNSSEC.

edit: I think this is the link:

https://sockpuppet.org/blog/2015/01/15/against-dnssec/

Re: Further changes I expect

What number should I call to get all this?

Re: Had to start somewhere.

Just to put this in context.

Samples of the new £1 coins and £5 notes were avaible to companies involved in making and mainting coin operated devices for over 6 months (I'm sure I saw a quote from Royal Mint saying it was actually 18 months, but I can't find that).

100% were ready on day one weren't they?

Re: Simple Fix

I'm giving you an UpVote before the "DON'T USE GOOGLE DNS! ARE YOU EFFING *MAD*?!?" crowd arrives.

Those are really useful, and, as was pointed out above, it's (Not Bloody Difficult) easy to change DNS really fast, and for a short period of time.

I run my own DNS (my personal stuff, my company, the better-half's company, our client's companies, &c.), and we use DNSSec...but really:

1. Patch, patch, patch yer' crap. Just keep up on BIND and you're mostly home.

2. It's {severely edited for length and *cough* content} time those keys were changed.

3. If it all goes Pear, we can all take a holiday while ICANN(ot) and/or $ISP get their shit together (and wouldn't That be nice?).