DNS/EDNS Flag Day?
This seems to have caught a lot of people by surprise, myself included.
Maybe I missed all the big official announcements and warnings about things breaking, or did I?
To cure some persistent security, implementation, and performance problems in the Domain Name System, the lords of the DNS have proclaimed older implementations as end of life. It has been on the cards for a while, but it's worth reminding admins that websites on unready hosts, along with big resolvers and DNS software vendors …
> I think most servers will be OK already. It's only any really old ones that will be affected.
You would think so, but apparently (according to redditards, is that the right word) at least a few of the big ones are (or were a few days ago) failing the tests, not major fails but enough to cock things up.
Fails (or non-full compliance) mentioned with AWS, Azure, F5 Networks, Network Solutions, firewalls and packet filters, DNS helpers in NAT boxes that don't allow larger packets and probably a few others I didn't see on a brief glance.
With a chance of that many domains going wrong and hardware that won't handle it properly it's more than slightly disappointing that it has clearly been a surprise for a lot of people.
Are we really trusting these companies to sort themselves out before the deadline?
I haven't heard of it either. Also the version numbers for BIND are odd. The latest number that ISC offers for download (https://www.isc.org/downloads/bind/) is 9.12.3-P1 - earlier than this article speaks of. I run an Ubuntu server (version 9.10.3-P4-Ubuntu is current), so I looked at the Ubuntu packages that ISC offers. Again, the latest version is 9.12.3.P1.
I am not familiar with https://dnsflagday.net, or whether they are actually authoritative. However announcing a flag day two weeks out for which the sw they say is mandatory has not yet been released seems very strange.
Bind: 9.12.3P1 is the latest stable release, 9.13.5 is the latest preview release, and 9.14 is development.
The EDNS support that they say is mandatory has been around since 1999.
What they are removing from new versions are all the workarounds and hacks that they have been using to allow them to work with unconforming servers, as this slows down requests and complicates the code.
Unless you've specifically done anything weird, your DNS install will work fine with no changes needed - as will all the DNS software from the major players released over the last 15 years or so! - Bind has supported EDNS since version 8.3.0-RC1 - released in November 2001!
So, big change, but one that has been going on slowly for over 15 years!
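An added example, not taken from this thread or from the dnsflagday.net site, of the kind of check the flag day is built around: a non-recursive SOA query carrying a plain OPT pseudo-RR (EDNS0, RFC 6891) is sent to an authoritative server, and the reply is classified. A compliant server answers and includes its own OPT record; a non-compliant server or a middlebox in front of it answers FORMERR/NOTIMP, strips the OPT, or drops the packet. The server address and zone are placeholders, and the two replies produced by `sample_reply` are constructed so the parser and classifier can be exercised offline.

```python
"""Minimal EDNS0 compliance probe (added example; names and addresses are placeholders)."""
import socket
import struct

OPT_TYPE = 41          # OPT pseudo-RR type (RFC 6891)
QTYPE_SOA = 6
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def opt_rr(udp_size, ext_flags=0):
    """Empty OPT RR: root name, type 41, CLASS = UDP payload size, TTL = extended flags."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ext_flags, 0)


def build_edns_query(zone, txid=0x1234, udp_size=1232):
    """Non-recursive SOA query for `zone` with one OPT record in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1)   # RD=0, ARCOUNT=1
    question = encode_name(zone) + struct.pack("!HH", QTYPE_SOA, 1)
    return header + question + opt_rr(udp_size)


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # a compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Extract rcode, answer count and any OPT record from a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"txid": txid, "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
            "answers": an, "has_opt": False, "opt_udp_size": None}
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == OPT_TYPE:                   # CLASS field of OPT = advertised UDP size
            info["has_opt"] = True
            info["opt_udp_size"] = rclass
        off += 10 + rdlen
    return info


def classify(info):
    """Turn a parsed reply (None for a timeout) into a compliance verdict."""
    if info is None:
        return "timeout: server or a middlebox in front of it drops EDNS queries"
    if info["rcode"] in ("FORMERR", "NOTIMP"):
        return "non-compliant: server rejects EDNS with " + info["rcode"]
    if not info["has_opt"]:
        return "non-compliant: server ignored the OPT record"
    return "compliant: EDNS answered, rcode %s, UDP size %d" % (info["rcode"], info["opt_udp_size"])


def probe(server_ip, zone, timeout=2.0):
    """Send the query over UDP to a server you operate; returns None on timeout."""
    query = build_edns_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data) if data[:2] == query[:2] else None   # match transaction id


def sample_reply(zone, rcode, with_opt, txid=0x1234):
    """Constructed replies for offline use: a correct answer, or an error with no answer."""
    flags = 0x8400 | rcode                      # QR=1, AA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if rcode == 0 else 0, 0,
                         1 if with_opt else 0)
    body = encode_name(zone) + struct.pack("!HH", QTYPE_SOA, 1)
    if rcode == 0:                              # one SOA RR, names compressed to the question
        rdata = (b"\x03ns1\xc0\x0c" + b"\x0ahostmaster\xc0\x0c"
                 + struct.pack("!IIIII", 2019010101, 7200, 900, 1209600, 300))
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, 1, 3600, len(rdata)) + rdata
    if with_opt:
        body += opt_rr(4096)
    return header + body


if __name__ == "__main__":
    for desc, reply in (("compliant", sample_reply("example.com", 0, True)),
                        ("formerr", sample_reply("example.com", 1, False))):
        print(desc, "->", classify(parse_response(reply)))
    # Live check against an authoritative server you run (placeholder address):
    # print(classify(probe("192.0.2.53", "example.com")))
```

The query deliberately sets no EDNS options and no flags, because the flag day is about the plain case: a server that breaks on an empty OPT record will also break once resolvers stop retrying without EDNS. A timeout verdict is worth checking from more than one vantage point, since a firewall or NAT DNS helper in the path produces exactly the same symptom as a broken server.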
Nothing "paranoid" whatsoever about the concern. Networked controllers of a nontrivial chunk of electricity supply. Which could just as easily Read as Write that network.
For a Type of energy supply which has huge one-eyed lobbying by people who can't do engineering, science, or even sums. Such that the energysupply-proportion, and hence risk, is likely to increase over time.
BTW, I think you meant THIS url. It actually works:
Me, I'd be one HELL of a lot more concerned about who precisely is supplying kit to the Smart Meters brigades. (Now compulsory rollouts in both UK & Oz that I know of, not sure where else.)
Because, you see, these are EXPLICITLY DESIGNED to be remote-controls for your house/office/factory.
Talk to the electricity traders on the ST desks, and they go into raptures at the possibilities smart meters offer them. Instead of all that nightmarish demand-modelling and safety margins and blah de blah, with smart meters, they can just dial down the electricity to your house until demand once more reaches the supply they have organised / want to pay for. Profit!
Plus voltage-sensitive kit unable to start up, refrigerators and other current-sensitive things unable to start up, that sort of thing. But hey, it's MODERN!
Point is, if that whole-economy (commercial + retail) supply will soonish be completely subject to remote-control, a Bad Actor can use that selfsame remote-control to shut down the whole-economy.
And China's done precisely that before, and recently -- cf Japan & semiconductors. Japan had got uppity, you see.
Who's supplying the components to the Smart Meters suppliers?
Might be worth mentioning the UK has a further unusual vulnerability there: the switch of all its emergency services (police, fire brigade, ambulance, etc.) to an IP network. Needs serious electricity supply at the back-end + infrastructure to work, unlike POTS. So all those fires, traffic pileups, etc. that are just being handled normally, would then not be. Massive additional economy-wide friction (and human cost...) quite quickly.
Likewise Oz, less directly, due to the NBN-driven switchover from POTS to VOIP.
Biting the hand that feeds IT © 1998–2021