On Mon, 8 Jan 2018, Hugo Salgado-Hernández wrote:
> After the patch was released, how long does it take to pass downstream to common OS distros?
It depends. For instance for RHEL, it will be fixed in 7.5. But had we actually not aborted the roll, Red Hat would have done an accelerated update to fix this issue.
> At this point, 4 months later, can we assume that a competent operator, with current OS with updated patches, is "safe from the rollover"?
Yes, and not only that, for this issue we could have rolled on the original date as well.
> I wonder if ICANN in their research and direct contact with operators have found evidence of any bug, outdated distros, incorrect manuals, bad practices, etc., that demonstrate a "structural" problem with rollover procedures.
That is what I asked about as well. What have they learned, and how did they try to learn this? If it were very regional centric, did they reach out to that region further? What do modern deployments that include a DNS server look like? Has anyone checked popular AMIs? Checked with openshift, openstack, docker? Asked companies that deploy many containers how they do DNS? Or asked the bleeding-end web front/backend people what they do and how?

The only reason for waiting is to await more data. If we are not getting new data, then based on what we know, the faulty deployments won't vanish over time, so there is no point in waiting. Although if we do see a decrease over time, then where is it decreasing, and can we link some staggered decrease to the release of something open source?

Paul