Roskomnadzor has implemented changes to the procedure for utilizing the national domain names system (NSDI) following a malfunction in the RU domain zone on January 30. The updates are aimed at mitigating risks associated with the inability to access sites in the RU zone if the DNSSEC signature fails. This issue led to temporary inaccessibility of Russian websites after the DNSSEC key update.
The draft order issued by Roskomnadzor introduces amendments to the current NSDI usage procedure, with the main focus being on reducing the number of ways in which Internet providers can connect to the system. The agency seeks to eliminate options that pose a risk to accessing sites in the RU zone in case the DNSSEC signature validation fails.
Specifically, the methods of connecting that involve direct access to the authoritative servers of the NSDI root zone and copying the root zone will be removed from the list. These excluded methods include settings for copying the root zone from the authoritative server of the root zone of the national domain name system and resolver settings for using an authoritative server of the root zone of the national domain names system.
Roskomnadzor will retain the safer connection methods, such as settings of the resolvers of the national domain name system as forwarders and settings for using public resolvers of the national domain name system. According to an explanatory note, these methods ensure that communication operators, owners of autonomous systems, and hosting providers access caching servers of the national name system, which are monitored 24/7. In case of a DNSSEC incident, these settings are promptly utilized to prevent disruptions to Internet resources in the RU zone.
The document clarifies that the updates will not entail additional financing from the federal budget nor necessitate the enactment of extra regulatory laws.