DNS Flag Day 2024: Phasing Out RSAMD5 for a More Secure DNS Infrastructure

DNS Flag Day 2024 represents another pivotal moment in the ongoing evolution of the Domain Name System: a coordinated global effort by DNS vendors, operators, and other stakeholders to retire deprecated or harmful features from active use. The focus of this year’s initiative is the final removal of support for the RSAMD5 algorithm, a DNSSEC signature algorithm long considered obsolete and insecure. Deprecating RSAMD5 is not merely a matter of cleaning up legacy code. It is an essential step toward reinforcing the cryptographic trust model that DNSSEC relies on, aligning DNS infrastructure with modern security standards, and mitigating the risk posed by cryptographic algorithms that have failed to keep pace with contemporary threat models.

RSAMD5, designated as algorithm number 1 in the DNSSEC algorithm registry, pairs RSA signatures with the MD5 hash function to digitally sign DNS records. When introduced in the late 1990s, this pairing provided a relatively efficient and widely implemented means of authenticating DNS data. However, the security community has since recognized MD5’s inherent weaknesses, particularly its vulnerability to collision attacks. In a collision attack, two different inputs are crafted to produce the same MD5 hash, so a signature computed over one input also verifies for the other; an attacker can thus substitute malicious content while maintaining the appearance of a valid signature. This vulnerability undermines the very guarantees of data integrity and authenticity that DNSSEC is meant to provide.

The formal deprecation of RSAMD5 began many years prior to DNS Flag Day 2024. In 2007, RFC 4635 moved RSAMD5 to historic status, discouraging further use due to the compromised nature of MD5. Over the years, DNSSEC operators and tools gradually began to favor more secure algorithms such as RSASHA256 (algorithm 8), ECDSAP256SHA256 (algorithm 13), and Ed25519 (algorithm 15). However, RSAMD5 persisted in some edge cases, legacy systems, and misconfigured name servers, often lurking unnoticed in obscure zones or outdated software packages. This residual presence posed a systemic risk, particularly in resolvers and libraries that retained code paths for validating RSAMD5 signatures. Continued support for the algorithm meant maintaining unnecessary complexity and exposing validation logic to potential exploitation.

DNS Flag Day 2024 marks the turning point where the DNS community collectively agreed to eliminate RSAMD5 from both authoritative servers and validating resolvers. This coordination ensures that RSAMD5 is not merely discouraged but actively ignored and rejected across the ecosystem. Participating resolver implementations, including widely used software such as BIND, Unbound, PowerDNS, and Knot Resolver, now refuse to validate any signatures created using RSAMD5, treating them as invalid regardless of their content. Similarly, major authoritative name server software no longer allows the generation or publication of DNSSEC signatures using algorithm 1. The result is a de facto invalidation of RSAMD5 as a viable cryptographic option in DNSSEC, forcing remaining users to migrate to supported, secure alternatives.

This transition did not occur overnight. The lead-up to DNS Flag Day 2024 involved extensive outreach, testing, and tooling support to help zone operators identify and remediate the use of RSAMD5. Tools such as Zonemaster, DNSViz, and the ISC’s DNSSEC analyzer were updated to flag RSAMD5 usage explicitly, offering actionable diagnostics for administrators. Data collection efforts by large resolver operators and research networks provided visibility into the residual deployment of RSAMD5, demonstrating that its usage was limited and largely confined to inactive or misconfigured zones. Mailing lists, conferences, and technical documentation disseminated clear migration paths, typically involving re-signing zones with RSASHA256 or ECDSA algorithms and updating DS records at parent zones.
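The two behaviours described above, resolvers refusing RSAMD5 signatures and zone-audit tooling flagging residual RSAMD5 usage, can be modelled in a few dozen lines. The following is an added example, not code from the article or from any DNS vendor or diagnostic tool. It parses a handful of constructed presentation-format records (placeholder key and signature material, not real zone data), lists every DNSKEY, RRSIG and DS record that still uses algorithm 1, applies a resolver-side policy that refuses such signatures outright, and checks whether the parent's DS set has finished migrating. The accepted-algorithm set and the `owner ttl IN type rdata` line layout are assumptions of the example.

```python
"""Audit DNSSEC records for the deprecated RSAMD5 algorithm (number 1) and
model the resolver policy that refuses RSAMD5 signatures.

Added example (not code from the article or from any DNS vendor). All
records below are constructed placeholders, not real zone data."""
from dataclasses import dataclass

# DNSSEC algorithm numbers (IANA registry, subset).
ALGORITHM_NAMES = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
# Assumption for this example: the validator accepts the currently
# recommended algorithms and refuses RSAMD5 outright.
ACCEPTED = {8, 10, 13, 14, 15, 16}
REJECTED = {1}

# Constructed sample: a zone carrying both RSAMD5 keys/signatures and an
# ECDSAP256SHA256 key, plus the DS set published at the parent.
SAMPLE_RECORDS = """\
example.com. 3600 IN DNSKEY 257 3 1 AwEAAfakeRsaMd5KskMaterial
example.com. 3600 IN DNSKEY 256 3 1 AwEAAfakeRsaMd5ZskMaterial
example.com. 3600 IN DNSKEY 257 3 13 fakeEcdsaP256KeyMaterial
example.com. 3600 IN RRSIG DNSKEY 1 2 3600 20240601000000 20240501000000 1234 example.com. fakeSig
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20240601000000 20240501000000 31406 example.com. fakeSig
www.example.com. 3600 IN RRSIG A 1 3 3600 20240601000000 20240501000000 4242 example.com. fakeSig
example.com. 86400 IN DS 1234 1 1 0123456789abcdef0123456789abcdef01234567
example.com. 86400 IN DS 31406 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""


@dataclass
class Finding:
    owner: str
    rtype: str
    algorithm: int


def record_algorithm(fields):
    """Return (type, algorithm) for one record split into whitespace fields.

    Assumes the common presentation layout 'owner ttl IN type rdata...'.
    The algorithm field sits at a different offset for each type:
      DNSKEY: flags protocol algorithm key
      RRSIG:  type-covered algorithm labels ttl expire incept keytag signer sig
      DS:     keytag algorithm digest-type digest
    """
    rtype = fields[3]
    offset = {"DNSKEY": 6, "RRSIG": 5, "DS": 5}.get(rtype)
    if offset is None or len(fields) <= offset:
        return rtype, None
    return rtype, int(fields[offset])


def parse(zone_text):
    """Yield (owner, type, algorithm) for every DNSKEY, RRSIG and DS line."""
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN":
            rtype, alg = record_algorithm(fields)
            if alg is not None:
                yield fields[0], rtype, alg


def audit(zone_text):
    """List every record that still uses a rejected (RSAMD5) algorithm."""
    return [Finding(owner, rtype, alg)
            for owner, rtype, alg in parse(zone_text) if alg in REJECTED]


def validation_decision(rrsig_algorithm):
    """Resolver-side policy for one RRSIG's algorithm number."""
    if rrsig_algorithm in REJECTED:
        return "bogus"        # refused without attempting verification
    if rrsig_algorithm in ACCEPTED:
        return "verify"       # hand to the cryptographic check
    return "unsupported"      # neither refused nor verified; see usage note


def ds_migration_complete(zone_text):
    """True when the parent's DS set no longer references RSAMD5 and at least
    one DS points at an accepted algorithm that the zone actually publishes."""
    records = list(parse(zone_text))
    ds_algs = {alg for _, rtype, alg in records if rtype == "DS"}
    key_algs = {alg for _, rtype, alg in records if rtype == "DNSKEY"}
    return not (ds_algs & REJECTED) and bool(ds_algs & ACCEPTED & key_algs)


if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        print(f"{f.owner} {f.rtype} uses algorithm {f.algorithm} "
              f"({ALGORITHM_NAMES[f.algorithm]}): re-sign required")
    print("parent DS set migrated:", ds_migration_complete(SAMPLE_RECORDS))
```

One caveat for the "unsupported" branch: under RFC 4035 §5.2, a DS set at the parent whose algorithms the validator does not support at all does not make the zone bogus; the validator treats the delegation as unsigned (insecure). That is why the migration check above insists that the algorithm-1 DS be withdrawn from the parent as well as the zone being re-signed, rather than leaving the old DS in place.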

From an operational standpoint, the removal of RSAMD5 aligns with broader efforts to modernize DNSSEC and improve its cryptographic agility. The algorithm registry for DNSSEC has grown to include not only newer and stronger signature algorithms but also more efficient ones that reduce computational load and bandwidth consumption. For instance, Ed25519 provides strong security properties with smaller signature sizes, improving performance on constrained devices and in high-throughput scenarios. By eliminating legacy algorithms like RSAMD5, DNS software can streamline its cryptographic libraries, reduce attack surface, and focus on optimizing support for algorithms that meet today’s security expectations.

The security implications of phasing out RSAMD5 extend beyond theoretical concerns. Although no large-scale exploit of RSAMD5 in DNSSEC has been observed in the wild, the continued presence of insecure algorithms within critical infrastructure creates unnecessary risk. Attackers targeting edge-case vulnerabilities often focus on neglected or poorly maintained systems where such deprecated features remain active. By removing support for RSAMD5 entirely, DNS operators close off one such avenue for abuse, contributing to a more uniformly hardened global DNS infrastructure.

Moreover, DNS Flag Day 2024 reinforces the value of coordinated action in the DNS community. The distributed nature of DNS makes change difficult; without alignment among software vendors, registries, ISPs, and enterprises, even well-intentioned initiatives can fail due to fragmentation. The Flag Day model, introduced in 2019 to address broken EDNS implementations, has proven effective at aligning stakeholders toward common goals. By setting clear deprecation targets, communicating timelines in advance, and ensuring widespread participation, Flag Days help to shift the inertia of legacy dependencies in favor of a more secure and interoperable DNS ecosystem.

For operators still relying on RSAMD5 as of 2024, the pathway forward is clear but urgent. DNS zones must be re-signed using supported algorithms, which often requires coordination with DNS hosting providers and parent registries, particularly where DS records are involved. In cases where automated signing tools or appliances are in use, firmware or software updates may be necessary to enable alternative algorithms and disable RSAMD5. Importantly, DNSSEC validation failures caused by lingering RSAMD5 records will not be seen as resolver misbehavior but as zone misconfiguration, placing the burden of compliance squarely on authoritative operators.
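The DS update at the parent is the step most often left half-done during such a migration, so it helps to compute the expected DS from the new DNSKEY and compare it with what the parent actually publishes before the RSAMD5 keys are withdrawn. The following is an added example, not code from the article or from any DNS tool. The key-tag arithmetic, canonical name encoding and DS digest follow RFC 4034; the DNSKEY material itself is a constructed placeholder (four bytes, not a real key), and RSAMD5 keys are refused because they are not a valid migration target.

```python
"""Compute the DS record for a migration-target DNSKEY so the parent-side
delegation can be checked before the RSAMD5 keys are withdrawn.

Added example (not code from the article or from any DNS tool). The DNSKEY
below is constructed placeholder material, not a real key; the RFC 4034
wire encoding, key-tag arithmetic and DS digest computation are real."""
import base64
import hashlib

# DS digest types: RFC 4034 (SHA-1), RFC 4509 (SHA-256), RFC 6605 (SHA-384).
DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name):
    """Canonical (lower-case, length-prefixed) wire form of an owner name."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags(2) || protocol(1) || algorithm(1) || public key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(key_b64))


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the formula for all algorithms except RSAMD5)."""
    if rdata[3] == 1:
        raise ValueError("RSAMD5 (algorithm 1) keys are not a valid migration target")
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8   # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex_digest) for the DS RR.

    digest = H(canonical owner name || DNSKEY RDATA)
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    h = hashlib.new(DIGEST_TYPES[digest_type], name_to_wire(owner) + rdata)
    return key_tag(rdata), algorithm, digest_type, h.hexdigest()


def ds_published_matches(published, computed):
    """Compare a DS as published at the parent ('keytag alg dtype digest')
    with the tuple computed from the child's DNSKEY (digest case-insensitive)."""
    tag, alg, dtype, digest = published.split()
    return (int(tag), int(alg), int(dtype), digest.lower()) == computed


# Constructed placeholder key: flags 257 (KSK), protocol 3, algorithm 13
# (ECDSAP256SHA256), key bytes 01 02 03 04 encoded in base64.
PLACEHOLDER_KEY = "AQIDBA=="

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record("example.com.", 257, 3, 13, PLACEHOLDER_KEY)
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
```

In practice the published DS would come from a query to the parent zone and the DNSKEY from the child's apex; the comparison is the same. Because the DS digest covers the owner name in canonical form, the check is insensitive to how the name was capitalised on either side.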

In conclusion, DNS Flag Day 2024’s focus on phasing out RSAMD5 is a landmark in the progression of DNS security. It reflects the maturation of the DNSSEC ecosystem and the willingness of the internet community to retire obsolete technologies in favor of stronger, safer alternatives. By decisively removing RSAMD5 from active deployment, DNS operators and software developers are helping to future-proof the foundational layer of the internet’s naming system. The lessons of this transition will inform future deprecations and serve as a model for managing cryptographic evolution across a global, distributed infrastructure. As DNS continues to evolve in response to new demands and threats, such collaborative actions are essential to maintaining the trust, performance, and security of the internet at large.