Signing the root zone.

11th Dec 2009 | 17:06

If you are a DNS, network, or firewall operator, you need to be aware that the root zone of the DNS is going to be signed with DNSSEC in stages during the first half of 2010.

You need to ensure that any packet filters between your recursive DNS resolvers and the public Internet do not block: UDP DNS packets larger than 512 bytes; fragmented UDP packets; ICMP "fragmentation needed" messages, which path MTU discovery depends on; and DNS over TCP, which resolvers fall back to when a UDP reply comes back with the truncated (TC) bit set.

The reason for this is that DNSSEC makes DNS replies larger: as well as the answer, they must carry the signature records (RRSIG) that let the resolver verify that the answer is authentic. Misconfigurations that are benign with insecure DNS, such as a filter that silently drops any DNS reply over 512 bytes, can make lookups fail once DNSSEC is deployed. DNS-OARC (the DNS Operations, Analysis, and Research Center) has a reply size tester which you can use to check that your resolvers can receive large DNS reply packets.

See these presentation slides for some details on the process of signing the root zone. See this blog post from the RIPE NCC, operators of the K-root server, for some information about how they are preparing for the change.

ICANN have published a paper about the predicted effects of DNSSEC on broadband routers and firewalls. Gaurab Raj Upadhaya has published a few slides about EDNS0 (RFC 2671), the DNS extension mechanism that lets a resolver advertise a UDP payload size larger than the original 512-byte limit and so enables large replies.
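To make the mechanism behind the filter checklist and the EDNS0 slides concrete, here is an added example (my own code, not from the original post or from any of the material linked above) that builds a DNS query in Python with and without an EDNS0 OPT record, reads back the advertised UDP payload size, and checks the TC bit on a reply to decide whether the lookup has to be retried over TCP. The sample replies are constructed header-only packets, not captured traffic, and the 4096-byte payload size and the transaction id are arbitrary choices for the example.

```python
"""EDNS0 query construction plus truncation check, as an added worked example."""
import struct

OPT_TYPE = 41              # pseudo-RR type for EDNS0 (RFC 2671)
EDNS_BUFSIZE = 4096        # UDP payload size we advertise; chosen for this example
DO_FLAG = 0x8000           # DNSSEC OK bit in the low 16 bits of the OPT TTL field
FLAG_QR, FLAG_TC = 0x8000, 0x0200


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def build_query(qname: str, qtype: int, txid: int = 0x1234, edns: bool = True,
                bufsize: int = EDNS_BUFSIZE, dnssec_ok: bool = True) -> bytes:
    """Build a DNS query; with edns=True an OPT RR goes in the additional section.

    A query without OPT tells the server it may send at most 512 bytes over UDP
    (RFC 1035). With OPT, the CLASS field carries the payload size we can accept
    and the DO bit in the TTL field asks for RRSIG records to be included.
    """
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)       # class IN
    if not edns:
        return header + question
    ttl = DO_FLAG if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, ttl, 0)    # root name, RDLENGTH 0
    return header + question + opt


def parse_header(pkt: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into its fields."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def advertised_bufsize(pkt: bytes):
    """Return the EDNS0 UDP payload size carried in pkt, or None if it has no OPT RR.

    None on an outgoing query means the resolver is a pre-EDNS0 implementation stuck
    at 512 bytes; None on a reply means the server ignored our OPT record.
    """
    h = parse_header(pkt)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(pkt, off) + 4                       # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return None


def needs_tcp_retry(reply: bytes) -> bool:
    """True when the server set TC: the answer did not fit and must be re-asked over TCP.

    A filter that blocks DNS over TCP turns this normal fallback into a hard failure.
    """
    return parse_header(reply)["tc"]


# Constructed sample replies (headers only, not captured traffic): QR|RD|RA, with and without TC.
COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)

if __name__ == "__main__":
    q = build_query(".", 48)                 # DNSKEY for the root: one of the replies that grows most
    print("EDNS0 payload size advertised:", advertised_bufsize(q))
    print("legacy query advertises:", advertised_bufsize(build_query(".", 48, edns=False)))
    print("retry over TCP?", needs_tcp_retry(TRUNCATED_REPLY), needs_tcp_retry(COMPLETE_REPLY))
```

Against a live resolver the same two questions are what `dig +bufsize=4096 +dnssec` and `dig +tcp` exercise by hand, and what the DNS-OARC reply size tester automates: a resolver that never emits an OPT record is limited to 512-byte replies, and one that receives TC and cannot reach port 53 over TCP has no way to complete the lookup.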

Please go out and check your DNS resolvers before they break!


Comments (1)


from: nonameyet
date: 14th Dec 2009 12:54 (UTC)

Thanks for the tester link.

The resolver on my Virgin broadband link doesn't support EDNS, so I "emailed" them (through a web page) to ask what their plans were for upgrading their DNS for DNSSEC, and got a reply soon after the start of the business week.
Apparently the fact that my local resolver does not support EDNS is a technical issue which can be resolved by their technical team if I phone them.
