Will DNSSEC kill your internet?


bywater
14-04-2010, 11:38
http://www.theregister.co.uk/2010/04/13/dnssec/

Can some tech person please explain this to me and explain how to keep my DNS working. I ran the Java App from RIPE and it says

Your resolver was only able to get packets SMALLER than 512 bytes. This usually implies that a packet filter or firewall is blocking UDP packets bigger than 512 bytes from reaching your resolver. Your resolver works now, although it is probably not able to resolve some names. However, when the root zone is signed your resolver will not be able to receive most responses, and it is possible that you will lose DNS service. You should reconfigure your firewall or packet filter to allow large UDP packets through.

I am using the Virgin Media supplied netgear firewall.

Chris
14-04-2010, 11:50
Final paragraph from that Reg article:

Home users using residential hubs should not panic if these tests return scary results. According to Mitchell, it currently only matters that the ISP supports DNSSEC. A dodgy Netgear box is not enough to kill your internet... cross fingers.

;)

Sir John Luke
14-04-2010, 12:09
Question is - will DNSSEC break VM's DNS hi-jacking? (Not that it bothers me - I don't use VM's DNS servers).

token
11-05-2010, 12:04
I note that DNSSEC behaviour has changed on VM's caching platform - EDNS0 seems to have been turned on, and you can get results for the existing signed zones:

dig @194.168.4.100 txt test.rs.ripe.net +short
rst.x1388.rs.ripe.net.
rst.x1358.x1388.rs.ripe.net.
rst.x1364.x1358.x1388.rs.ripe.net.
"80.4.224.148 DNS reply size limit is at least 1388 bytes"
"80.4.224.148 sent EDNS buffer size 1400"
"80.4.224.148 summary bs=1400,rs=1388,edns=1,do=1"

; <<>> DiG 9.3.5-P1 <<>> @194.168.4.100 www.nist.gov +dnssec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 704
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;www.nist.gov. IN A

;; ANSWER SECTION:
www.nist.gov. 1800 IN CNAME www-14.nist.gov.
www.nist.gov. 1800 IN RRSIG CNAME 5 3 1800 20100609180354 20100510180354 63462 nist.gov. Odb8BeCOmpmz0Uqlzzo8JgkCJhpYY6xGr/HEb8r8yxtwodCwfERA6XNU roQir4bP8JIapRczuwdDr9JqfN83bWBxgRvHulXnZqEzHn7LtHWyzcT8 lhC5WMFzgOXEcnFGxZp2g8iWeZtyt5MT5/jcdBt6vzEOAMEy2nJ69ztI Lzk=
www-14.nist.gov. 1800 IN A 129.6.13.45
www-14.nist.gov. 1800 IN RRSIG A 5 3 1800 20100609180354 20100510180354 63462 nist.gov. qpl+b7EfeVq16KKnytB7kG0t/WV5HEnjdMSHOLZIHdl+UCjhHqfvVpcM 9LVZefv7K52o6PGZe1kmFqVoMAxh4RSoVSJYOo6ccANmJcz7r2uT0/IX Z2kAQb2VyAU99b5flG+bMJ07k+XKJJFToZR++tJkMd79zqx4vgeh4Rig bWA=

;; Query time: 371 msec
;; SERVER: 194.168.4.100#53(194.168.4.100)
;; WHEN: Tue May 11 12:02:50 2010
;; MSG SIZE rcvd: 414

The internets appear to be saved.
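
What the RIPE applet and the two dig runs above are actually checking, written out as an added example (not code from the thread, from RIPE or from Virgin Media): send a query carrying an EDNS0 OPT pseudo-record with a large advertised UDP buffer and the DO bit, then look at whether the reply comes back truncated at 512 bytes, whether it still carries an OPT record, and whether RRSIGs were returned. The function names (`build_query`, `parse_response`, `verdict`, `probe`) are this example's own, and `sample_response` is a hand-constructed reply shaped like the www-14.nist.gov answer above, with a zero-filled placeholder signature and illustrative timestamps, not a capture. Only the Python standard library is used.

```python
"""EDNS0 / DNSSEC-OK reply-size check in raw DNS wire format (RFC 1035, RFC 6891).
Added example, not the thread's, RIPE's or the ISP's code."""
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_FLAG = 0x8000   # DNSSEC OK bit: bit 15 of the OPT record's 32-bit TTL field


def encode_name(name):
    """'www.nist.gov' -> b'\\x03www\\x04nist\\x03gov\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, bufsize=4096, do=True, qid=0x1234):
    """Query with RD set, one question, and an OPT RR in the additional section
    advertising `bufsize` bytes of UDP payload; DO asks for RRSIGs in the reply."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    ttl = DO_FLAG if do else 0             # ext-rcode=0, version=0, flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, ttl, 0)  # root name, rdlen 0
    return header + question + opt


def skip_name(msg, off):
    """Offset just past a domain name, handling a compression pointer (0xC0xx)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Extract what the reply-size test cares about: TC bit, OPT presence,
    advertised buffer size, DO bit and the number of RRSIG records."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": qid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "size": len(msg), "answers": an, "edns": False, "bufsize": None,
            "do": False, "rrsigs": 0}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:              # CLASS field carries the UDP payload size
            info["edns"], info["bufsize"] = True, rclass
            info["do"] = bool(ttl & DO_FLAG)
        elif rtype == TYPE_RRSIG:
            info["rrsigs"] += 1
        off += 10 + rdlen
    return info


def verdict(info):
    """Classify the reply along the lines of the RIPE tester's messages."""
    if info["tc"] and info["size"] <= 512:
        return "truncated at 512 bytes: large UDP replies are being blocked"
    if not info["edns"]:
        return "no OPT record in reply: resolver or path strips EDNS0"
    if not info["do"] or info["rrsigs"] == 0:
        return "EDNS0 works but DO not honoured: no RRSIGs returned"
    return "EDNS0 and DNSSEC-OK honoured (bufsize %d)" % info["bufsize"]


def probe(server, name, timeout=3.0):
    """Send the query over UDP to a resolver (network required) and parse the reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(65535)
    finally:
        sock.close()
    return parse_response(data)


def sample_response():
    """Constructed reply (not a capture): A record for www-14.nist.gov, one RRSIG
    with a zero-filled placeholder signature and illustrative timestamps, and an
    OPT record with bufsize 4000 and DO set, like the dig output in the thread."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1)   # QR, RD, RA set
    q = encode_name("www-14.nist.gov") + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xc0\x0c"                                          # pointer to name at offset 12
    a = ptr + struct.pack("!HHIH", TYPE_A, 1, 1800, 4) + bytes([129, 6, 13, 45])
    rdata = struct.pack("!HBBIIIH", TYPE_A, 5, 3, 1800, 1276106634, 1273514634,
                        63462) + encode_name("nist.gov") + b"\x00" * 64
    rrsig = ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 1800, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4000, DO_FLAG, 0)
    return hdr + q + a + rrsig + opt


if __name__ == "__main__":
    print(verdict(parse_response(sample_response())))
```

Against a live resolver, `verdict(probe("194.168.4.100", "www.nist.gov"))` performs the same check as the `dig ... +dnssec` run above; a home firewall that drops UDP over 512 bytes shows up as the truncated case, a middlebox that strips the OPT record as the "no OPT" case.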

pip08456
11-05-2010, 12:11
"from 5 May all the DNS root servers will respond with signed DNSSEC answers."

Which answers your question as

"The standard is currently being rolled out cautiously to the internet's DNS root servers. In May, when all 13 roots are signed, anybody with an incompatible firewall or ISP will know about it, because they won't be able to find websites or send email."

In other words if it is working now it will continue to do so as any problem for you would've surfaced on 5th May when it was implemented.

The article quoted by both yourself and others is from 13th April.