DNSSEC...not a bang but a whimper?

Published: 2010-05-04
Last Updated: 2010-05-05 19:07:08 UTC
by Rick Wanner (Version: 2)
3 comment(s)

Tonight is the night that DNSSEC is enabled between the DNS root servers. I am not going to go into detail since the good people at the other ISC have already done a wonderful job of that in their posting.

Lots of the usual hype in the usual places including The Register, slashdot, etc.  The fact is that this really only affects the way your ISPs talk DNS to the root servers. I suspect most users are using their ISPs DNS servers which will continue to talk to their customers the old way.  It may cause problems for some users who are hosting their own DNS servers behind antiquated firewalls, but for the most part this will be a non-event.

What I find interesting is that using the resolver test at RIPE, my OpenDNS provided resolvers fail.  

Hopefully that will be fixed before the big event.


Update:  OpenDNS responded to my query with a pointer to a forum article.  It seems they are just fine.


-- Rick Wanner - rwanner at isc dot sans dot org

Keywords: DNSSEC
3 comment(s)


The test tools provided by RIPE etc imply that there will be problems if your DNS server doesn't support EDNS. I think this is the source of all the fear about DNS dying. OpenDNS have published a statement about this also. I feel ripe etc have misled people in regards to this as lack of EDNS actually just means you wont use DNSSEC and will continue to use standard DNS.

Windows 2003 SP2

Added HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
EDNSCacheTimeout DWORD 3600
EnableEDNSProbes DWORD 1

(As suggested by Help > Modify EDNS0 configuration)

After doing so (and restarting the DNS service), the test program failed:

I was unable to run the test because of an internal software error. This could be caused by restrictions of the Java virtual machine on your system.

The test did NOT fail prior to these changes.

The registry change was reverted (deleted the two new DWORDs) and the "Your resolver was only able to get packets SMALLER than 512 bytes." message was again received by the test program.
Exception, as far as I understand with this test you need to run it through a Windows Server. I do not currently have a server so the tests run fine except that there is no DNSSEC and no ESDN.

Diary Archives