[Pdns-users] DNSSEC changes - May 5th

Barron, Josh jbarron at afsnetworks.com
Tue May 4 15:19:36 UTC 2010


Hello all,

I've been asked to look into the issues stemming from the changes being
rolled out in a testing form at the root name servers starting May 5th
and permanently applied on July 1st.

From my basic reading of the issue, it appears that packet reply sizes
will be much bigger starting May 5th, and some servers / routers &
firewalls may not be equipped to handle it.

A test of our recursive server (running PDNS) shows it appears we are
indeed affected by this.  Does anyone have any advice on what the actual
issue is?  Is it our servers, our router?  The information out there is
kind of vague at best.

Below (results of a test to our server using dig and another server):

[jbarron@ops-ns1-srv01 ~]$ dig +short rs.dns-oarc.net txt
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"Tested at 2010-05-04 15:05:36 UTC"
"216.222.1.2 DNS reply size limit is at least 490"
"216.222.1.2 lacks EDNS, defaults to 512"

[jbarron@ops-ns1-srv01 ~]$ dig @4.2.2.2 +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"Tested at 2010-05-04 15:08:42 UTC"
"192.221.163.127 sent EDNS buffer size 4096"
"192.221.163.127 DNS reply size limit is at least 3843"

Thanks so much!

Josh Barron
American Fiber Systems
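
Added illustration, not part of the original post: the two test results above differ in whether the resolver's outgoing query carried an EDNS0 OPT record (RFC 6891), which is where the UDP buffer size is advertised. This Python sketch builds a query with and without OPT and reads the advertised size back from the wire bytes; all function names are hypothetical and the queries are constructed samples.

```python
import struct

OPT = 41  # EDNS0 pseudo-RR type (RFC 6891)

def build_query(name, qtype=16, edns_size=None, do_bit=False, qid=0x1234):
    """Build a DNS query (default TXT); if edns_size is set, append an OPT RR."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    if edns_size:
        flags = 0x8000 if do_bit else 0  # DO bit: resolver wants DNSSEC records
        # root name, TYPE=OPT, CLASS=UDP payload size,
        # TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHBBHH", OPT, edns_size, 0, 0, flags, 0)
    return msg

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer is two bytes
            return off + 2
        off += 1 + n

def advertised_udp_size(msg):
    """Return (udp_size, edns_present, do_bit) for a DNS message."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            # RFC 6891: advertised values below 512 are treated as 512
            return max(rclass, 512), True, bool(ttl & 0x8000)
    return 512, False, False  # no OPT record: classic 512-byte UDP limit

def needs_tcp_fallback(query, reply_len):
    """True if a reply of reply_len bytes exceeds what the query advertised,
    so the server truncates it (TC bit) and the client must retry over TCP."""
    return reply_len > advertised_udp_size(query)[0]
```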
