Well, folks,
There's an article on slashdot, http://tech.slashdot.org/article.pl?sid=10/04/30/1258234
Excerpt: ...the coming milestone of May 5, at 17:00 UTC; at this time DNSSEC will be rolled out across all 13 root servers. Some Internet users, especially those inside corporations and behind smaller ISPs, may experience intermittent problems. The reason is that some older networking equipment is pre-configured to block any reply to a DNS request that exceeds 512 bytes in size. DNSSEC replies are typically four times as large. --- end excerpt ---
I followed the link from the story to https://www.dns-oarc.net/oarc/services/replysizetest, a coordinating organization, and tried their test (as root): dig +short rs.dns-oarc.net txt
And see that where I work, we're not ready. Is anyone following this, and/or have a HOWTO on enabling it for CentOS?
mark (need to check this at home, too)
Hi,
It's enabled by default; if BIND is the right version, nothing needs to be done.
I found it kind of sad that the version of BIND that comes with the latest version of CentOS 4 is so old that it doesn't support DNSSEC.
thanks, -Drew XLHost.com
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of m.roth@5-cent.us Sent: Friday, April 30, 2010 1:07 PM To: CentOS mailing list Subject: [CentOS] DNSSEC
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Drew wrote:
It's enabled by default if BIND is the right version nothing needs to be done.
I found it kind of sad that the version of BIND that comes with the latest version of CentOS 4 is so old that it doesn't support DNSSEC.
So it doesn't look like our servers run bind; it's the network folks.... I wonder if my boss should contact them....
mark
Thank you for this warning. CentOS 5.4 does support this correctly; however, I see that there are lots of ISPs out there with servers that do not. In an emergency you can point your systems at the free Google DNS, which appears not to support it, but according to the Google technical staff they actually do, as can be seen by the following query... http://code.google.com/speed/public-dns/
dig @8.8.8.8 +dnssec +short rs.dns-oarc.net txt
rst.x1247.rs.dns-oarc.net.
rst.x1257.x1247.rs.dns-oarc.net.
rst.x1228.x1257.x1247.rs.dns-oarc.net.
"74.125.154.94 DNS reply size limit is at least 1257"
"74.125.154.94 sent EDNS buffer size 1280"
"Tested at 2010-05-01 23:10:20 UTC"
Nataraj
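To make the replysizetest concrete, here is an added example (not code from the list, from DNS-OARC or from BIND) covering both the dig +short rs.dns-oarc.net txt check in the original post and the dig @8.8.8.8 +dnssec output above. It builds the same kind of EDNS0 query that dig sends (an OPT pseudo-RR whose CLASS field advertises a 4096-byte UDP buffer and whose TTL field carries the DO bit), parses a reply for the TC bit, the resolver's advertised buffer size and the TXT strings, and pulls the "reply size limit is at least N" figure out of OARC-style TXT text. The replies it feeds itself are constructed in build_response() so it runs offline; the 192.0.2.1 address and the timestamp in them are made up. Python, standard library only.

```python
"""EDNS0 reply-size probe: added example, not code from the list, DNS-OARC or BIND.
Stdlib only; replies are constructed by build_response() so everything runs offline."""
import re
import struct

TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1
EDNS_DO = 0x8000   # DNSSEC OK bit, top bit of the OPT RR "TTL" field (RFC 3225)
FLAG_TC = 0x0200   # TrunCation bit in the header flags

def encode_name(name):
    """'rs.dns-oarc.net' -> wire labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(data, off):
    """Offset just past a (possibly compressed) name that starts at `off`."""
    while True:
        n = data[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def opt_rr(bufsize, dnssec_ok=True):
    """OPT pseudo-RR: root name, type 41; the CLASS field carries the UDP payload size."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, EDNS_DO if dnssec_ok else 0, 0)

def build_query(name, qtype=TYPE_TXT, txid=0x1234, bufsize=4096):
    """What dig sends; bufsize=None is a pre-EDNS query, i.e. replies capped at 512 bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0 if bufsize is None else 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + (b"" if bufsize is None else opt_rr(bufsize))

def build_response(query, txt_strings, bufsize=1280, truncated=False):
    """Constructed reply: one TXT RR per string, plus an OPT RR unless bufsize is None."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    flags = 0x8180 | (FLAG_TC if truncated else 0)   # QR, RD, RA (+TC)
    answers = b""
    for s in txt_strings:
        rdata = bytes([len(s)]) + s.encode("ascii")   # TXT rdata is <len><chars>...
        answers += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 60, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, flags, 1, len(txt_strings), 0, 0 if bufsize is None else 1)
    return header + question + answers + (b"" if bufsize is None else opt_rr(bufsize))

def parse_response(data):
    """Header bits, advertised EDNS buffer size (if any), DO bit and TXT strings."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"tc": bool(flags & FLAG_TC), "size": len(data), "answers": an,
            "edns_bufsize": None, "do": False, "txt": []}
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        rdata, off = data[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TYPE_OPT:
            info["edns_bufsize"], info["do"] = rclass, bool(ttl & EDNS_DO)
        elif rtype == TYPE_TXT:
            i = 0
            while i < len(rdata):
                info["txt"].append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
                i += 1 + rdata[i]
    return info

def oarc_limit(info):
    """The 'reply size limit is at least N' figure from OARC-style TXT strings."""
    for s in info["txt"]:
        m = re.search(r"reply size limit is at least (\d+)", s)
        if m:
            return int(m.group(1))
    return None

def assess(info):
    """Will replies larger than 512 bytes reach this client?"""
    if info["tc"]:
        return "truncated"      # big UDP reply was cut back; dig would retry over TCP
    if info["edns_bufsize"] is None:
        return "no-edns"        # nothing advertised, so replies stay within 512 bytes
    if info["size"] > 512:
        return "ok"             # a reply over 512 bytes survived the path
    return "undetermined"       # fits in 512 bytes, so the path was never exercised

def demo():
    """Two constructed replies: one clearing 512 bytes, one truncated fallback."""
    q = build_query("rs.dns-oarc.net")
    oarc_like = ["192.0.2.1 DNS reply size limit is at least 1257",   # constructed, OARC format
                 "192.0.2.1 sent EDNS buffer size 1280",
                 "Tested at 2010-05-01 00:00:00 UTC"]
    big = parse_response(build_response(q, oarc_like + ["x" * 200, "y" * 200], bufsize=1280))
    small = parse_response(build_response(q, ["reply size limit is at least 490"],
                                          bufsize=None, truncated=True))
    return assess(big), oarc_limit(big), big["edns_bufsize"], assess(small)

if __name__ == "__main__":
    print(demo())   # ('ok', 1257, 1280, 'truncated')
```

demo() returns ('ok', 1257, 1280, 'truncated'). To probe a real resolver, send build_query("rs.dns-oarc.net") to it on UDP port 53 and hand the datagram to parse_response(). Note what the 512-byte middlebox problem actually looks like from the client: the large reply is dropped outright, so you get a timeout rather than a truncated answer with TC set, and the resolver only recovers if it retries with a smaller buffer. Comparing dig +bufsize=512 against dig +bufsize=4096 against the same server isolates the path from the resolver software.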
A further update on this... It appears that there are a number of DNS servers, particularly some of the caching servers run by ISPs, which do not implement DNSSEC but will still work after 5/5. So the published tests are not necessarily conclusive. Not that it is great that these implementations lack DNSSEC, though some of them are working on it. One example is PowerDNS.... See the following URLs for statements regarding the ability of these servers to function after 5/5.
http://mailman.powerdns.com/pipermail/pdns-users/2010-March/006610.html http://mailman.powerdns.com/pipermail/pdns-users/2010-April/006674.html
Nataraj