[CentOS] DNSSEC

Sun May 2 23:13:22 UTC 2010
Nataraj <incoming-centos at rjl.com>

Nataraj wrote:
> m.roth at 5-cent.us wrote:
>   
>> Well, folks,
>>
>>    There's an article on slashdot,
>> <http://tech.slashdot.org/article.pl?sid=10/04/30/1258234>
>>
>> Excerpt:
>> ...the coming milestone of May 5, at 17:00 UTC --- at this time DNSSEC will
>> be rolled out across all 13 root servers. Some Internet users, especially
>> those inside corporations and behind smaller ISPs, may experience
>> intermittent problems. The reason is that some older networking equipment
>> is pre-configured to block any reply to a DNS request that exceeds 512
>> bytes in size. DNSSEC replies are typically four times as large.
>> --- end excerpt ---
>>
>> I followed the link from the story to
>> <https://www.dns-oarc.net/oarc/services/replysizetest>, a coordinating
>> organization, and tried their test (as root):
>>  dig +short rs.dns-oarc.net txt
>>
>> And see that where I work, we're not ready. Is anyone following this,
>> and/or have a HOWTO on enabling it for CentOS?
>>
>>          mark (need to check this at home, too)
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
> Thank you for this warning. CentOS 5.4 does support this correctly; 
> however, I see that there are lots of ISPs out there with servers that do 
> not. In an emergency you can point your systems at the free Google DNS, 
> which appears not to support it, but according to the Google technical 
> staff they actually do, as can be seen by the following query...
> http://code.google.com/speed/public-dns/
>
> dig @8.8.8.8 +dnssec +short rs.dns-oarc.net txt
> rst.x1247.rs.dns-oarc.net.
> rst.x1257.x1247.rs.dns-oarc.net.
> rst.x1228.x1257.x1247.rs.dns-oarc.net.
> "74.125.154.94 DNS reply size limit is at least 1257"
> "74.125.154.94 sent EDNS buffer size 1280"
> "Tested at 2010-05-01 23:10:20 UTC"
>
>
> Nataraj
>
>
A further update on this... It appears that there are a number of DNS 
servers, particularly some of the caching servers run by ISPs, which do 
not implement DNSSEC but will still work after 5/5. So the published 
tests are not necessarily conclusive. Not that it is great that these 
implementations lack DNSSEC, though some of them are working on it. One 
example is PowerDNS.... See the following URLs for statements regarding 
the ability of these servers to function after 5/5.

http://mailman.powerdns.com/pipermail/pdns-users/2010-March/006610.html
http://mailman.powerdns.com/pipermail/pdns-users/2010-April/006674.html

Nataraj
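As an added example (not code from this thread, from DNS-OARC, or from any project mentioned above), the Python script below covers the two things the thread is actually about. `build_edns_query` shows what `dig +dnssec` puts on the wire: an EDNS0 OPT pseudo-record (RFC 6891) that advertises a UDP payload size and carries the DO bit, which is the negotiation that 512-byte-only middleboxes break. `parse_oarc_result` and `assess` turn the TXT strings quoted above from rs.dns-oarc.net into a verdict, using the 1220-byte floor that RFC 4035 requires of DNSSEC-aware resolvers rather than demanding 4096. `check_resolver` shells out to `dig` exactly as in the thread and therefore needs `dig` installed and network access; everything else runs offline. The sample outputs are constructed: the Google one is copied from the quoted run, and the no-EDNS one assumes that a resolver which never sends an OPT record gets no "sent EDNS buffer size" line (an assumption about the test's output, not something the thread confirms).

```python
"""Check a recursive resolver for DNSSEC-sized UDP replies (added example)."""
import re
import struct
import subprocess

# RFC 4035 section 3: a security-aware resolver MUST accept messages of at
# least 1220 octets; 4096 is the size most resolvers advertise.
MIN_DNSSEC_SIZE = 1220
RECOMMENDED_SIZE = 4096
TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1


def encode_name(name):
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_edns_query(name, qtype=TYPE_TXT, udp_size=RECOMMENDED_SIZE, do_bit=True, txid=0x1234):
    """One question plus an OPT RR in the additional section, as dig +dnssec sends."""
    # flags 0x0100 = RD; counts: QD=1, AN=0, NS=0, AR=1 (the OPT record)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: NAME is root (0x00), TYPE 41, the CLASS field carries the UDP
    # payload size, the TTL field carries ext-RCODE(8)|version(8)|DO(1)|zeros,
    # RDLEN 0.  Without this record the server must fit the answer in 512 bytes.
    ttl = 0x8000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return header + question + opt


def advertised_edns(packet):
    """Return (udp_size, do_bit) from a query's OPT RR, or None if it has none.

    Walks the question section label by label; queries do not use name
    compression, so pointers are not handled here.
    """
    qdcount, arcount = struct.unpack("!HH", packet[4:6] + packet[10:12])
    pos = 12
    for _ in range(qdcount):            # skip each question: labels, type, class
        while packet[pos] != 0:
            pos += 1 + packet[pos]
        pos += 1 + 4
    if arcount == 0 or packet[pos] != 0:
        return None
    rtype, udp_size, ttl = struct.unpack("!HHI", packet[pos + 1:pos + 9])
    if rtype != TYPE_OPT:
        return None
    return udp_size, bool(ttl & 0x8000)


# The two TXT strings of interest, with the surrounding quotes dig +short prints.
RESULT_RE = re.compile(
    r'^"?(?P<ip>\S+) (?:DNS reply size limit is at least (?P<limit>\d+)'
    r'|sent EDNS buffer size (?P<edns>\d+))"?$')


def parse_oarc_result(lines):
    """Pull the source IP, measured reply limit and advertised EDNS size out of dig output."""
    result = {"source_ip": None, "reply_size_limit": None, "edns_buffer_size": None}
    for line in lines:
        m = RESULT_RE.match(line.strip())
        if not m:                       # CNAME chain and "Tested at" lines are skipped
            continue
        result["source_ip"] = m.group("ip")
        if m.group("limit"):
            result["reply_size_limit"] = int(m.group("limit"))
        if m.group("edns"):
            result["edns_buffer_size"] = int(m.group("edns"))
    return result


def assess(result):
    """'no-edns': no OPT record seen, stuck at 512 bytes; 'at-risk': below the
    RFC 4035 floor, something on the path clamps replies; 'ok' otherwise."""
    limit, edns = result["reply_size_limit"], result["edns_buffer_size"]
    if edns is None:
        return "no-edns"
    if limit is None:
        return "unknown"
    if limit < MIN_DNSSEC_SIZE:
        return "at-risk"
    return "ok"


def check_resolver(resolver):
    """Run the same test the thread uses against one resolver (needs dig and network)."""
    cmd = ["dig", "@" + resolver, "+dnssec", "+short", "rs.dns-oarc.net", "txt"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    result = parse_oarc_result(out.splitlines())
    return result, assess(result)


# Constructed sample: the 8.8.8.8 output quoted in the thread (2010-05-01).
SAMPLE_GOOGLE_2010 = [
    "rst.x1247.rs.dns-oarc.net.",
    "rst.x1257.x1247.rs.dns-oarc.net.",
    "rst.x1228.x1257.x1247.rs.dns-oarc.net.",
    '"74.125.154.94 DNS reply size limit is at least 1257"',
    '"74.125.154.94 sent EDNS buffer size 1280"',
    '"Tested at 2010-05-01 23:10:20 UTC"',
]
# Constructed sample (assumed shape, not a captured run): a resolver without EDNS0.
SAMPLE_NO_EDNS = ['"192.0.2.53 DNS reply size limit is at least 490"']

if __name__ == "__main__":
    import sys
    for r in sys.argv[1:] or ["8.8.8.8"]:
        print(r, check_resolver(r))
```

Run it as `python3 replysize.py 8.8.8.8 192.0.2.1` against the resolvers in your /etc/resolv.conf. The quoted Google result (limit 1257, advertised 1280) passes the 1220-byte floor; a resolver whose output carries no "sent EDNS buffer size" line is the "not ready" case, since without an OPT record the root servers will truncate signed answers to 512 bytes and force a TCP retry.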