I fear I've missed something important. My Network admin is saying his understanding is we MUST make changes for this 5/5 change on the root servers. I was under the impression that until we decide to implement DNSSEC ourselves we don't need to do anything on our end to continue resolving.
We already allow for UDP 512 and TCP for DNS. It sounds as if he read an article saying we have to implement DNSSEC on our DNS servers or we'll quit working on 5/5? Is that the case? Also, what is the drop-dead date/time if so? 5/5 midnight UTC? Some other time?

-----Original Message-----
From: bind-users-bounces+jlightner=water....@lists.isc.org [mailto:bind-users-bounces+jlightner=water....@lists.isc.org] On Behalf Of Kalman Feher
Sent: Monday, May 03, 2010 9:38 AM
To: BIND users
Subject: Re: Preparing for upcoming DNSSEC changes on 5/5

On 1/05/10 7:10 PM, "Server Administrator" <server53a...@gmail.com> wrote:

> I tried OARC's DNS Reply Size Test on two of my name servers, both on
> the same network, behind the same firewall & router.
>
> Both came back and reported "DNS reply size limit is at least 3843"
> (results below).
>
> Is 3843 close enough to 4096 to keep me safe next Wednesday (May 5th)?
> If not, do the required remedies need to be applied in named.conf, or
> the router & firewall? And if the latter, what, specifically, needs
> to be configured?
>
It really depends on what those remedies are...

First, consider the fact that a low UDP response will result in a TCP attempt occasionally (when the response is greater than your effective limit). So you should ensure that you can resolve queries using TCP. On the occasions when TCP is not possible, it is regularly caused by intervening network devices. So check firewalls and routers for filters that do not allow DNS over TCP. Also check for devices that inspect DNS queries. They can have some out-of-date assumptions regarding sizes.

Second, make sure the tested effective size appears in your named.conf in the options statement "edns-udp-size" on your resolver. In your case:

edns-udp-size 3843;

Finally, note that UDP is preferable for DNS, so ensuring the largest possible size will reduce the occurrence of TCP.
Take a look at your firewall settings for connection timeouts and consider what would happen if all the short-lived DNS UDP connections were suddenly replaced by longer-lived TCP connections.

> Other than OARC's page are there any sites that describe everything
> that needs to be done and checked to make sure we're good to go on
> 5/5?
>
It appears you are good to go.

-- 
Kal Feher

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
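The mechanism behind Kal's advice, as an added example that is not code from the thread: a query whose EDNS0 OPT record advertises a UDP payload size, and a resolver that retries over TCP when the reply comes back with the TC (truncated) bit set. The server and the two transports are constructed fakes so the example runs offline; the answer sizes fed to it are made-up values, not measurements of the signed root.

```python
import struct

TC_FLAG = 0x0200   # "truncated" bit in the DNS header flags word
DO_FLAG = 0x8000   # EDNS0 "DNSSEC OK" bit, carried in the OPT record's TTL field

def encode_name(qname):
    """Wire-format a domain name; "." becomes the single root label byte."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_edns_query(qname, qtype=48, udp_size=4096, txid=0x1234):
    """DNS query (qtype 48 = DNSKEY) carrying an OPT pseudo-record that
    advertises udp_size. OPT layout: name=root, TYPE=41, CLASS=payload size,
    TTL=ext-rcode/version/flags (DO bit set), RDLENGTH=0."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, DO_FLAG, 0)
    return header + question + opt

def advertised_udp_size(query):
    """Read the payload size back out of the trailing 11-byte OPT record."""
    _, rrtype, udp_size, _, _ = struct.unpack("!BHHIH", query[-11:])
    assert rrtype == 41, "no OPT record"
    return udp_size

def is_truncated(response):
    return bool(struct.unpack("!H", response[2:4])[0] & TC_FLAG)

def resolve(query, send_udp, send_tcp):
    """Resolver-side fallback: UDP first, TCP only if the reply was truncated.
    Returns (reply, transport_used)."""
    reply = send_udp(query)
    if not is_truncated(reply):
        return reply, "udp"
    return send_tcp(query), "tcp"

def fake_server(query, over_tcp, answer_size):
    """Constructed stand-in for a real server: an answer larger than the
    client's advertised buffer is cut down to its header with TC set."""
    limit = 65535 if over_tcp else advertised_udp_size(query)
    flags = 0x8180  # QR, RD, RA
    if answer_size > limit:
        return query[:2] + struct.pack("!H", flags | TC_FLAG) + query[4:12]
    return query[:2] + struct.pack("!H", flags) + query[4:12] + b"\x00" * (answer_size - 12)

def transport_used(udp_size, answer_size):
    """Which transport a root DNSKEY query ends up using for a given buffer size."""
    q = build_edns_query(".", udp_size=udp_size)
    return resolve(q, lambda x: fake_server(x, False, answer_size),
                   lambda x: fake_server(x, True, answer_size))[1]
```

Against a live resolver the same check is done with `dig +bufsize=<n> +dnssec` and `dig +tcp`; this block only models the decision the resolver makes, which is why DNS over TCP must pass the firewall.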