On 3/05/10 10:25 PM, "Ray Van Dolson" <rvandol...@esri.com> wrote:
> David, I think you're exactly right. Lots of FUD, but, if I understand > correctly, BIND does by default does send out EDNS0 signalling by > default... EDNS0 does not imply DNSSEC. So you can get large responses back for lots of non DNSSEC queries. Having it enabled does not in anyway increase any risk on the 5/5. If you do not ask, you will not receive. So if today you do not have DNSSEC enabled; dnssec-enable and dnssec-validation (more recent BIND revisions), you will not receive the signed response, EDNS0 enabled or not. So these are your required checks: Do I have DNSSEC enabled? Yes - check your network as already discussed. No - Have a coffee, relax and consider enabling it by July, at least to test. > so it's still prudent to check your own firewall setups to > ensure you can handle the larger packet sizes. Yes, this will be useful in the future. But not required this week. > Worst case you see > delays if they do not. > -- Kal Feher _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users