My understanding of the issue is that normal DNS traffic uses small DNS UDP packets, less than 512 bytes. Because of this, some firewalls or DNS servers are configured to reject UDP packets larger than 512 bytes, figuring that they're broken or malicious. Signed DNSSEC packets are much larger than 512 bytes, potentially as large as 4K. Sensational claims in the Register notwithstanding (http://www.theregister.co.uk/2010/04/13/dnssec), my understanding is that the root servers will only return the longer DNSSEC responses when they are requested; otherwise there will be no change.
There is a test at https://www.dns-oarc.net/oarc/services/replysizetest you can run to see if your network's DNS server can handle the larger packets. Interestingly, although I've heard that OpenDNS will support DNSSEC, when I run the test from here (we use OpenDNS), the response comes back that their DNS server has limited the packet size to 512 bytes. I guess they don't have it in place yet.

...Tim

-----Original Message-----
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Monday, May 03, 2010 5:40 AM
To: NT System Admin Issues
Subject: DNSSEC and the root Domain Name Servers Changeover May 5th

Folks,

I have been getting some questions about the issues surrounding the changing of the root DNS servers implementing DNSSEC as of May 5th, and how this might affect zone transfers, and DNS in general, for organizations that aren't implementing DNSSEC yet, or don't have DNSSEC-compliant DNS servers (BIND/Windows etc.). From what I am reading, non-DNSSEC-aware DNS servers will get the DNS responses in the older non-compliant format. So this will work for resolvers (say Windows XP and below), but what about organizations/businesses that are hosting their zones accordingly? Do they need to be upgraded to DNSSEC just to participate in the DNS hierarchy or not? I was under the assumption this is really going to affect the TLDs more and the ISPs, but I'm definitely wrong about that. I'd like to hear everyone's ideas about this; reading some stuff, not all the info is telling me the same things.

Z

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
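The 512-byte limit Tim describes is negotiated through EDNS0: a resolver advertises the UDP payload size it accepts in an OPT record, and sets the DO bit to ask for DNSSEC records; an answer that would not fit comes back with the TC (truncated) flag so the client can retry over TCP. The following is an added example, not code from either poster or from DNS-OARC, that builds such a query, inspects a response for its advertised buffer size, DO bit and TC flag, and can send the query to a resolver of your choice. The sample response bytes and the hostname are constructed for illustration.

```python
import socket
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR
DO_BIT = 0x8000        # DNSSEC OK, high bit of the OPT TTL field's flags
TC_FLAG = 0x0200       # truncation flag in the DNS header

def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, qtype: int, edns_bufsize: int = 4096,
                dnssec_ok: bool = True, txid: int = 0x1234) -> bytes:
    """Recursion-desired query; with edns_bufsize > 0 an OPT RR advertises that UDP size."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if not edns_bufsize:
        return header + question
    ttl_flags = DO_BIT if dnssec_ok else 0   # ext-rcode=0, version=0, flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, ttl_flags, 0)
    return header + question + opt

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def inspect_response(resp: bytes) -> dict:
    """Report size, TC flag, and the buffer size / DO bit carried in any OPT RR."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # qtype + qclass
    info = {"size": len(resp), "truncated": bool(flags & TC_FLAG),
            "edns_bufsize": None, "dnssec_ok": False}
    for _ in range(an + ns + ar):
        off = _skip_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        if rtype == OPT_TYPE:            # CLASS field holds the UDP payload size
            info["edns_bufsize"], info["dnssec_ok"] = rclass, bool(ttl & DO_BIT)
        off += 10 + rdlen
    return info

def query_udp(server: str, name: str, qtype: int = 48, bufsize: int = 4096) -> dict:
    """Send the query to a resolver (type 48 = DNSKEY, a typically large answer)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name, qtype, bufsize), (server, 53))
        return inspect_response(s.recv(65535))

# Constructed response: QR|TC|RD|RA set, one question, one OPT RR capped at 512 bytes with DO.
SAMPLE_TRUNCATED = (struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 1)
                    + encode_name("example.com") + struct.pack("!HH", 48, 1)
                    + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 512, DO_BIT, 0))
```

A `truncated` result with a small `edns_bufsize` is the same symptom the reply-size test reports: the path or resolver is clamping UDP answers to 512 bytes, and clients will fall back to TCP for signed responses.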