Crucial Paradigm

#1
02-05-2010, 04:10 PM
Junior Member (Join Date: Dec 2009, Posts: 6)

DNSSEC support?

Do you intend to support DNSSEC before the test deployment on Thursday?

I'm unable to determine whether this 512 byte limit is coming from a network level issue, or both of our VPS (CentOS 5 & Debian 5).

I'm no DNSSEC expert, but it appears the following test determined that there is no EDNS support somewhere up the DNS tree, and that it is unable to cope with the >512 byte headers used by DNSSEC.

Quote:
stefan@crucial:~$ dig +short rs.dns-oarc.net txt
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"111.118.160.2 DNS reply size limit is at least 490"
"111.118.160.2 lacks EDNS, defaults to 512"
"Tested at 2010-05-02 06:09:09 UTC"
stefan@crucial:~$ cat /etc/resolv.conf
nameserver 111.118.160.2
nameserver 203.98.91.216
stefan@crucial:~$ dig +short rs.dns-oarc.net @111.118.160.2 txt
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"111.118.160.2 DNS reply size limit is at least 490"
"111.118.160.2 lacks EDNS, defaults to 512"
"Tested at 2010-05-02 06:09:09 UTC"
stefan@crucial:~$ dig +short rs.dns-oarc.net @203.98.91.216 txt
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"203.98.91.216 DNS reply size limit is at least 490"
"203.98.91.216 lacks EDNS, defaults to 512"
"Tested at 2010-05-02 06:09:26 UTC"
stefan@crucial:~$
Whereas at home

Quote:
stefan@home:~$ dig +short rs.dns-oarc.net txt
rst.x4091.rs.dns-oarc.net.
rst.x4049.x4091.rs.dns-oarc.net.
rst.x4055.x4049.x4091.rs.dns-oarc.net.
"2001:44b8:8060:ff00::80 sent EDNS buffer size 4096"
"Tested at 2010-05-02 06:12:05 UTC"
"2001:44b8:8060:ff00::80 DNS reply size limit is at least 4091"
stefan@home:~$ dig +short rs.dns-oarc.net @resolv.internode.on.net txt
rst.x3827.rs.dns-oarc.net.
rst.x4049.x3827.rs.dns-oarc.net.
rst.x4055.x4049.x3827.rs.dns-oarc.net.
"2001:44b8:8020:ff00::84 sent EDNS buffer size 4096"
"2001:44b8:8020:ff00::84 DNS reply size limit is at least 4055"
"Tested at 2010-05-02 06:12:16 UTC"
stefan@home:~$

Last edited by stefan; 02-05-2010 at 04:12 PM. Reason: add home/internode context
#2
03-05-2010, 02:18 PM
Aaron, Hosting Slave (Join Date: Dec 2008, Location: Sydney, Posts: 625)

Hi Stefan,

Thanks for pointing this out. We are currently aware of this and are making provisions to fix it before Thursday.


__________________
Aaron Weller
Powered by dare
Crucial Paradigm Staff
#3
03-05-2010, 02:54 PM
Junior Member (Join Date: Dec 2009, Posts: 6)

Thanks for the quick response, Aaron. Let's hope it gets done in time and nobody sees any outages.
#4
03-05-2010, 03:24 PM
Aaron, Hosting Slave (Join Date: Dec 2008, Location: Sydney, Posts: 625)

Hi Stefan,

No worries!

From what I have gathered regarding this issue, it would appear that it would not actually result in an outage if DNSSEC is not working; rather, any queries in regard to DNSSEC would have issues. Nonetheless, we are working to get this resolved ASAP and will make every effort to have this working before Thursday.

__________________
Aaron Weller
Crucial Paradigm Staff
#5
05-05-2010, 05:20 PM
Aaron, Hosting Slave (Join Date: Dec 2008, Location: Sydney, Posts: 625)

Hi Stefan,

We have replaced our resolvers with new software, and the new resolvers should fully support DNSSEC (we switched from djbdns to PowerDNS Recursor).

Can you please check and confirm?
__________________
Aaron Weller
Crucial Paradigm Staff
#6
06-05-2010, 08:38 AM
Junior Member (Join Date: Dec 2009, Posts: 6)

All good here; the root zone is probably already signed now too.
Quote:
stefan@crucial:~$ dig +short rs.dns-oarc.net txt
rst.x1177.rs.dns-oarc.net.
rst.x1152.x1177.rs.dns-oarc.net.
rst.x1158.x1152.x1177.rs.dns-oarc.net.
"111.118.160.2 sent EDNS buffer size 1200"
"111.118.160.2 DNS reply size limit is at least 1177"
"Tested at 2010-05-05 22:35:26 UTC"
stefan@crucial:~$
Though I wonder if 1200 is big enough when other providers are reporting in excess of 4k? I thought some signatures were expected to be up to 2k, but I may be wrong, and it could just be a pdns quirk.

Last edited by stefan; 06-05-2010 at 08:40 AM. Reason: 1200 vs 4k
#7
06-05-2010, 10:23 AM
Aaron, Hosting Slave (Join Date: Dec 2008, Location: Sydney, Posts: 625)

I don't think it's something to worry about; I would say that most other providers are probably using BIND, which may have a higher buffer. From our testing, it appears to be working correctly. If you do notice any issues, please be sure to let us know.
__________________
Aaron Weller
Crucial Paradigm Staff
#8
07-05-2010, 08:39 AM
Aaron, Hosting Slave (Join Date: Dec 2008, Location: Sydney, Posts: 625)

Just a quick update regarding DNSSEC and EDNS support. We have removed EDNS support from our servers, as there are a large number of servers which do not seem to be replying to EDNS requests, and as a result we were getting name resolution failures. Instead of using EDNS, clients will fall back to using DNS over TCP on port 53, which is fully supported by our resolvers.

For example, we had a number of customers who were not able to resolve www.eway.com.au (a payment processing company) due to name servers higher up not supporting EDNS requests.
__________________
Aaron Weller
Crucial Paradigm Staff
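The rs.dns-oarc.net probe in post #1 works by having the responder echo back the EDNS buffer size the querying resolver advertised (or reporting "lacks EDNS, defaults to 512" when no OPT record arrives), and post #8 describes the two ways a resolver copes when EDNS goes wrong: servers that never answer a query carrying an OPT record, and answers that no longer fit in UDP and have to be re-fetched over TCP. The following is an added example, not code from this thread or from PowerDNS/djbdns: it builds a query carrying an OPT record with a chosen UDP payload size and DO bit, parses a response for the responder's OPT record and TC flag, and encodes the retry decision. The function names (build_query, parse_response, next_step, make_sample_response) and the constructed sample response for www.example.com / 192.0.2.1 are this example's own, so it runs offline.

```python
"""EDNS0 probe and fallback logic (added example, not code from this thread).

Wire format per RFC 1035 (header, names, compression) and RFC 6891 (OPT RR).
All function names are this example's own; make_sample_response() produces
constructed test data so the module runs without network access.
"""
import struct
from typing import Optional

OPT_TYPE = 41      # RR type of the EDNS0 OPT pseudo-record
DO_FLAG = 0x8000   # DNSSEC OK bit: bit 15 of the OPT record's 32-bit TTL field
TC_FLAG = 0x0200   # TrunCation bit in the header flags word


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split(".") if label)
    return out + b"\x00"


def build_query(qname: str, qtype: int, qid: int = 0x1234,
                edns_bufsize: Optional[int] = None, do: bool = False) -> bytes:
    """Recursion-desired query; with edns_bufsize set, an OPT RR is added to the additional section."""
    arcount = 1 if edns_bufsize is not None else 0
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)   # RD set, one question
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)       # QTYPE, QCLASS=IN
    if edns_bufsize is not None:
        # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size,
        # TTL carries extended RCODE / version / DO / Z, and there is no RDATA.
        ttl = DO_FLAG if do else 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, ttl, 0)
    return msg


def skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a name, handling RFC 1035 compression pointers."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # a 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(data: bytes) -> dict:
    """Return header facts plus the OPT record's buffer size and DO bit, if one is present."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": qid, "tc": bool(flags & TC_FLAG), "rcode": flags & 0x000F,
            "answers": an, "edns_bufsize": None, "do": False}
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4                     # skip QTYPE, QCLASS
    for _ in range(an + ns + ar):                          # walk every RR section
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            info["edns_bufsize"] = rclass                  # None afterwards means "lacks EDNS"
            info["do"] = bool(ttl & DO_FLAG)
    return info


def next_step(response: Optional[bytes], sent_edns: bool) -> str:
    """Retry decision after one UDP exchange: 'done', 'retry_tcp', 'retry_plain_udp' or 'give_up'."""
    if response is None:
        # Silence is the failure mode from post #8: some servers never answer a query carrying OPT.
        return "retry_plain_udp" if sent_edns else "give_up"
    if parse_response(response)["tc"]:
        return "retry_tcp"      # answer did not fit the UDP limit; TCP/53 carries it whole
    return "done"


def make_sample_response(qid: int, tc: bool = False,
                         edns_bufsize: Optional[int] = None, do: bool = False) -> bytes:
    """Constructed sample: one A answer using a compressed name, plus an optional OPT RR."""
    flags = 0x8180 | (TC_FLAG if tc else 0)               # QR, RD, RA (+TC when truncated)
    arcount = 1 if edns_bufsize is not None else 0
    msg = struct.pack("!HHHHHH", qid, flags, 1, 1, 0, arcount)
    msg += encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    if edns_bufsize is not None:
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, DO_FLAG if do else 0, 0)
    return msg


if __name__ == "__main__":
    print(build_query("rs.dns-oarc.net", 16, edns_bufsize=4096, do=True).hex())
    print(parse_response(make_sample_response(1, edns_bufsize=1200)))
    print(next_step(make_sample_response(1, tc=True), sent_edns=False))
    print(next_step(None, sent_edns=True))
```

An edns_bufsize of None from parse_response is the condition the OARC test reports as "lacks EDNS, defaults to 512". One caveat on the fallback: the DO bit lives inside the OPT record, so a resolver that sends no OPT record at all cannot ask for RRSIG data in the first place; retrying over TCP only helps once a server has actually answered with TC set.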
Copyright 2003-2010 © Crucial Paradigm Pty Ltd, All Rights Reserved