daveinpoway
Premium Member
join:2006-07-03
Poway, CA

daveinpoway

Premium Member

Is AT&T ready for DNSSEC on May 5?

This is apparently a big thing, though not well publicized (I just found out about it today): »Testing your router for May 5 internet changes

It seems that not only routers, but ISP/third-party DNS servers are affected.

Are AT&T support people trained to help if customers call in on May 5 and say they can't get online?

CBLMorphis
join:2001-02-25
Riverside, CA

CBLMorphis

Member

I use VyprVPN, so is this going to affect both my router and my VPN?

I have to buy whole new equipment and I won't be able to use my VPN anymore?

I don't get it.
Madtown
Premium Member
join:2008-04-26
93637-2905

Madtown to daveinpoway

Premium Member

to daveinpoway
I have a 2wire 2701HG-B wireless router, I hope I'm not going to lose internet connection.

David
Premium Member
join:2002-05-30
Granite City, IL

David to daveinpoway

Premium Member

to daveinpoway
You guys should read the front page more often.

»Again, DNSSEC Updates Shouldn't Impact You [7] comments

Our own DNS guy for anycast, DNSguy, stopped by to answer the questions for uverse.

My linksys was affected, but I updated it last night and now it forwards to AT&T's anycast which is handling it just fine.

CBLMorphis
join:2001-02-25
Riverside, CA

CBLMorphis

Member

Well I have a Linksys befsr41, it's old, so will it affect me?

David
Premium Member
join:2002-05-30
Granite City, IL

2 edits

David

Premium Member

said by CBLMorphis:

Well I have a Linksys befsr41, it's old, so will it affect me?
I couldn't tell you, I don't have one to test it with. I fixed mine by unchecking DNSmasq inside dd-wrt. Most of my DNS queries will go right to the servers, I am assuming.

As DNSguy stated yesterday:
said by DNSguy:

That Register article was nothing but a bunch of FUD.

The only thing that is changing on May 5th is that the root name servers will start replying with signed DNSSEC answers if and only if the downstream resolver ASKS for them.
If the downstream resolver does not ask, things will continue to work as they do today.

There is a second issue to this in that a lot of firewalls and home routers restrict a UDP DNS response to a 512 byte packet.

When you include DNSSEC information, most DNS responses will be larger than that. If the packet size is restricted, the query will be performed over TCP which has more overhead due to handshaking. This, in turn, could slow down your DNS resolution times.

Our corporate network would be affected; customers are on the production network and are typically, as DNSguy stated... not affected.

If it makes you feel warm and fuzzy, both AT&T's anycast are ready for the DNSSEC should they come down to it.
Test results

for resolver: 68.94.157.1

Announced buffer size: 4096 bytes
Measured buffer size: 3839 bytes
EDNS enabled: yes
DNSSEC enabled: yes

Your resolver announced a buffer size bigger than the largest packet that it can receive.

Note: There will always be a difference between the announced and measured buffer size because of the algorithm used. However this difference should not exceed 300 bytes.

for resolver: 68.94.156.1

Announced buffer size: 4096 bytes
Measured buffer size: 3839 bytes
EDNS enabled: yes
DNSSEC enabled: yes

Your resolver announced a buffer size bigger than the largest packet that it can receive.

Note: There will always be a difference between the announced and measured buffer size because of the algorithm used. However this difference should not exceed 300 bytes.
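
The mechanism described in the post above (signed answers only when the resolver asks, the 512-byte UDP limit, and the fallback to TCP), as an added example that is not part of the original thread: a resolver asks for DNSSEC data by attaching an EDNS0 OPT record with the "DNSSEC OK" bit and an advertised UDP buffer size, and a reply that does not fit comes back with the truncated flag set. The function names, the query ID and the sample messages are constructed for illustration.

```python
import struct

DO_BIT = 0x8000  # "DNSSEC OK" flag carried in the EDNS0 OPT record
TC_BIT = 0x0200  # "truncated" flag in the DNS header: retry over TCP

def build_query(name, qtype, qid, edns_size=None, do=False):
    """Build a DNS query; edns_size=None yields a plain, pre-EDNS query."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".") if p)
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    arcount = 0 if edns_size is None else 1
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount) + question
    if edns_size is not None:
        # OPT RR: root owner name, type 41, CLASS = UDP payload size,
        # TTL = ext-rcode/version/flags (DO is the top flag bit), RDLEN = 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, DO_BIT if do else 0, 0)
    return msg

def _skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + n

def inspect(msg):
    """Return (truncated, advertised_udp_size, dnssec_ok) for a DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    size, do = 512, False  # no OPT record: the classic 512-byte UDP limit
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            size, do = rclass, bool(ttl & DO_BIT)
    return bool(flags & TC_BIT), size, do

def fits_udp(query, response_len):
    """True if a response of response_len bytes fits what the query advertised."""
    return response_len <= inspect(query)[1]

# Constructed samples: root NS query without and with EDNS0/DO, and a truncated reply.
PLAIN = build_query(".", 2, 0x1234)
SIGNED = build_query(".", 2, 0x1234, edns_size=4096, do=True)
TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8100 | TC_BIT, 1, 0, 0, 0) + PLAIN[12:]
```
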


nwrickert
Mod
join:2004-09-04
Geneva, IL

nwrickert to daveinpoway

Mod

to daveinpoway
The AT&T DNS servers are running the BIND software, which is DNSSEC capable.

My tests, in accordance with the tests in
»Testing your router for May 5 internet changes
indicate that they are doing just fine.

The changes on May 5 only affect communication between the ISP servers and the root servers. They don't affect communication between you and the ISP servers.

Testing DNS lookups via my 2Wire RG (with u-verse) shows that it also does fine. And things are fine with running my own local BIND dns server.

I am not seeing any reason for concern.

Note: If AT&T dns servers were not ready, that would not be a problem either. Their dns lookups would continue to work without DNSSEC.
Frohike7
Premium Member
join:2000-07-23
Waxahachie, TX

Frohike7 to daveinpoway

Premium Member

to daveinpoway
Just to reassure everyone - if you are using AT&T DNS servers, you will not see a difference.

However, if you are using 3rd party DNS servers, you are on your own.
daveinpoway
Premium Member
join:2006-07-03
Poway, CA

daveinpoway

Premium Member

Well, I am using OpenDNS and, so far at least, I can connect today (May 5).