
daveinpoway
Premium
join:2006-07-03
Poway, CA
kudos:2

Is AT&T ready for DNSSEC on May 5?

This is apparently a big thing, though not well publicized (I just found out about it today): »Testing your router for May 5 internet changes

It seems that not only routers, but ISP/third-party DNS servers are affected.

Are AT&T support people trained to help if customers call in on May 5 and say they can't get on-line?


CBLMorphis

join:2001-02-25
Riverside, CA
I use VyprVPN, so is this going to affect both my router and my VPN?

I have to buy whole new equipment and I won't be able to use my VPN anymore?

I don't get it.
--
Like My DSL!!!

Madtown
Premium
join:2008-04-26
Madera, CA
reply to daveinpoway
I have a 2wire 2701HG-B wireless router, I hope I'm not going to lose internet connection.


David
I start new work on
Premium,VIP
join:2002-05-30
Granite City, IL
kudos:101
Reviews:
·DIRECTV
·AT&T Midwest
·magicjack.com
·Google Voice
reply to daveinpoway
You guys should read the front page more often.

»Again, DNSSEC Updates Shouldn't Impact You

Our own DNS guy for anycast, DNSguy, stopped by to answer the questions for uverse.

My linksys was affected, but I updated it last night and now it forwards to AT&T's anycast which is handling it just fine.
--
If you have a topic in the direct forum please reply to it or a post of mine, I get a notification when you do this.
Koetting Ford, Granite City, illinois... YOU'RE FIRED!!


CBLMorphis

join:2001-02-25
Riverside, CA
Well I have a Linksys befsr41, it's old, so will it affect me?
--
Like My DSL!!!


David
I start new work on
Premium,VIP
join:2002-05-30
Granite City, IL
kudos:101
said by CBLMorphis:

Well I have a Linksys befsr41, it's old, so will it affect me?
I couldn't tell you, I don't have one to test it with. I fixed mine by unchecking DNSmasq inside dd-wrt. Most of my DNS queries will go right to the servers, I am assuming.

As DNSguy stated yesterday:

said by DNSguy:

That Register article was nothing but a bunch of FUD.

The only thing that is changing on May 5th is that the root name servers will start replying with signed DNSSEC answers if and only if the downstream resolver ASKS for them.
If the downstream resolver does not ask, things will continue to work as they do today.

There is a second issue to this in that a lot of firewalls and home routers restrict a UDP DNS response to a 512 byte packet.

When you include DNSSEC information, most DNS responses will be larger than that. If the packet size is restricted, the query will be performed over TCP which has more overhead due to handshaking. This, in turn, could slow down your DNS resolution times.

Our corporate network would be affected; customers are on the production network and are typically, as DNSguy stated... not affected.

If it makes you feel warm and fuzzy both at&t's anycast are ready for the DNSSEC should they come down to it.

Test results

for resolver: 68.94.157.1

Announced buffer size: 4096 bytes
Measured buffer size: 3839 bytes
EDNS enabled: yes
DNSSEC enabled: yes

Your resolver announced a buffer size bigger than the largest packet that it can receive.

Note: There will always be a difference between the announced and measured buffer size because of the algorithm used. However this difference should not exceed 300 bytes.

for resolver: 68.94.156.1

Announced buffer size: 4096 bytes
Measured buffer size: 3839 bytes
EDNS enabled: yes
DNSSEC enabled: yes

Your resolver announced a buffer size bigger than the largest packet that it can receive.

Note: There will always be a difference between the announced and measured buffer size because of the algorithm used. However this difference should not exceed 300 bytes.

--
If you have a topic in the direct forum please reply to it or a post of mine, I get a notification when you do this.
Koetting Ford, Granite City, illinois... YOU'RE FIRED!!
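
An added example, not part of any post in this thread: what it means on the wire for a resolver to "ask" for DNSSEC answers (an EDNS0 OPT record with the DO bit set and an advertised UDP size), and how the 512-byte limit quoted above pushes a larger answer to TCP. The function names, the 800-byte response size and the `path_limit` parameter are assumptions made for illustration, and the transport decision is a simplified model of the behaviour described in the quoted post.

```python
import struct

OPT, DO_FLAG = 41, 0x8000  # EDNS0 pseudo-record type; "DNSSEC OK" bit in its TTL field

def build_query(name, qtype=2, edns=True, udp_size=4096, do=True, txid=0x1234):
    """Build a DNS query (default QTYPE 2 = NS); optionally append an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = [l.encode() for l in name.strip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    if edns:
        # OPT RR: root owner name, TYPE 41, CLASS = advertised UDP size,
        # TTL = ext-rcode | version | flags (DO is the top flag bit), RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", OPT, udp_size, DO_FLAG if do else 0, 0)
    return msg

def parse_edns(query):
    """Return (advertised_udp_size, do_bit); (512, False) when no OPT is present."""
    arcount = struct.unpack("!H", query[10:12])[0]
    pos = 12
    while query[pos]:          # skip QNAME labels (no compression in a query)
        pos += query[pos] + 1
    pos += 1 + 4               # terminating zero label, QTYPE, QCLASS
    if arcount == 0:
        return 512, False
    rtype, rclass, ttl, _ = struct.unpack("!HHIH", query[pos + 1:pos + 11])
    return (rclass, bool(ttl & DO_FLAG)) if rtype == OPT else (512, False)

def transport(query, response_len, path_limit=None):
    """Simplified model: UDP if the answer fits the advertised size and the path, else TCP."""
    size, _ = parse_edns(query)
    limit = min(size, path_limit) if path_limit else size
    return "udp" if response_len <= limit else "tcp"

def gap_within_tolerance(announced, measured, tolerance=300):
    """The test's note: announced minus measured should not exceed 300 bytes."""
    return announced - measured <= tolerance

if __name__ == "__main__":
    legacy, signed = build_query(".", edns=False), build_query(".")
    print(parse_edns(legacy), parse_edns(signed))
    print(transport(signed, 800), transport(signed, 800, path_limit=512))
    print(gap_within_tolerance(4096, 3839))  # values from the test results above
```
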


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to daveinpoway
The AT&T DNS servers are running the BIND software, which is DNSSEC capable.

My tests, in accordance with the tests in
»Testing your router for May 5 internet changes
indicate that they are doing just fine.

The changes on May 5 only affect communication between the ISP servers and the root servers. They don't affect communication between you and the ISP servers.

Testing DNS lookups via my 2Wire RG (with u-verse) shows that it also does fine. And things are fine with running my own local BIND dns server.

I am not seeing any reason for concern.

Note: If AT&T dns servers were not ready, that would not be a problem either. Their dns lookups would continue to work without DNSSEC.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 11.0; firefox 3.5.9

Frohike
Premium
join:2000-07-23
Waxahachie, TX
kudos:4
reply to daveinpoway
Just to reassure everyone - if you are using AT&T DNS servers, you will not see a difference.

However, if you are using 3rd party DNS servers, you are on your own.

daveinpoway
Premium
join:2006-07-03
Poway, CA
kudos:2
Well, I am using OpenDNS and, so far at least, I can connect today (May 5).