 trparkyApple... YUMPremium,MVM join:2000-05-24 Cleveland, OH kudos:1 3 edits | May 5th DNS changes, uVerse, and you
"Your resolver announced a buffer size bigger than the largest packet that it can receive."
Announced buffer size: 4096 bytes
Measured buffer size: 3838 bytes
EDNS enabled: yes
DNSSEC enabled: yes
quote: This scenario can cause problems for a resolver, because it expects to receive large responses, but they never make it through for a number of reasons. The most common causes are firewalls which block DNS packets bigger than 512 bytes, or fragmentation, which causes a large DNS packet to be broken up into smaller fragments which routers and/or firewalls don't know how to handle. We recommend that you configure your network, routers and firewalls to handle larger packets and/or fragments. If this isn't a viable option, you could consider lowering the announced buffer size in your resolver to match the actual size that it can receive. This will at least allow packets to get through, even if it causes truncation. Your resolver can then immediately fall back to TCP. See below on how to configure BIND and Unbound to set specific buffer sizes.
That's what I get when I test the RG's DNS Resolver. So, what does this all mean for us uVerse users on May 5th? -- Tom |
|
 djrobx join:2000-05-31 Valencia, CA kudos:1 1 edit | Ok, I'm totally lost. Other than a lot of Cinco de Mayo partying, what's happening on May 5? -- AT&T U-Hearse Your funeral. Delivered.
|
 trparkyApple... YUMPremium,MVM join:2000-05-24 Cleveland, OH kudos:1 | »www.theregister.co.uk/2010/04/13/dnssec/ -- Tom |
|
 JonPremium join:2001-01-20 Lisle, IL 1 edit | reply to trparky Please explain why I should care about this? Seriously, not being a smart ass. I just have no idea what this means.
Edit: Oh okay. I read the article. Meh, I doubt it'll be a problem. |
|
 trparkyApple... YUMPremium,MVM join:2000-05-24 Cleveland, OH kudos:1 | With the changes that are going to happen on the 5th of next month it could mean that a whole hell of a lot of people aren't going to be able to look up domain names, especially people with older routers. -- Tom |
|
 | Sounds more like another year 2000 all computers will crash scare cause they can't handle the date. Any major DNS server will be up to date on this and most all users will not notice anything on May 5th. 
Chris |
|
 | The U-Verse RG handles EDNS queries just fine:
D:\dig-files3>dig @192.168.1.254 txt test.rs.ripe.net +short
rst.x3828.rs.ripe.net.
rst.x3833.x3828.rs.ripe.net.
rst.x3839.x3833.x3828.rs.ripe.net.
"151.164.11.208 DNS reply size limit is at least 3839 bytes"
"151.164.11.208 sent EDNS buffer size 4096"
"151.164.11.208 summary bs=4096,rs=3839,edns=1,do=1"
D:\dig-files3>
That is a test query to see if the U-Verse RG will properly make and receive an EDNS query, and it does. I also tested the upstream U-Verse resolvers in my area (68.94.156.1 and 68.94.157.1) and they also work correctly with EDNS.
As has been mentioned, this is not really a problem for end users. As long as your ISP has done its homework and made sure their DNS servers operate properly, you won't have an issue. |
|
 djrobx join:2000-05-31 Valencia, CA kudos:1 1 edit | reply to trparky Test results for resolver: 192.168.99.1
Announced buffer size: 4096 bytes
Measured buffer size: 3839 bytes
EDNS enabled: yes
DNSSEC enabled: yes
We successfully received a response much larger than 512 bytes, so I'd say this means we're good to go. -- AT&T U-Hearse Your funeral. Delivered.
|
 JTM1051Premium,MVM join:2000-07-08 Moorpark, CA kudos:1 | reply to trparky Last paragraph of the article:
"Home users using residential hubs should not panic if these tests return scary results. According to Mitchell, it currently only matters that the ISP supports DNSSEC. A dodgy Netgear box is not enough to kill your internet... cross fingers." |
|
 DNSguy join:2006-04-09 Broomfield, CO kudos:3 | reply to trparky That Register article was nothing but a bunch of FUD.
The only thing that is changing on May 5th is that the root name servers will start replying with signed DNSSEC answers if and only if the downstream resolver ASKS for them. If the downstream resolver does not ask, things will continue to work as they do today.
There is a second issue to this in that a lot of firewalls and home routers restrict a UDP DNS response to a 512 byte packet.
When you include DNSSEC information, most DNS responses will be larger than that. If the packet size is restricted, the query will be performed over TCP which has more overhead due to handshaking. This, in turn, could slow down your DNS resolution times.
The RG does not restrict the DNS UDP packet size, so this is not a problem with U-Verse. |
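An added example, not part of any post in this thread: a Python sketch of how a resolver "asks" for DNSSEC (the DO bit) and announces its UDP buffer size in an EDNS0 OPT record, and what happens to a large answer when the announced size, the answer size and the size the path really passes disagree. The name example.com, the helper names and the answer sizes are constructed for illustration; 4096 and 3839 are the announced and measured sizes quoted in the thread.

```python
import struct

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    parts = [p for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_query(name, qtype=16, udp_size=None, do=False, qid=0x1234):
    """Build a DNS query; passing udp_size appends an EDNS0 OPT record (RFC 6891)."""
    msg = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0 if udp_size is None else 1)
    msg += encode_name(name) + struct.pack("!2H", qtype, 1)  # QTYPE (16 = TXT), class IN
    if udp_size is not None:
        flags = 0x8000 if do else 0  # DO bit: "send me DNSSEC records"
        # OPT RR: root name, TYPE 41, CLASS carries the announced UDP buffer size,
        # TTL carries extended RCODE, version and flags, RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_size, flags, 0)
    return msg

def skip_name(msg, pos):
    """Return the offset just past an uncompressed name starting at pos."""
    while msg[pos]:
        pos += msg[pos] + 1
    return pos + 1

def parse_edns(msg):
    """Return (announced_size, do_bit) from a query, or None if it has no OPT."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == 41:
            return rclass, bool(ttl & 0x8000)
        pos += 10 + rdlen
    return None

def delivery(query, response_len, path_limit):
    """Outcome for a response_len-byte answer when the path passes at most
    path_limit bytes of UDP DNS (both values are supplied by the caller)."""
    edns = parse_edns(query)
    announced = max(512, edns[0]) if edns else 512  # no OPT means the classic 512 limit
    if response_len > announced:
        return "truncated, retry over TCP"          # server sets TC, client falls back
    if response_len > path_limit:
        return "dropped on path, query times out"   # announced more than can arrive
    return "delivered over UDP"

if __name__ == "__main__":
    q = build_query("example.com", udp_size=4096, do=True)  # constructed sample
    print(parse_edns(q), delivery(q, 3900, 3839))
```

The middle case is the one the buffer-size test warns about: an answer that fits the announced size but not the path is silently lost, while lowering the announced size turns the same answer into a truncation and a TCP retry.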
|
 trparkyApple... YUMPremium,MVM join:2000-05-24 Cleveland, OH kudos:1 | said by DNSguy: The RG does not restrict the DNS UDP packet size, so this is not a problem with U-Verse.
That's the answer I was looking for!!!!
So we get to avoid a possible replay of the whole DNS issue we were all having with the older RG firmwares. -- Tom |
|
 | SomeJoe already answered it up a few posts before dnsguy. 
Chris |
|