 ScottMoOnce in a LifetimePremium,MVM
join:2000-12-15
Stony Brook, NY | That's not what El Reg said "While the vast majority of users are expected to endure the transition to DNSSEC smoothly, users behind badly designed or poorly configured firewalls, or those subscribing to dodgy ISPs could find themselves effectively disconnected."
Direct quote.
Nothing there to say the regular Joe Internet is going to lose service. The Register goes to further clarify:
Keith Mitchell, head of engineering at root server operator Internet Systems Consortium ... said he's also concerned about ISPs that rewrite DNS answers as they pass across their networks. Some ISPs do this to redirect their customers to cash-making search pages when they're trying to find a non-existent website. In China, ISPs use the same method to censor websites.
“They're doing a lot of fiddling along the way and it's by no means clear to me that the fiddling is aware of DNSSEC,” he said.
Valid point, no? |
|
Host:
Road Runner
PC gaming GAMES
PC gaming Tech
| said by you :
Nothing there to say the regular Joe Internet is going to lose service. said by The Register :
Will DNSSEC kill your internet?" said by The Register :
Internet users face the risk of losing their internet connections on 5 May when the domain name system switches over to a new, more secure protocol. He tries to downplay his own inflammatory title, but he's still making a bigger deal of this than even the experts quoted in his own story are. |
|
 Noah VailSon made my AvatarPremium
join:2004-12-10
Lorton, VA
kudos:1
 ·Bright House
 ·Sprint Mobile Br..
2 edits | said by Karl Bode:said by you :
Nothing there to say the regular Joe Internet is going to lose service. said by The Register :
Will DNSSEC kill your internet?" ]He tries to downplay his own inflammatory title, but he's still making a bigger deal of this than even the experts quoted in his own story are. Here's what isn't sorting out for me.
A DNS Resolver - directly downstream from the Root - has a 512 byte limit on it's upstream DNS communications.
and
All Root DNS Packets are suddenly larger than 512 bytes due to DNS certificates.
then
Doesn't that effectively kill all future Root DNS Updates for that DNS Resolver (until the limit is fixed)?
NV
edit:seperate 2 issues into 2 posts.
--
In my perfect religion, a giant hole appears and sucks up all the lousy people.
I call it the Crapture. |
|
|
|
 R4M0NBrazilian Soccer Ownz Joo
join:2000-10-04
Glen Allen, VA | reply to Karl Bode
A misleading title meant to get people to read the article itself?
SAY IT ANI'T SO!!!! |
|
Noah VailSon made my AvatarPremium
join:2004-12-10
Lorton, VA
kudos:1 Reviews:
·Bright House
·Sprint Mobile Br..
| reply to Karl Bode
If I understand correctly, only real issue here is that a few DNS servers might not be able to update from the Root Zone until they come into compliance with the current DNSSEC proticols.
I suppose an affected DNS resolver could get Root updates from a trusted peer instead, while the problem is addressed.
.
Like the Root Zone; most Tier 2 DNS Servers are diversified among several locations. I imagine a lot of DNS load could migrate to the servers that adhere to the current DNSSEC protocols, while non-compliant servers are upgraded.
There's also an RFC3383 protocol that addresses backward compatibility. It predates the current DNSSEC protocols but still seems to be in effect.
I'll see if/how it fits in here.
NV
--
In my perfect religion, a giant hole appears and sucks up all the lousy people.
I call it the Crapture. |
|
| reply to Noah Vail
No...
a: Such resolvers are likely to not ask for DNSSEC at all.
b: Even if they do, they will take a timeout and retry by TCP, which slows things down (by a couple of seconds), but otherwise the results still work. And for the root, queries hit the root so rarely that you're likely to never notice this timeout anyway. |
|
