Noah Vail (Lorton, VA), reply to ctg1701a:
Re: DNSSEC upgrade should be just fine

said by ctg1701a: The fact that most DNS systems out on the Internet are neither doing DNSSEC validation, nor even EDNS0 (which deals with larger payload sizes for DNS packets)... Thanks, Chris Griffiths, Comcast

Thanks Chris.
I understand DNS Systems are not performing the validation (likely just caching the certificates). But they still have to receive the DNS packets from the Root Servers.
If a DNS System (or routers serving it) is only compliant with the obsolete DNSSEC protocols, doesn't that mean it can no longer receive updates from the Root 13?
NV

Note: If I have everything right, the current DNSSEC is compliant with RFC 4033-4035, 4376, 4398 and 4470. The problem routers/firewalls/DNS servers are those that only (and strictly) comply with the (now obsolete) RFC 2535 & 2538.

-- In my perfect religion, a giant hole appears and sucks up all the lousy people. I call it the Crapture.
ctg1701a (Philadelphia, PA):

said by Noah Vail: Thanks Chris.
I understand DNS Systems are not performing the validation (likely just caching the certificates). But they still have to receive the DNS packets from the Root Servers.
If a DNS System (or routers serving it) is only compliant with the obsolete DNSSEC protocols, doesn't that mean it can no longer receive updates from the Root 13?
NV
Note: If I have everything right, the current DNSSEC is compliant with RFC 4033-4035, 4376, 4398 and 4470. The problem routers/firewalls/DNS servers are those that only (and strictly) comply with the (now obsolete) RFC 2535 & 2538.

NV,
Unless a caching server is performing DNSSEC validation, or is requested by a stub resolver to do so, it will receive the same data from the root servers (or any other servers that may have signed zone data) as it does today, which should fit in the current UDP 512-byte size and will not contain the DNS signed data. The only reason you would receive, and ultimately cache, the larger-sized UDP packets with signed data and certification data would be if validation is turned on or requested.
Resolvers (from within the last year or so; you should not be running code prior to the Kaminsky vulnerability, www.kb.cert.org/vuls/id/800113, now anyway) should still function just fine without DNSSEC validation turned on come May 5th, as they do now.
Thanks,
Chris Griffiths, Comcast
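The distinction Chris draws above (a resolver only gets the larger, signature-bearing responses when it asks for them) is carried in the query itself: an EDNS0 OPT pseudo-record advertising a UDP buffer larger than 512 bytes, with the DNSSEC OK (DO) bit set. The following is an added example, not code from the thread, Comcast or any DNS vendor, that builds the three kinds of query (plain, EDNS0, EDNS0 with DO) in wire format and inspects a query to report what it is asking for. Packets are constructed in memory and never sent; the fixed transaction ID and the name example.com are constructed values for illustration.

```python
"""Build and inspect DNS queries with and without EDNS0 (RFC 6891) and the
DNSSEC OK (DO) bit (RFC 4035 section 3.2.1). Added example, not part of the
forum thread. Packets are constructed in-process and never sent."""
import struct

CLASSIC_UDP_LIMIT = 512   # RFC 1035 maximum UDP payload without EDNS0
TYPE_A, TYPE_OPT = 1, 41
DO_BIT = 0x8000           # DO flag lives in the OPT RR's 32-bit TTL field


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus root."""
    labels = [lb for lb in name.rstrip(".").split(".") if lb]
    out = b"".join(struct.pack("B", len(lb)) + lb.encode("ascii") for lb in labels)
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, edns: bool = False,
                do: bool = False, udp_size: int = 4096) -> bytes:
    """Return an A-record query. With edns=True an OPT pseudo-RR is appended
    in the additional section, advertising udp_size and, if do=True, the DO
    bit. txid is fixed here only for the demo; a real resolver randomizes it
    (that randomization is the Kaminsky fix referenced in the thread)."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)       # IN A
    pkt = header + question
    if edns:
        ttl = DO_BIT if do else 0
        # OPT RR: root name, type 41, CLASS field carries the UDP payload size,
        # TTL field carries extended RCODE/version/DO, no RDATA.
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return pkt


def skip_name(pkt: bytes, off: int) -> int:
    """Advance past a wire-format name (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:   # two-byte compression pointer
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def inspect_query(pkt: bytes) -> dict:
    """Report what a query asks of the server: whether EDNS0 is present, the
    advertised UDP buffer size, and whether DNSSEC records (DO) are wanted.
    A plain query implies the classic 512-byte limit and no signatures."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns):
        off = skip_name(pkt, off)
        rdlen = struct.unpack("!H", pkt[off + 8:off + 10])[0]
        off += 10 + rdlen
    result = {"edns0": False, "udp_size": CLASSIC_UDP_LIMIT, "do": False}
    for _ in range(ar):
        off = skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            result.update(edns0=True, udp_size=rclass, do=bool(ttl & DO_BIT))
    return result


if __name__ == "__main__":
    cases = [("plain", build_query("example.com.")),
             ("edns0", build_query("example.com.", edns=True)),
             ("edns0+do", build_query("example.com.", edns=True, do=True))]
    for label, q in cases:
        print(f"{label:9s} {len(q):3d} bytes  {inspect_query(q)}")
```

Pointing `inspect_query` at queries captured from your own stub resolvers tells you which of them will start asking for the larger signed responses: only the third case requests them, which is why a caching resolver that neither validates nor forwards DO-bit queries keeps seeing 512-byte answers after the root is signed.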
Noah Vail (Lorton, VA):
said by ctg1701a: Unless a caching server is performing DNSSEC validation or requested by a stub resolver to do so, it will receive the same data from the root servers, or any other servers that may have signed zone data as it does today which should fit in the current UDP 512 byte size and will not contain the DNS signed data. The only reason you would receive and ultimately cache the larger sized UDP packets and signed data and certification data would be if the validation is turned on or requested. Thanks, Chris Griffiths, Comcast

At last; an answer that cuts through the noise and actually addresses the point that was originally raised by the hype-mongers.
GREATLY appreciated.
NV

-- In my perfect religion, a giant hole appears and sucks up all the lousy people. I call it the Crapture.