No, DNSSEC Upgrades Won't Break The Internet Next Week
DNSSEC could 'kill your Internet,' proclaims the Register. Not so much, says expert.
by Karl Bode 09:05AM Thursday Apr 29 2010 Tipped by tmpchaos
Updated with comments from Comcast engineers and OpenDNS's CEO. "Internet users face the risk of losing their internet connections on 5 May when the domain name system switches over to a new, more secure protocol," proclaims the Register, which informs its readers that DNSSEC upgrades could "kill your internet." The article insists that "from 5 May all the DNS root servers will only respond with signed DNSSEC answers," then implies this could cut users off completely. That certainly sounds scary. Would it make you feel any better to learn that most of it isn't true?

DNSSEC is a set of extensions to DNS that lets resolvers cryptographically verify that the answers they receive are the ones the zone operator published and have not been altered in transit. It is meant to combat attacks such as DNS cache "poisoning" and the phishing that rides on forged DNS answers (it does nothing against phishing that uses a legitimately registered look-alike domain). As we mentioned recently, Comcast hopes to have the upgrade installed by the end of 2011 ("if not sooner"), while OpenDNS has said it will use an alternative to DNSSEC, DNSCurve, which it claims is simpler and easier to deploy.

Upgrading to DNSSEC is a slow and measured affair that is only just getting off the ground, and despite The Register's claim that the Internet may grind to a halt next Wednesday, all 13 root servers will behave normally for end users after next week's DNSSEC change whether or not your ISP is fully prepared (and most certainly aren't). There is, however, a small problem that could slow things down slightly for a very small portion of users, as "El Reg" explains:
quote:
Normal DNS traffic uses the UDP protocol, which is faster and less resource-hungry than TCP. Normal DNS UDP packets are also quite small, under 512 bytes. Because of this, some pieces of network gear are configured out of the box to reject any UDP packet over 512 bytes on the basis that it's probably broken or malicious. Signed DNSSEC packets are quite a lot bigger than 512 bytes, and from 5 May all the DNS root servers will respond with signed DNSSEC answers.
Kind of, except that, as we understand it, root servers only return signatures to queries that explicitly ask for them. On the wire that means the query must carry an EDNS0 OPT record with the DNSSEC OK (DO) bit set, and that same OPT record is what tells the server the client can accept a UDP answer larger than the classic 512 bytes. A resolver that never sends EDNS0 keeps getting the same small, unsigned answers it gets today, and the only clients that can run into the oversized-UDP problem are the ones that both ask for signatures and advertise a buffer size their own path can't actually deliver. In other words? The vast majority of Internet users won't notice a damn thing next week.

Keith Mitchell, head of engineering at root server operator Internet Systems Consortium, takes issue with the very Register article he's quoted in. "No-one is going to completely lose Internet service as a result of the signed root -- or indeed any DNSSEC deployment efforts -- and I certainly didn't say that," he says. "The worst that is going to happen is that a tiny minority of users behind mis-configured firewall or middleware boxes may experience some performance degradation when their clients have to attempt alternative paths for resolving names," says Mitchell of the May 5 upgrade.

Apparently, "Highly Technical Upgrade May Cause Very Small Problem" wasn't as hit-generating as claiming the world might end. Users interested in learning more about DNSSEC can head to our security forum, where users are discussing the upgrade and how to test your ISP for DNSSEC preparedness and possible problems next week. Meanwhile, this 2008 report (pdf) examines which home networking gear could be affected (most of which has already been updated to address the problem).

Update: Comcast's Chris Griffiths stops by our comments to add Comcast's view of next week's changes and to reiterate that this really isn't anything to worry about:
quote:
The folks who are working on getting the root signed have done a lot of detailed analysis and have taken great care not to impact any DNS services on the Internet. The fact that most DNS systems out on the Internet are neither doing DNSSEC validation, nor even EDNS0 (which deals with larger payload sizes for DNS packets) means there will most likely be no impact to end users on May 5th. As more domains get signed and DNS resolvers that people use (like the Comcast DNSSEC trial) begin doing validation and utilizing EDNS0, you may see more operational issues with end user systems. This is why we are currently testing out DNSSEC in a production trial and testing and providing feedback to our customers and the Internet community here: »www.dnssec.comcast.net.
Update 2: David Ulevitch, Founder & CEO of OpenDNS, also stopped by our comments to clarify that OpenDNS will in fact support DNSSEC, though Ulevitch feels DNSSEC "isn't the right answer":
quote:
Just a clarification... while we support and endorse DNSCurve, we will ultimately be supporting DNSSEC also. They aren't mutually exclusive. I think most vendors would agree DNSSEC isn't the right answer, but publicly there's just too much of a groundswell of support around it not to support it due to peer pressure in the DNS community.

dellsweig
Extreme Aerobatics
Campbell Hall, NY

Check your home routers compatibility

»download.nominet.org.uk/dnssec-c···port.pdf

Many vendors have released updates to both the bind daemons and DNSmasq.

It is possible many home routers are affected by this.
--
Nothin' left to do but smile smile smile

djrobx
Valencia, CA

Re: Check your home routers compatibility

I tried updating dnsmasq on my Debian Lenny box and it still isn't working. I'll try updating to unstable or building from source. What a pain.
--
AT&T U-Hearse
Your funeral. Delivered.
nweaver
Napa, CA
Also, we include tests for this as part of Netalyzr ( »netalyzr.icsi.berkeley.edu )

For the client->internet connection, we check for the ability to directly receive DNS requests of various sizes with and without EDNS to see if there is something on the client's path which may cause problems (eg, no fragments allowed, no EDNS allowed, assumes that DNS = 512B).

For the resolver, we check the actual MTU, the advertised MTU, whether it requests DNSSEC data, whether it can handle fragments, and whether it can properly fall back to TCP (all issues which affect DNSSEC).

ScottMo
Once in a Lifetime
Stony Brook, NY

That's not what El Reg said

"While the vast majority of users are expected to endure the transition to DNSSEC smoothly, users behind badly designed or poorly configured firewalls, or those subscribing to dodgy ISPs could find themselves effectively disconnected."

Direct quote.

Nothing there to say the regular Joe Internet is going to lose service. The Register goes to further clarify:

Keith Mitchell, head of engineering at root server operator Internet Systems Consortium ... said he's also concerned about ISPs that rewrite DNS answers as they pass across their networks. Some ISPs do this to redirect their customers to cash-making search pages when they're trying to find a non-existent website. In China, ISPs use the same method to censor websites.

“They're doing a lot of fiddling along the way and it's by no means clear to me that the fiddling is aware of DNSSEC,” he said.

Valid point, no?

Karl Bode
News Guy

Re: That's not what El Reg said

said by you:

Nothing there to say the regular Joe Internet is going to lose service.
said by The Register:

"Will DNSSEC kill your internet?"
said by The Register:

Internet users face the risk of losing their internet connections on 5 May when the domain name system switches over to a new, more secure protocol.
He tries to downplay his own inflammatory title, but he's still making a bigger deal of this than even the experts quoted in his own story are.

Noah Vail
Son made my Avatar
Lorton, VA

Re: That's not what El Reg said

said by Karl Bode:

said by you:

Nothing there to say the regular Joe Internet is going to lose service.
said by The Register:

"Will DNSSEC kill your internet?"
He tries to downplay his own inflammatory title, but he's still making a bigger deal of this than even the experts quoted in his own story are.
Here's what isn't sorting out for me.

A DNS Resolver - directly downstream from the Root - has a 512 byte limit on its upstream DNS communications.

and

All Root DNS Packets are suddenly larger than 512 bytes due to DNS certificates.

then

Doesn't that effectively kill all future Root DNS Updates for that DNS Resolver (until the limit is fixed)?

NV

edit: separate 2 issues into 2 posts.
--
In my perfect religion, a giant hole appears and sucks up all the lousy people.
I call it the Crapture.
nweaver
Napa, CA

Re: That's not what El Reg said

No...

a: Such resolvers are likely to not ask for DNSSEC at all.

b: Even if they do, they will take a timeout and retry by TCP, which slows things down (by a couple of seconds), but otherwise the results still work. And for the root, queries hit the root so rarely that you're likely to never notice this timeout anyway.

R4M0N
Brazilian Soccer Ownz Joo
Glen Allen, VA
A misleading title meant to get people to read the article itself?

SAY IT AIN'T SO!!!!

Noah Vail
Son made my Avatar
Lorton, VA
If I understand correctly, the only real issue here is that a few DNS servers might not be able to update from the Root Zone until they come into compliance with the current DNSSEC protocols.

I suppose an affected DNS resolver could get Root updates from a trusted peer instead, while the problem is addressed.

.
Like the Root Zone; most Tier 2 DNS Servers are diversified among several locations. I imagine a lot of DNS load could migrate to the servers that adhere to the current DNSSEC protocols, while non-compliant servers are upgraded.

There's also an RFC3383 protocol that addresses backward compatibility. It predates the current DNSSEC protocols but still seems to be in effect.

I'll see if/how it fits in here.

NV
--
In my perfect religion, a giant hole appears and sucks up all the lousy people.
I call it the Crapture.
neftv
Broomall, PA

Why not use this security feature....

...Since it "helps combat things like DNS cache "poisoning" and phishing scams".
If it's good for the root servers, why shouldn't it be good for the rest of the DNS servers?
I see it as a broken feature if the Internet offers it and Verizon FiOS, for example, does not. It seems that Comcast is on the way to having it.
jus10
Sterling, VA

I've been using it for a while

Comcast has had their DNSSEC trial going for some time and they fixed the last issue I was having on April 22nd so it seems to work fine now.

It's pretty much transparent to me.

»www.dnssec.comcast.net/

ctg1701a
Media, PA

DNSSEC upgrade should be just fine

The folks who are working on getting the root signed have done a lot of detailed analysis and have taken great care not to impact any DNS services on the Internet. The fact that most DNS systems out on the Internet are neither doing DNSSEC validation, nor even EDNS0 (which deals with larger payload sizes for DNS packets) means there will most likely be no impact to end users on May 5th. As more domains get signed and DNS resolvers that people use (like the Comcast DNSSEC trial) begin doing validation and utilizing EDNS0, you may see more operational issues with end user systems. This is why we are currently testing out DNSSEC in a production trial and testing and providing feedback to our customers and the Internet community here: »www.dnssec.comcast.net.

Thanks

Chris Griffiths
Comcast

Noah Vail
Son made my Avatar
Lorton, VA

Re: DNSSEC upgrade should be just fine

said by ctg1701a:

The fact that most DNS systems out on the Internet are neither doing DNSSEC validation, nor even EDNS0 (which deals with larger payload sizes for DNS packets)...
Thanks

Chris Griffiths
Comcast
Thanks Chris.

I understand DNS Systems are not performing the validation (likely just caching the certificates). But they still have to receive the DNS packets from the Root Servers.

If a DNS System (or routers serving it) is only compliant with the obsolete DNSSEC protocols, doesn't that mean it can no longer receive updates from the Root 13?

NV
.
Note: If I have everything right, the current DNSSEC is compliant with RFC 4033-4035, 4376, 4398 and 4470.
The problem routers/firewalls/DNS servers are those that only (and strictly) comply with the (now obsolete) RFC 2535 & 2538.

.
--
In my perfect religion, a giant hole appears and sucks up all the lousy people.
I call it the Crapture.

ctg1701a
Media, PA

Re: DNSSEC upgrade should be just fine

said by Noah Vail:

Thanks Chris.

I understand DNS Systems are not performing the validation (likely just caching the certificates). But they still have to receive the DNS packets from the Root Servers.

If a DNS System (or routers serving it) is only compliant with the obsolete DNSSEC protocols, doesn't that mean it can no longer receive updates from the Root 13?

NV
.
Note: If I have everything right, the current DNSSEC is compliant with RFC 4033-4035, 4376, 4398 and 4470.
The problem routers/firewalls/DNS servers are those that only (and strictly) comply with the (now obsolete) RFC 2535 & 2538.

.
NV,

Unless a caching server is performing DNSSEC validation or requested by a stub resolver to do so, it will receive the same data from the root servers, or any other servers that may have signed zone data as it does today which should fit in the current UDP 512 byte size and will not contain the DNS signed data. The only reason you would receive and ultimately cache the larger sized UDP packets and signed data and certification data would be if the validation is turned on or requested.

Resolvers (within the last year or so - You should not be running code prior to the Kaminsky vulnerability »www.kb.cert.org/vuls/id/800113 now anyway) should still function just fine without DNSSEC validation turned on come May 5th as they do now.

Thanks

Chris Griffiths
Comcast

Noah Vail
Son made my Avatar
Lorton, VA

Re: DNSSEC upgrade should be just fine

said by ctg1701a:

Unless a caching server is performing DNSSEC validation or requested by a stub resolver to do so, it will receive the same data from the root servers, or any other servers that may have signed zone data as it does today which should fit in the current UDP 512 byte size and will not contain the DNS signed data. The only reason you would receive and ultimately cache the larger sized UDP packets and signed data and certification data would be if the validation is turned on or requested.

Thanks

Chris Griffiths
Comcast
At last;
an answer that cuts through the noise
and actually addresses the point
that was originally raised by the hype-mongers.

GREATLY appreciated.

NV
--
In my perfect religion, a giant hole appears and sucks up all the lousy people.
I call it the Crapture.

davidu
San Francisco, CA

Update from OpenDNS

Just a clarification... while we support and endorse DNSCurve, we will ultimately be supporting DNSSEC also. They aren't mutually exclusive.

I think most vendors would agree DNSSEC isn't the right answer, but publicly there's just too much of a groundswell of support around it not to support it due to peer pressure in the DNS community.

Noah Vail
Son made my Avatar
Lorton, VA

Re: Update from OpenDNS

said by davidu:

Just a clarification... while we support and endorse DNSCurve, we will ultimately be supporting DNSSEC also. They aren't mutually exclusive.
That answers questions in the other thread. Appreciated.

My question:
Does the DNS Client (User DNS Server, Router, etc) need to have DNSCurve support built into it, in order to take advantage of it?

Again, thanks for the update.

NV
--
In my perfect religion, a giant hole appears and sucks up all the lousy people.
I call it the Crapture.

davidu
San Francisco, CA

Re: Update from OpenDNS

said by Noah Vail:

My question:
Does the DNS Client (User DNS Server, Router, etc) need to have DNSCurve support built into it, in order to take advantage of it?
Yes and no. Our support of it is really the most important part, between us and authoritative servers. We are, however, working on extending that security all the way to the client, so down the road, there may be optional changes you can make to improve the integrity of your DNS responses between us and you.

ARGONAUT
Have a nice day.
New Albany, IN
Will this new protocol catch OpenDNS redirects now?

davidu
San Francisco, CA

Re: Update from OpenDNS

said by ARGONAUT:

Will this new protocol catch OpenDNS redirects now?
That's tangential. Just as things are today, you can disable NXDOMAIN redirection with any version of our service. Reach out to me or (better) contact support if you need assistance.

Metatron2008
United States

So is this y2k?

Or the exaflood?

Dude111
An Awesome Dude
USA

I hope everything is gonna be OK!!!

David
I start new work on
Granite City, IL

I tested this a bit last night at the house= My results

I tested the first time with DNSmasq enabled for DNS on DD-WRT. I could only test my base IP 172.16.0.1. After disabling DNSmasq for DNS I got all the IPs to test. I noticed my DNS picked up quite a bit quicker in response as well.

After I updated to the 11/11/2009 build 13064 stable, it recognized AT&T's anycast DNS of 68.94.156.1, googles 8.8.8.8 and OpenDNS's address (I keep 3 different ones on the linky).

1.) AT&T Anycast 68.94.156.1= Pass was like 3839/4096 (the .jar file I ran told me it wasn't anything to worry about if it was within 300kb of the 4096, which it was).

2.) google's 8.8.8.8= This one didn't accept anything above the 512kb

3.). OpenDNS 208.67.222.222= This one didn't accept anything greater than 512kb.

4.) 68.94.157.1= this one reported the same results as 156.1 did above.

I did confirm that AT&T's anycast 156.1 did accept them though. I also saw a post in the Uverse forum where a few people tested it also and DNSSEC did respond appropriately for them as well.

DNSguy also commented on the Uverse RG and this issue.

»May 5th DNS changes, uVerse, and you

--
If you have a topic in the direct forum please reply to it or a post of mine, I get a notification when you do this.
Koetting Ford, Granite City, illinois... YOU'RE FIRED!!
nweaver
Napa, CA

Re: I tested this a bit last night at the house= My results

The jar based test is somewhat misleading.

The problem occurs only when the resolver ADVERTISES that it wants DNSSEC replies, AND advertises a reply size larger than it can actually handle, the .jar test doesn't make this distinction.

Thus, eg, both Google Public DNS and OpenDNS don't advertise requests for DNSSEC replies and (at least when Google Public DNS does), are able to receive replies equal to the advertised reply size, so they are actually completely unaffected.

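The wire-level mechanics behind two points made on this page: the article's statement that root servers only return signed answers to queries that explicitly ask for them, and nweaver's point above that a resolver is only at risk when it both sets the DO bit and advertises an EDNS0 buffer size larger than its path can actually deliver. This is an added Python example and is not code from the article, the Register, Netalyzr, Comcast or any commenter. The OPT-record layout, DO bit and TC-bit handling follow the DNS RFCs; the middlebox that drops datagrams over 1400 bytes, the 1800-byte "signed answer", the zero-padded replies and the size-test server that pads its answer to the advertised size are constructed for the demonstration, as is the hypothetical name example.

```python
import struct

# Added example (not from the page). Minimal DNS wire-format helpers for the
# EDNS0 OPT record (advertised UDP size + DO bit) and the resolver's fallback
# when a large answer is dropped by a middlebox or comes back truncated.

OPT_TYPE = 41       # OPT pseudo-RR type (RFC 2671)
DO_FLAG = 0x8000    # DNSSEC OK bit, low 16 bits of the OPT TTL field (RFC 3225)
FLAG_TC = 0x0200    # TrunCation bit in the DNS header flags


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(buf, off):
    """Return the offset just past an uncompressed name that starts at off."""
    while buf[off] != 0:
        off += 1 + buf[off]
    return off + 1


def build_query(name, qtype=6, edns=False, do=False, bufsize=4096, txid=0x1234):
    """Build a UDP query (default SOA). edns adds an OPT RR advertising bufsize;
    do sets the DO bit in it. Without edns this is the classic 512-byte request."""
    hdr = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD=1
    pkt = hdr + encode_name(name) + struct.pack("!HH", qtype, 1)        # class IN
    if edns:
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize,
                                     DO_FLAG if do else 0, 0)
    return pkt


def query_edns(pkt):
    """Return (advertised bufsize, DO set?) for a query; (512, False) if no OPT."""
    qd, ar = struct.unpack("!H", pkt[4:6])[0], struct.unpack("!H", pkt[10:12])[0]
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4
    for _ in range(ar):
        off = skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass, bool(ttl & DO_FLAG)
        off += 10 + rdlen
    return 512, False


def classify(reply):
    """What a resolver does with a UDP reply; None stands for a timeout."""
    if reply is None:
        return "timeout: retry without EDNS0 / smaller bufsize, then TCP"
    if struct.unpack("!H", reply[2:4])[0] & FLAG_TC:
        return "truncated: retry over TCP"
    return "ok"


def probe_max_udp(send, lo=512, hi=4096):
    """Binary-search the largest advertised EDNS0 size whose reply actually arrives.
    send(pkt) returns reply bytes or None; assumes a server that pads to bufsize."""
    best = lo
    while lo <= hi:
        mid = (lo + hi) // 2
        reply = send(build_query("example.", edns=True, bufsize=mid))
        if reply is not None and len(reply) >= mid:
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best


def make_reply(query, size, tc=False):
    """Constructed reply: echo ID and question, zero-pad to size bytes."""
    flags = 0x8180 | (FLAG_TC if tc else 0)                 # QR, RD, RA (+TC)
    qend = skip_name(query, 12) + 4
    base = query[:2] + struct.pack("!5H", flags, 1, 0, 0, 0) + query[12:qend]
    return base + b"\x00" * max(0, size - len(base))


def fake_path(pkt, mtu_limit=1400, signed_size=1800, pad_to_advertised=False):
    """Constructed middlebox that drops datagrams over mtu_limit, in front of a
    server whose signed answer is signed_size bytes. Sizes are assumptions."""
    bufsize, do = query_edns(pkt)
    if pad_to_advertised:                       # size-test server mode
        reply = make_reply(pkt, bufsize)
    elif not do:                                # no DO bit: small, unsigned
        reply = make_reply(pkt, 300)
    elif bufsize >= signed_size:                # signatures fit: send them
        reply = make_reply(pkt, signed_size)
    else:                                       # too big for bufsize: TC
        reply = make_reply(pkt, 0, tc=True)
    return None if len(reply) > mtu_limit else reply


def demo():
    """Plain query, DO query over-advertising 4096, measured limit, DO at limit."""
    plain = classify(fake_path(build_query(".")))
    broken = classify(fake_path(build_query(".", edns=True, do=True, bufsize=4096)))
    limit = probe_max_udp(lambda p: fake_path(p, pad_to_advertised=True))
    safe = classify(fake_path(build_query(".", edns=True, do=True, bufsize=limit)))
    return plain, broken, limit, safe


if __name__ == "__main__":
    print(demo())
```

The four results from demo() are the cases argued over in this thread: the plain query gets a small unsigned answer and is unaffected; the DO query that advertises 4096 bytes behind a box that drops anything over 1400 bytes sees only a timeout and has to fall back; probing finds the real path limit (1400 here); and a DO query that advertises that measured limit gets a truncated answer instead of silence, which a resolver retries over TCP. Against a real server the first check is what dig +dnssec +bufsize=4096 does, and lowering the advertised size to what the path delivers is the fix nweaver describes.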
Agent Smith
New York

Really

Zomg 2012 is here ..

ctceo
South Bend, IN

Not Now

I'm already having phantom problems with the internet as it is and there are no qualified exorcists in the region either.

Hell No, I won't go.