DNSSEC Deadline of May 5th 2010


Dave Hodgins

Apr 14, 2010, 2:21:32 PM
to public-dns-discuss
As per http://www.theregister.co.uk/2010/04/13/dnssec/
on May 5th, the root servers will start returning signed dns
replies.

The below tests indicate that the google public dns servers will start
failing, at that time.

Will the software be updated in time?

The first test shows a bind 9.6.1 server that does support EDNS.

]# dig +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"Tested at 2010-04-14 18:16:23 UTC"
"216.240.0.1 sent EDNS buffer size 4096"
"216.240.0.1 DNS reply size limit is at least 3843"

The following tests show the google public dns servers cannot
handle larger replies ...

# dig @8.8.8.8 +short rs.dns-oarc.net txt
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"74.125.94.94 DNS reply size limit is at least 490"
"74.125.94.94 lacks EDNS, defaults to 512"
"Tested at 2010-04-14 18:16:34 UTC"

# dig @8.8.4.4 +short rs.dns-oarc.net txt
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"74.125.94.94 DNS reply size limit is at least 490"
"74.125.94.94 lacks EDNS, defaults to 512"
"Tested at 2010-04-14 18:16:34 UTC"

Regards, Dave Hodgins

Alex Nizhner

Apr 14, 2010, 3:15:23 PM
to public-dn...@googlegroups.com
> As per http://www.theregister.co.uk/2010/04/13/dnssec/
> on May 5th, the root servers will start returning signed dns
> replies.
>
> The below tests indicate that the google public dns servers will start
> failing, at that time.


The signed root zone won't break Google Public DNS.  We do support EDNS0, but don't always advertise larger buffer sizes to authorities unless necessary (e.g., try the oarc test with +dnssec).

Alex

 

Dave Hodgins

Apr 14, 2010, 3:21:50 PM
to public-dns-discuss

On Apr 14, 3:15 pm, Alex Nizhner <nizh...@google.com> wrote:
> The signed root zone won't break Google Public DNS.  We do support EDNS0,
> but don't always advertise larger buffer sizes to authorities unless
> necessary (e.g., try the oarc test with +dnssec).

Ok, thanks for the reply. Testing with +dnssec shows
# dig @8.8.8.8 +dnssec +short rs.dns-oarc.net txt
rst.x1247.rs.dns-oarc.net.
rst.x1257.x1247.rs.dns-oarc.net.
rst.x1228.x1257.x1247.rs.dns-oarc.net.
"74.125.94.94 DNS reply size limit is at least 1257"
"74.125.94.94 sent EDNS buffer size 1280"
"Tested at 2010-04-14 19:18:24 UTC"

Thanks for the info.
