Will DNSSEC kill your internet?

Earth Bound Misfit | Sun Apr-25-10 11:50 AM
Original message
Will DNSSEC kill your internet?
Edited on Sun Apr-25-10 11:51 AM by Earth Bound Misfit
5 May will sort the men from the boys
By Kevin Murphy


http://www.theregister.co.uk/2010/04/13/dnssec/

Internet users face the risk of losing their internet connections on 5 May when the domain name system switches over to a new, more secure protocol.

While the vast majority of users are expected to endure the transition to DNSSEC smoothly, users behind badly designed or poorly configured firewalls, or those subscribing to dodgy ISPs could find themselves effectively disconnected.

DNSSEC adds digital signatures to normal DNS queries, substantially reducing the risk of falling victim to man-in-the-middle attacks such as the Kaminsky exploit, which caused widespread panic in July 2008.

The standard is currently being rolled out cautiously to the internet's DNS root servers. In May, when all 13 roots are signed, anybody with an incompatible firewall or ISP will know about it, because they won't be able to find websites or send email.

Why? Here comes the science bit. Normal DNS traffic uses the UDP protocol, which is faster and less resource-hungry than TCP. Normal DNS UDP packets are also quite small, under 512 bytes.

Because of this, some pieces of network gear are configured out of the box to reject any UDP packet over 512 bytes on the basis that it's probably broken or malicious. Signed DNSSEC packets are quite a lot bigger than 512 bytes, and from 5 May all the DNS root servers will respond with signed DNSSEC answers.

snip

You can test whether your current DNS resolver is capable of handling DNSSEC, by following the instructions at DNS-OARC or running a Java app that can be downloaded from RIPE: http://labs.ripe.net/content/testing-your-resolver-dns-reply-size-issues.

Home users using residential hubs should not panic if these tests return scary results. According to Mitchell, it currently only matters that the ISP supports DNSSEC. A dodgy Netgear box is not enough to kill your internet... cross fingers.


struggle4progress | Sun Apr-25-10 02:37 PM
Response to Original message
1. Thanks for the heads-up. I get inconsistent results from the test.
In one configuration, "lacks EDNS, defaults to 512" alternates with messages like "sent EDNS buffer size 4096".

In another configuration, I wonder if OpenDNS may not support EDNS.
Earth Bound Misfit | Mon Apr-26-10 12:13 PM
Response to Reply #1
2. UR welcome.
Here's a useful link: http://www.dnssec.net/software
ohheckyeah | Tue Apr-27-10 12:23 AM
Response to Original message
3. What if your resolver does not have DNSSEC enabled?
Edited on Tue Apr-27-10 12:39 AM by ohheckyeah
I ran the test and it says DNSSEC is not enabled.

ohheckyeah | Tue Apr-27-10 01:03 AM
Response to Original message
4. I found this:
Yes, we have seen that article - several other Simple DNS Plus users have asked about this.

Unfortunately the article is somewhat misleading.
There is NO threat to any users of older DNS servers, nor to users of DNS servers that do not have DNSSEC resolving configured and turned on.

The article claims that 'the domain name system switches over to a new, more secure protocol' (referring to DNSSEC).
DNSSEC is NOT a new protocol - it is just an extension to the existing DNS protocol.
There is no 'switch' - just a new feature being enabled - which is fully backwards compatible.

Yes, the Internet DNS root servers are now implementing DNSSEC hosting (returning signed DNS records).
But this has NO effect on clients and DNS servers unless DNSSEC is also enabled locally.
If your DNS servers don't specifically request DNSSEC signature records (by setting a 'DNSSEC OK' flag in the request), then DNSSEC data will not be returned.
In fact, unless DNSSEC signatures are specifically requested, data packets from the root server will look exactly as they always have.

The problem that this article refers to is that some older firewalls will drop DNS UDP packets larger than 512 bytes.
This is an old problem related to 'EDNS0' which is often seen for example on Cisco PIX routers/firewalls.

DNSSEC does use 'EDNS0' and DNS packets with DNSSEC do tend to be large and often +512 bytes.
But again, unless your DNS server supports DNSSEC resolving and has this configured and turned on, the root servers will NOT return DNSSEC data, and therefore return packets will NOT be larger than before.

The only situation in which this may potentially cause problems is if you have a DNS server which supports DNSSEC resolving and this is configured and turned on.
But then, if you have a firewall with this problem, you would likely have encountered a lot of DNS resolving problems already since many DNS servers out there already implement DNSSEC hosting (has been in Simple DNS Plus v. 5.2 since April 2009).

Sincerely,
Jesper
JH Software

http://forum.simpledns.com/default.aspx?g=posts&m=1091
Earth Bound Misfit | Tue Apr-27-10 07:14 AM
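Jesper's point above (the roots only hand back DNSSEC data when the query's EDNS0 OPT record sets the DO bit, and only then can the reply grow past 512 bytes) and the article's EDNS0/512-byte explanation can both be checked with a small probe. The following is an added example, not code from this thread, The Register, or JH Software: it builds a raw DNS query with an OPT record and the DO bit, sends it to a resolver you name, and reports the reply size, the TC (truncated) bit and the OPT record the resolver sent back. The resolver address, query name and buffer size are assumed parameters; the standard library is all it needs.

```python
import socket
import struct

OPT_TYPE = 41     # EDNS0 pseudo-RR type
DO_FLAG = 0x8000  # "DNSSEC OK" bit in the OPT record's extended flags

def encode_name(name):  # domain name -> length-prefixed DNS labels
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234, bufsize=4096, do=True):
    """Recursive query plus one OPT RR advertising `bufsize` and (optionally) DO."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, bufsize, 0, 0, DO_FLAG if do else 0, 0)
    return header + question + opt

def skip_name(msg, pos):  # offset just past a name, handling compression pointers
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer always ends the name
            return pos + 2
        pos += 1 + length

def parse_reply(msg):
    """Summarise a reply: size, TC (truncated) bit, rcode, answers, server's OPT record."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"size": len(msg), "truncated": bool(flags & 0x0200), "rcode": flags & 0xF,
            "answers": an, "edns_bufsize": None, "do": False}
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == OPT_TYPE:  # no OPT RR at all means the resolver ignores EDNS0
            info["edns_bufsize"], info["do"] = rclass, bool(ttl & DO_FLAG)
        pos += 10 + rdlen
    return info

def probe(resolver, name="example.com", bufsize=4096, do=True, timeout=3.0):
    """Send the query over UDP to `resolver` (an IP string) and parse the answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, bufsize=bufsize, do=do), (resolver, 53))
        data, _ = s.recvfrom(65535)
    return parse_reply(data)
```

A reply with no OPT record means the resolver ignores EDNS0 (the "lacks EDNS, defaults to 512" case in reply #1); a timeout on a large DO=1 reply that succeeds again with bufsize=512 points at something in the path dropping UDP packets over 512 bytes.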
Response to Reply #4
5. Good info, link TYVM!
:)
ohheckyeah | Tue Apr-27-10 11:52 AM
Response to Reply #5
6. You're welcome.
I was freaking out a bit. I wouldn't be a happy camper if I lost my Internet connection.