DNSSEC May Cause Problems On May 5

← Back to Stories (view on slashdot.org)

DNSSEC May Cause Problems On May 5

Posted by kdawson on Friday April 30, 2010 @01:37AM from the packets-available-but-not-to-you dept.

An anonymous reader notes the coming milestone of May 5, at 17:00 UTC — at this time DNSSEC will be rolled out across all 13 root servers. Some Internet users, especially those inside corporations and behind smaller ISPs, may experience intermittent problems. The reason is that some older networking equipment is preconfigured to block any reply to a DNS request that exceeds 512 bytes in size. DNSSEC replies are typically four times as large. "DNSSEC is in fact already rolled out across most of the world's 13 root servers. ... But to date ... it would only have resulted in a slight lag in the loading of a web page for those with outdated network equipment. The beauty of DNS is that should a request made to one root server not receive a response, the DNS resolver on a user's machine simply makes the same request along the line of the 13 root servers until it gets a satisfactory response. But on May 5, once all 13 root servers are live with the DNSSEC signatures, responses from all 13 root servers won't make it back inside the corporate LAN on some older systems. ... The problem may take several days to surface and be inconsistent from one user's PC to the next. A user at one machine who hasn't switched on his PC for two or three days will have no access to the Internet. A user who left his machine on the night before will have some pages — and responses from DNS servers — cached on his machine, and will still have connectivity." The article links a test site you can use ahead of time to check for any problems.

33 of 132 comments (clear)

Min score:

Reason:

Sort:

Jeez, And the day after by coniferous · 2010-04-30 01:40 · Score: 3, Funny

And the day after star wars day too... We are going to have some seriously bipolar geeks by the time this is all done.
Be happy by Anonymous Coward · 2010-04-30 01:42 · Score: 2, Funny

Now you will have an excuse to replace all that crappy old networking equipment "because it does not work with the new secure internet".
1. Re:Be happy by WrongSizeGlass · 2010-04-30 01:53 · Score: 2, Funny
  
  Now you will have an excuse to replace all that crappy old networking equipment "because it does not work with the new secure internet".
  I still support 7-bit ASCII, you insensitive clod!
2. Re:Be happy by OzPeter · 2010-04-30 01:57 · Score: 2, Funny
  
  Now you will have an excuse to replace all that crappy old networking equipment "because it does not work with the new secure internet".
  I still support 7-bit ASCII, you insensitive clod!
  7 bit ASCII?!??!?! Geez .. get off my lawn .. its Baudot or nothing!!
  
  --
  I am Slashdot. Are you Slashdot as well?
3. Re:Be happy by OzPeter · 2010-04-30 02:14 · Score: 4, Funny
  
  You have Baudot?
  You lucky bastard, all I've got is ones and zeroes.
  Um .. Baudot *is* ones and zeroes.
  
  --
  I am Slashdot. Are you Slashdot as well?
4. Re:Be happy by Anonymous Coward · 2010-04-30 02:15 · Score: 2, Funny
  
  You have ones? You lucky bastard, all I've got is a zero! Yes, only one!
5. Re:Be happy by Sir_Lewk · 2010-04-30 03:29 · Score: 3, Informative
  
  To use a car analogy, what the GP did was like someone saying "I have a red convertible." Well no duh it's red, that's the only colour they make convertibles! Don't even try to say that non-red cars can be convertibles, everyone knows that all true convertibles are red. There is nothing particularly wrong with pointing out that his convertible is red though, it's just more descriptive for people 'not in the know'.
  
  --
  "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
Already, the test nameserver... by Crackez · 2010-04-30 01:50 · Score: 4, Informative

is slashdotted.
So what do I do? by OzPeter · 2010-04-30 01:51 · Score: 4, Interesting

I ran the command on the test page and the results are
>>dig +short rs.dns-oarc.net txt
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"68.87.73.244 DNS reply size limit is at least 490"
"68.87.73.244 lacks EDNS, defaults to 512"
"Tested at 2010-04-30 13:42:26 UTC"

According to the test page this seems to mean that Comcast doesn't support EDSL (at the moment). So the big question is:
What can I do - aside from praying that Comcast will get their shit together by next week?

--
I am Slashdot. Are you Slashdot as well?
1. Re:So what do I do? by Anonymous Coward · 2010-04-30 01:56 · Score: 5, Informative
  
  Read Chris Griffin's of Comcast's response in the DSLReports thread on this topic: http://www.dslreports.com/shownews/No-DNSSEC-Upgrades-Wont-Break-The-Internet-Next-Week-108154
  In short, they don't expect anything to happen on May 5. If you like, and are on Comcast, you can also join the DNSSec trial (I use it at home) by changing to the DNSSec test servers.
2. Re:So what do I do? by atomic-penguin · 2010-04-30 02:06 · Score: 3, Informative
  
  While Microsoft did included an nslookup command with Windows, it is quite basic compared to the dig utility. Go download dig for Win32.
  
  --
  /^([Ss]ame [Bb]at (time, |channel.)){2}$/
3. Re:So what do I do? by Joehonkie · 2010-04-30 02:14 · Score: 2, Informative
  
  OpenDNS fails this, too. Hopefully they will be quick on fixing it.
4. Re:So what do I do? by The+MAZZTer · 2010-04-30 02:47 · Score: 2, Informative
  
  FYI for cygwin users: dig is part of cygwin so get it from the "bind" cygwin package.
5. Re:So what do I do? by Anonymous Coward · 2010-04-30 03:37 · Score: 2, Insightful
  
  And according to DSLReports this bogus story started with The Register. Can we please get that tabloid to cover two headed babies and alien abductions instead of IT? It's some of the most irresponsible journalism I've seen since Dvorak's heyday.
6. Re:So what do I do? by Fnord666 · 2010-04-30 04:31 · Score: 3, Funny
  
  I ran the command on the test page and the results are
  
  C:\Documents and Settings\root\Desktop>dig +short rs.dns-oarc.net txt
  'dig' is not recognized as an internal or external command,
  operable program or batch file.
  
  What does that mean?
  
  --
  'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Upgrade or die by K2tech · 2010-04-30 01:52 · Score: 4, Interesting

This should force any and all companies or ISPs to upgrade (read MAINTAIN) their systems. Too many organizations install systems and them let them rot expecting them to run forever without so much as a thought or care for maintenance. This problem extends to the point that some companies have a system so long and have no documentation on it, that when there is a problem, they have NO knowledge of the system. I'm glad we are finally implementing some form of security DNS. Let this expose the any problems or issues smaller companies/ISPs have. It will force them to actually do something about it. Hopefully that in turn will make them look at other systems/processes within their organization.
Odd results? by Aladrin · 2010-04-30 02:05 · Score: 3, Interesting

At work, using my ISP's DNS, I'm getting a timeout.
At home, using Google's DNS, I'm getting a blank string back.
Those 2 aren't even covered by the linked page. Any idea what they mean?

--
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
DNS server slashdotted by fialar · 2010-04-30 02:06 · Score: 2, Informative

dig +short rs.dns-oarc.net txt now returns absolutely nothing.. on IPv4. The IPv6 one still works.
1. Re:DNS server slashdotted by marcansoft · 2010-04-30 02:38 · Score: 2, Informative
  
  The IPv6 one is dead now too. A +trace run ends here:
  
  rs.dns-oarc.net. 3600 IN NS ns00.rs.dns-oarc.net.
  ns00.rs.dns-oarc.net. 3600 IN A 149.20.58.133
  ns00.rs.dns-oarc.net. 3600 IN AAAA 2001:4f8:3:2bc:2::133 ;; Received 96 bytes from 2001:500:2e::1#53(sns-pb.isc.org) in 128 ms
  Both the v4 and v6 IP for ns00.rs.dns-oarc.net. are dead, so the whole thing just dies after that.
Re:No linux or unix.. by d1r3lnd · 2010-04-30 02:09 · Score: 2, Informative

Get dig for windows: http://members.shaw.ca/nicholas.fong/dig/
What about djbdns? by mukund · 2010-04-30 02:11 · Score: 3, Insightful

This is with a stock dnscache from djbdns-1.05:
[muks@misha ~]$ dig +short rs.dns-oarc.net txt
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"178.63.21.2 DNS reply size limit is at least 490"
"178.63.21.2 lacks EDNS, defaults to 512"
"Tested at 2010-04-30 13:41:05 UTC"
This seems to say dnscache lacks EDNS. Can anyone with more knowledge of DNS comment whether djbdns is affected?

--
Banu
1. Re:What about djbdns? by Anonymous Coward · 2010-04-30 02:33 · Score: 4, Informative
  
  djbdns does lack EDNS, which means you're already screwed if you don't want to fall back to TCP for large responses, e.g., that contain IPv6 glue. Djbdns is no longer maintained by the author and doesn't support EDNS or DNSSEC (regardless of whether Bernstein thinks it is a good idea -- larger answers and DNSSEC _are_ being deployed). It's long past time to put djbdns out of our misery. If for religious reasons you don't like BIND there is unbound (http://unbound.net/) that fully supports the DNS.
Re:Huh? by SharpFang · 2010-04-30 02:12 · Score: 4, Informative

It's not about blocking, it's about limit. DNS requests/replies are by nature very short - there's not much data to be transferred. So you can reliably believe if someone is transferring more than a kilobyte of data per packet on DNS port, they are performing some kind of DoS. You just restrict maximum packet size and everything is dandy. Then a new version of the protocol comes that has more overhead and suddenly valid requests are longer than 1K. Oops.

--
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
idiot article by Gothmolly · 2010-04-30 02:14 · Score: 2, Funny

Not everyone runs Windows^Wa DNS cache, you insensitive clod!

--
I want to delete my account but Slashdot doesn't allow it.
Things only break in some circumstances... by Anonymous Coward · 2010-04-30 02:14 · Score: 4, Informative

This story is a bit sensationalist.
DNS resolution will break if the resolving server claims to support EDNS0 AND requests DNSSEC validation but isn't able to receive large UDP responses. Servers which don't support EDNS0 will fail the tests but will still work perfectly come May 5th
Mod parent up, this is just FUD by Abcd1234 · 2010-04-30 02:23 · Score: 2, Informative

Oh, and kudos to kdawson for continuing the streak of truly shitacular articles. Well done!
Netalyzr includes tests for this... by nweaver · 2010-04-30 02:25 · Score: 5, Informative

Netalyzr also checks for this, both for the client and for the DNS resolver, and reports specifically the DNS resolver's status.
The resolver side tests include actual DNS MTU, advertised MTU, EDNS and DNSSEC requseting, whether the resolver can failover to using TCP, and other related issues.
Overall, the "512B" thing is largely a myth, a few resolvers have this problem but most don't. Rather, the big problem is lack of support for fragmented responses, which won't affect deployment from the root but will affect things when zones start getting signed.
For the end system connection, however, the "512B" or "No EDNS" is a bit more common, but still fragmentation is overall a larger issue.

--
Test your net with Netalyzr
That's okay by LordNimon · 2010-04-30 02:39 · Score: 5, Funny

We can celebrate Sync-o de Mayo!

--
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
What does DNSSEC mean for ISPs that mess wtih DNS? by jonwil · 2010-04-30 02:44 · Score: 5, Interesting

Does DNSSEC mean that an ISP with a caching DNS server that returns an IP address other than the correct IP address cant do it anymore (i.e. clients that support DNSSEC will respond with an error)?
Does DNSSEC do anything about NXDOMAIN fiddling? (are there any proposals out there that would allow users to get around ISPs that point NXDOMAIN at ad-laden ISP search pages or is using a non-ISP caching DNS server the only option here?)
Cisco PIX is affected by gazuga · 2010-04-30 03:35 · Score: 3, Informative

If you have an old PIX or old firmware (6.3(2) or older) then you will be affected. And if you do, you should just go ahead and upgrade to an ASA at this point. ;)

--
"I turn away with fright and horror from the lamentable evil of functions which do not have derivatives."
Re:Huh? by iburrell · 2010-04-30 04:37 · Score: 2, Informative

DNS uses UDP by default. If the response is too big for UDP, then it switches to TCP. The limit for UDP packets used to be 512 bytes but extensions allow the size to be much larger. Old firewalls think that 512-bytes is the limit of DNS over UDP and block any longer packets.
Simple solution ... by PPH · 2010-04-30 04:38 · Score: 3, Funny

Grab a copy of the DNS namespace and load it into /etc/hosts.

--
Have gnu, will travel.
Re:What does DNSSEC mean for ISPs that mess wtih D by phantomcircuit · 2010-04-30 07:26 · Score: 2, Interesting

DNS clients that request Authenticated Data will be able to detect that the response is not authentic. So it depends on how the DNS client handles that situation.
Possibly the ISP could fake there being no DNS servers supporting DNSSEC available and convince the client to accept the un-signed version. I suspect that turning on DNSSEC on all the root servers is specifically designed to stop this though.