DNSSEC unlikely to break Internet on May 5

DNSSEC is being applied to the last of the Internet's root servers on May 5. Are your DNS servers, routers, and firewalls ready for the switch?

If you haven't done so already, May 5 will be a good day to make sure your network is ready for DNSSEC. On May 5, the last of the Internet's 13 root servers will transition to DNSSEC (Domain Name System Security Extensions). While the transition won't bring Internet traffic to a screeching halt, it could pose a problem for network administrators and users working with older DNS servers, routers, firewalls, and modems.

What is DNSSEC?

In his 2008 TechRepublic article, "You don't have to wait to deploy DNSSEC," Tom Olzak explained the rationale behind DNSSEC, how it works, and the challenges it faces. He wrote:

DNSSEC (Domain Name System Security Extensions) is a suite of specifications which implement record signing to ensure the integrity of certain types of transactions. It uses both asymmetric and symmetric cryptography for RR (Resource Record) or zone transfer transactions, respectively. To ensure the authenticity of information received by a resolver. ... Securing DNS with DNSSEC begins with establishing a chain of trust. Resolvers use 'anchor keys' to verify parent domains, beginning with the trust anchor.
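To make the "chain of trust" Olzak describes concrete, here is an added Python example (mine, not Olzak's and not TechRepublic's) of the one link a validating resolver checks at every delegation: the DS record the parent zone publishes must match the DNSKEY the child zone serves, which is how trust flows down from the anchor key at the root. The key bytes and the owner name example.com are constructed placeholders, not real key material; the digest and key-tag rules follow RFC 4034.

```python
"""
One link of the DNSSEC chain of trust: does the DS record in the parent
zone match the DNSKEY served by the child?  (RFC 4034 section 5.1.4 and
Appendix B; standard library only.)
"""
import hashlib
import hmac
import struct

SHA256_DIGEST_TYPE = 2   # DS digest type 2 = SHA-256 (RFC 4509)


def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase labels, length-prefixed, root terminator."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA = flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes) -> dict:
    """What the parent publishes: key tag, algorithm, digest type, SHA-256 over owner|DNSKEY RDATA."""
    digest = hashlib.sha256(canonical_wire_name(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": SHA256_DIGEST_TYPE, "digest": digest}


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """Resolver-side check: recompute the digest from the child's DNSKEY and compare to the parent's DS."""
    if ds["digest_type"] != SHA256_DIGEST_TYPE or ds["algorithm"] != rdata[3]:
        return False
    if ds["key_tag"] != key_tag(rdata):
        return False
    expected = hashlib.sha256(canonical_wire_name(owner) + rdata).digest()
    # constant-time compare: the digest is the only thing binding parent to child here
    return hmac.compare_digest(expected, bytes.fromhex(ds["digest"]))


# Constructed sample (not a real key): a KSK (flags 257), protocol 3, algorithm 8 (RSA/SHA-256)
SAMPLE_OWNER = "example.com."
SAMPLE_KEY = dnskey_rdata(257, 3, 8, bytes(range(1, 33)))


def demo() -> dict:
    """Publish a DS for the sample key, then verify it against the genuine and a tampered DNSKEY."""
    ds = make_ds(SAMPLE_OWNER, SAMPLE_KEY)
    tampered = dnskey_rdata(257, 3, 8, bytes(range(2, 34)))
    return {"genuine_key_validates": ds_matches_dnskey(ds, SAMPLE_OWNER, SAMPLE_KEY),
            "tampered_key_validates": ds_matches_dnskey(ds, SAMPLE_OWNER, tampered),
            "wrong_owner_validates": ds_matches_dnskey(ds, "example.org.", SAMPLE_KEY)}


if __name__ == "__main__":
    print(demo())
```

The same comparison is repeated at every label from the root down: the root's DNSKEY is the configured trust anchor, its DS for the TLD vouches for the TLD's DNSKEY, and so on to the zone being queried. A mismatch at any link means the signatures below it cannot be trusted.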

Of the challenges Olzak mentions, one is of particular importance to those supporting or working on older network equipment. According to Olzak,

DNSSEC will increase DNS traffic with more requests and larger responses. Domains with high volume traffic should prepare for increased bandwidth needs.

DNSSEC could slow/stop Internet traffic for some

It is the "larger responses" that some have said could cause problems on May 5. Mark Newton, a network engineer for Australian ISP Internode, described the issue in a post on the company's blog:

Until relatively recently, DNS responses have usually been limited to 512 bytes, and have mostly been carried by an Internet protocol called "UDP". So various bits of infrastructure such as firewalls and home ADSL routers have been designed on the assumption that all DNS responses are 512 bytes or less, transported by UDP. The problem, of course, is that the digital signatures required by DNSSEC tend to push the size of DNS responses past the 512 byte point.

This shouldn't present a huge challenge, because the DNS protocol has a mechanism for transporting larger responses by sending them over TCP instead of UDP. But the mechanism has been so rarely needed that many vendors haven't implemented it. Indeed, large DNS responses have been so rare that some firewall vendors and some companies' security managers have actively blocked them on the assumption that the only possible reason they'd exist would be as part of an attack!

As Newton puts it, "there's a reasonable expectation that people who aren't correctly processing large DNS responses will suffer connectivity problems to random bits of the Internet."

What should you do?

In a May 4 article, iTnews.com.au provided tips from several experts on making sure your network and end users are ready for DNSSEC.

  1. If you haven't done so already, make sure your DNS servers, routers, and firewalls can handle DNS packets larger than 512 bytes. Upgrade software and firmware if necessary.
  2. Configure your firewall to allow DNS over TCP/53 and make sure "fragmented DNS responses over UDP or TCP aren't blocked."
  3. If you support users' home equipment, make sure it is also compatible with DNSSEC, especially if the device has a built-in DNS server. Install new firmware if necessary.
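Newton's description of the 512-byte/UDP assumption and the three steps above come down to two mechanics: a resolver advertises a larger UDP buffer with an EDNS0 OPT record, and when the answer still does not fit, the server sets the TC (truncated) bit and the resolver must retry over TCP/53, which is why step 2 matters. This added Python example, which is not from the article or from any of the sources it quotes, builds such a query, reads the TC bit out of a response header, and frames the retry for TCP; the 4096-byte buffer size, the transaction ID and the sample responses are constructed values, and the one live helper in it is only for running against your own resolver.

```python
"""
Why DNSSEC-sized answers need EDNS0 and a TCP fallback: build a DNS query
that advertises a UDP buffer larger than the classic 512 bytes, inspect a
response header for the TC bit, and frame the retry for TCP/53.
Standard library only; the sample responses are constructed, not captured.
"""
import socket
import struct

DNS_CLASSIC_MAX = 512        # pre-EDNS0 UDP payload ceiling (RFC 1035)
EDNS_BUFSIZE = 4096          # UDP payload size advertised in the OPT record (assumed value)
DO_FLAG = 0x00008000         # "DNSSEC OK" bit in the OPT record's TTL field (RFC 4035)
TYPE_OPT = 41
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txn_id: int = 0x1234, edns: bool = True) -> bytes:
    """Standard query; with edns=True an OPT pseudo-RR is appended to the additional section."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txn_id, FLAG_RD, 1, 0, 0, arcount)
    pkt = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns:
        # OPT: root owner name, TYPE=41, CLASS=requested UDP payload size, TTL=flags (DO set), RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_BUFSIZE, DO_FLAG, 0)
    return pkt


def parse_header(pkt: bytes) -> dict:
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txn_id, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (a compression pointer is two bytes)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def advertised_udp_size(query: bytes) -> int:
    """UDP payload size a query advertises; 512 when it carries no OPT record (RFC 6891 default)."""
    hdr = parse_header(query)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(query, off) + 4
    for _ in range(hdr["arcount"]):   # a query has no answer/authority RRs, so OPT follows the question
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return DNS_CLASSIC_MAX


def needs_tcp_retry(response: bytes) -> bool:
    """TC=1 means the answer did not fit the UDP size the server was allowed: retry over TCP/53."""
    return parse_header(response)["tc"]


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def constructed_response(query: bytes, truncated: bool) -> bytes:
    """Minimal offline server reply: echoes the question, sets QR/RA (and TC when asked), no RRs."""
    txn_id = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    question = query[12:skip_name(query, 12) + 4]
    return struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0) + question


def udp_exchange(server: str, query: bytes, timeout: float = 2.0) -> bytes:
    """Live helper (needs network): send the query to a resolver over UDP and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recv(EDNS_BUFSIZE)


def check_resolver_offline() -> dict:
    """Walk the decision with constructed replies; the same calls apply to a reply from udp_exchange."""
    q = build_query("example.com.")
    small = constructed_response(q, truncated=False)
    big = constructed_response(q, truncated=True)
    return {"advertised": advertised_udp_size(q),
            "classic_limit": DNS_CLASSIC_MAX,
            "small_answer_needs_tcp": needs_tcp_retry(small),
            "big_answer_needs_tcp": needs_tcp_retry(big),
            "tcp_query_len": len(tcp_frame(q))}


if __name__ == "__main__":
    print(check_resolver_offline())
```

A firewall or home router that drops UDP datagrams over 512 bytes, drops IP fragments, or blocks TCP/53 breaks one of these three paths, and the symptom is exactly what Newton predicts: lookups for signed zones time out while everything else keeps working.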

No one seems to be predicting that the May 5 DNSSEC changes will cause a significant Internet disruption, but it never hurts to make sure your network and your users are prepared. If you're not sure, you can use the instructions at DNS-OARC to test if your current DNS resolver can handle DNSSEC.

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

25 comments
oldpaul99

"RCP/53" should be changed to "TCP/53"

Bill Detwiler

Doh! Thanks for catching and alerting me to that typo. It should indeed be TCP/53, not RCP/53. My finger slipped one key to the left. It's fixed now.

pgit

Seriously, great article. I had read the Olzak article when it came out but completely fuzzed on the date. To my understanding my ISP does strip headers before sending them along the local segment(s). Now there's a local make work program for ya, any hijacking or spoofing going on now is going to have to be a homespun industry. Wonder if the local chilluns tagging the underpasses with "Linux" and "hack the kernel" know the market is all theirs now...

wprice

Good article. I'll be watching how well things work next week when cached data starts to refresh.

taylorstan

How badly will this affect home users? I'm assuming the majority of this will be handled at the core and edge levels of the ISP's network, because there is no way I see them being able to upgrade all the different brands and versions of routers they send out to customers. So basically it will be up to the ISPs to provide for the increased bandwidth to their DNS servers....looks like another price increase on the internet bill.

Bill Detwiler

I think most ISPs have prepared for the May 5th transition and home users shouldn't suffer widespread outages. There is always a chance, however, that home users with older equipment could lose their Internet connection. Particularly if they have ADSL modems that are configured to use an internal DNS proxy instead of the ISP's DNS servers. In these cases, home users will need to disable the modem's internal DNS server, upgrade the device's firmware, or perhaps in rare cases, get a new modem. I think the last option will be very rare.

shido641

Read the article and was thinking this while I was reading. Doesn't seem to me that home users would have been affected as you said because their ISPs would have or should have dealt with the switch to DNSSEC. Anyways like you said home users would have been affected had they been using personal DNSs instead of the ISP's but anyways things should be smooth sailing from here on.

kevaburg

strip the DNSSEC header off the packet before it reaches the home user? That way no unnecessary upgrades will be required and the packet will stay at around the 512MB mark. Or reduce the payload in the packet so that although less data is sent with each packet, it remains compatible with consumer equipment. It seems a little off to me that consumers must upgrade equipment to account for the new changes.

kferraro

was anyone else totally confused and irritated by the autoplay MS Office 2010 ads on the margin? Come on TR (and MS) let's draw the line on something that is so intrusive that it detracts from the content. (Sorry Bill, good article as usual and you don't control the advertising around your article placement)

Lazarus439

I hope TR is getting a lot of money for these @#!#$% ads, because they will drive some folks away and annoy most of those who hang around. Not sure which category I'm in - probably the latter - but annoyed "customers" are rarely "happy" customers!

NickNielsen

But I got tired of that crap years ago and took matters into my own hands; I'm using Firefox with NoScript and AdBlock. I recommend the same to all my customers. If you have to use IE, I understand IE7Pro will allow you to block this kind of ad. http://www.ie7pro.com/

Joshua1

Hopefully they've stopped invading visitors' speakers w/o permission. Love the site, been coming here for years, I just don't like my speakers to jump to life at unexpected intervals. Anyway, I've been visiting for years and I like the site. So to TR - if you've turned it off already: Thank you!

erik.langeland

I use AdBlock in Firefox and IEPro in IE to block all Flash ads. You can also get Flash blocking extensions for Firefox.

seanferd

AdBlock Plus, NoScript, Flashblock... I don't mind allowing display of ads to support a site - I'll even click through occasionally. But some are simply so annoying that they must go.

Bill Detwiler

I'll definitely pass your annoyance along to our customer service and ad department. Honestly, I don't mind the autoplay margin ads so long as they don't have sound. As other members have pointed out, there's always FF and AdBlock or NoScript.

Lazarus439

Not you, the marketing ID-Ten-T's. I don't think anyone has complained about the video portion of the; all the complaints have been about the audio track that just blurts out.

Joshua1

I've been coming here for 11 years so w/ all the due respect and support from someone who likes the TR site, I hope they'll stay off my sound card. Just b/c you can, doesn't mean you should. As for the customers need to install new software or browsers to make the site more bearable......it's easier just to go another tech site. Bill, thank you for passing our input to CS/Marketing. Thanks for always replying to the comments, it's part of what makes TR great. - Joshua

mattohare

I know they pay the bills when sites don't charge me. Some are actually useful. I do sometimes wish sites' owners/executives would sit through some of them though.

TexasJetter

Second that - autoplay ads have to go! What's worse is that there are two MS ads playing AT THE SAME TIME!

bobdavis321

What, are you still living in the stone age? STILL using Internet Exploiter when there are better alternatives?

BubbaGlock

I see an ad off to the right but it ain't movin' or singin' one BIT..... < no pun intended!

Joshua1

What are you doing??? I can't believe you're allowing autoplay ads with sound to run on your site. Who wants to hunt across tabs to figure where it is, then hunt through the page to turn it off? Dumb idea.

SgtPappy

talking about and what does it have to do with DNSSEC? Go complain about MS to MS.

mattohare

It was a flash movie, played over and over. It was meant to call attention to stroke prevention, I think. But it was painful. Every 30 seconds for several minutes at a time, and no way to get rid of it.