[news release] From May 2010, all the root servers on which the working of the domain name system depends will be giving DNS responses signed using the DNSSEC protocol.
This evolution aims to increase confidence in DNS responses (by authenticating their origin); administrators of networks connected to the Internet should be aware that it could cause some service disruptions. The changes in the root server configuration could lead to a risk of DNS disconnection, and therefore to disruption of Internet service, in certain cases.
AFNIC’s advice
1. Check whether your network and your DNS service could be affected by this potential malfunction. On a machine where the dig software is installed, run:
dig +short rs.dns-oarc.net txt
2. Check that the response indicates more than 1500 bytes. For instance:
"203.0.113.1 DNS reply size limit is at least 4023 bytes"
3. If the tests indicate that packets larger than 1500 bytes cannot get through, analyze the whole network and the intermediate equipment (firewalls), then make sure that everything is properly configured.
4. Alternatively, if you do not have a simple DNS client like dig: This tool, developed by the RIPE-NCC, requires Java.
5. End users (company, university or domestic ISP subscriber) should check with their ISP.
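Steps 1 and 2 can be scripted for repeated or automated checking. The following is an added example, not part of the AFNIC release, which parses the TXT answer of rs.dns-oarc.net assuming the line format quoted in step 2 ("<ip> DNS reply size limit is at least <n> bytes", with the trailing word treated as optional) and classifies the result against the 512-byte and 1500-byte thresholds discussed below.

```shell
#!/bin/sh
# Added example (not from the AFNIC release): automate the dig reply-size check.
# Assumes the TXT line format shown in step 2 of the advice; the word "bytes"
# at the end of the line is treated as optional.

# Print the advertised reply size in bytes from "dig +short" output, or nothing
# if no "reply size limit" line is present.
reply_size_from_txt() {
    printf '%s\n' "$1" |
        sed -n 's/.*DNS reply size limit is at least \([0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Classify a reply size in bytes:
#   ok           - replies larger than the 1500-byte Ethernet MTU get through
#   mtu-limited  - EDNS0 works, but packets above the MTU are dropped
#   edns-limited - only classic 512-byte replies get through
#   unknown      - no size could be extracted (no answer, or other format)
classify_reply_size() {
    if [ -z "$1" ]; then
        echo unknown
    elif [ "$1" -gt 1500 ]; then
        echo ok
    elif [ "$1" -gt 512 ]; then
        echo mtu-limited
    else
        echo edns-limited
    fi
}

# Live check: run the real query and print the verdict (needs network and dig).
check_live() {
    out=$(dig +short rs.dns-oarc.net txt 2>/dev/null) || out=""
    classify_reply_size "$(reply_size_from_txt "$out")"
}

# Only query the network when explicitly asked, e.g. ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run with --live from a resolver or a host on the network under test; any verdict other than "ok" means step 3 applies.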
Technical background
The DNS root is signed with the DNSSEC technology. In 2010, the root servers will start giving signed responses. From next May, the 13 root DNS servers will send the DNSSEC information. This includes cryptographic signatures, about five to ten times the size of standard DNS responses. These responses will exceed the previous 512-byte DNS limit, and sometimes even the 1500 bytes of the Ethernet MTU (“Maximum Transmission Unit”), the most widely used on the Internet.
In fact, RFC 2671, which extended the 512-byte limit, was published in August 1999 and is more than ten years old. Yet some firewalls or other network equipment, badly designed or not properly configured, still reject DNS responses longer than 512 bytes.
Among the equipment that accepts longer responses, some does not correctly handle IP packet fragmentation (for instance because it blocks all ICMP packets) and therefore cannot receive DNS packets larger than the MTU (generally 1500 bytes).
Networks which reject DNS packets larger than 512 bytes, or even those which only reject packets longer than 1500 bytes, will no longer be able to “communicate” with the DNS root after May 2010 (indeed, they will no longer get any response) and will therefore be practically unable to access the Internet.
Glossary:
DNS: en.wikipedia.org/wiki/Domain_Name_System
DNSSEC: en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
ICMP: en.wikipedia.org/wiki/Internet_Control_Message_Protocol
MTU: en.wikipedia.org/wiki/Maximum_Transmission_Unit
ROOT: the set of servers spread around the world upon which the domain name system relies. These servers have a key role in dispatching requests to the right name servers of the relevant TLD (Top-Level Domain), such as .fr or .com.
Some useful links:
- The root signing plan announcement
- The official website for the signing project, with the roll-out timetable
- Instructions for a root server
- Can your DNS server accept any size packet (in French)?
- A French language mailing list about the DNS, where you can get support from peers

About AFNIC
(Association Française pour le Nommage Internet en Coopération)
AFNIC is a non-profit organization in charge of the administrative and technical management of the .fr (France) and .re (Reunion Island) Internet domain names.
AFNIC brings together public and private members: representatives from the French government, Internet users and Internet Service Providers (Registrars).
For further information, see www.afnic.fr/afnic/presentation
This AFNIC news release was sourced from:
www.afnic.fr/actu/nouvelles/240/afnic-invites-network-managers-to-prepare-for-the-signing-of-the-dns-root-in-may-2010