[plug] DNS root servers are switching to DNSSEC on the 5th May

Adrian Woodley Adrian at ScreamingRoot.org
Sun May 9 21:01:22 WST 2010


G'day Bill, PLUG,

From memory iiNet are using Nominum Caching Name Servers. The dns-oarc
page has a section on Nominum CNS:

...
Nominum's CNS resolver is designed to utilize EDNS only after first 
receiving a truncated response. To use this test with a CNS resolver, 
issue the following query:

    $ dig tcf.rs.dns-oarc.net txt
       

The special name "tcf" instructs the server to set the TC bit in 
responses if the query doesn't have an EDNS pseudo-record. This should 
cause CNS to re-query with EDNS.
...

Testing using this request shows that iiNet's DNS passes:

a@Death:~$ dig tcf.rs.dns-oarc.net txt @203.0.178.191

; <<>> DiG 9.7.0-P1 <<>> tcf.rs.dns-oarc.net txt @203.0.178.191
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7484
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;tcf.rs.dns-oarc.net.        IN    TXT

;; ANSWER SECTION:
tcf.rs.dns-oarc.net.    60    IN    CNAME    tcf.x3831.rs.dns-oarc.net.
tcf.x3831.rs.dns-oarc.net. 59    IN    CNAME    tcf.x3837.x3831.rs.dns-oarc.net.
tcf.x3837.x3831.rs.dns-oarc.net. 58 IN    CNAME    tcf.x3843.x3837.x3831.rs.dns-oarc.net.
tcf.x3843.x3837.x3831.rs.dns-oarc.net. 57 IN TXT "203.55.230.105 DNS reply size limit is at least 3843"
tcf.x3843.x3837.x3831.rs.dns-oarc.net. 57 IN TXT "Tested at 2010-05-03 00:52:03 UTC"

;; Query time: 2648 msec
;; SERVER: 203.0.178.191#53(203.0.178.191)
;; WHEN: Mon May  3 08:52:03 2010
;; MSG SIZE  rcvd: 220

Looks like you can put your tinfoil helmet away for now.

Adrian

On 01/05/10 17:32, William Kenworthy wrote:
> Here is an interesting fact ... the DNS root servers are switching to
> (fully, some are already using it) DNSSEC on the 5th May.  The Slashdot
> article
> (http://tech.slashdot.org/firehose.pl?op=view&type=story&sid=10/04/30/1258234) says some businesses with out of date hardware might be affected and gives a test site (https://www.dns-oarc.net/oarc/services/replysizetest)
>
> A host at work was fine, but iinet from home failed for me - the
> operating system/local DNS/firewalls on my side are pretty much the same
> for both tests, just location and upstream differ.
>
> Slashdot is predicting the sky is falling as well as no it's not,
> everything will be fine as usual! - I don't know enough to say one way or
> the other.
>
> I await the 5th of May with my tinfoil helmet at the ready :)
> BillK
>
>    
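
The truncate-then-retry behaviour described in the message above, as an added example that is not part of the original email or of any vendor's code: it builds the plain and EDNS queries in wire format and models the "tcf" name's TC-bit rule offline. The function names and the 4096-byte buffer size are assumptions made for illustration.

```python
import struct

TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, edns_size=None, qid=0x1D3C):
    """Wire-format TXT query; edns_size appends an OPT pseudo-record (RFC 6891)."""
    header = struct.pack("!6H", qid, FLAG_RD, 1, 0, 0, 1 if edns_size else 0)
    msg = header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    if edns_size:
        # OPT RR: root owner name, TYPE 41, CLASS carries the UDP payload size,
        # TTL carries extended RCODE/version/flags (all zero here), empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0)
    return msg

def skip_name(msg, off):
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def advertised_udp_size(query):
    """Payload size from the query's OPT record, or None when EDNS is absent."""
    qd, an, ns, ar = struct.unpack("!4H", query[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return None

def tcf_response_flags(query):
    """Constructed model of the "tcf" name: TC is set when the query has no OPT."""
    flags = FLAG_QR | (struct.unpack("!H", query[2:4])[0] & FLAG_RD)
    return flags | FLAG_TC if advertised_udp_size(query) is None else flags

def resolve_like_cns(name, edns_size=4096):  # 4096 is an assumed buffer size
    """Plain query first; EDNS is used only after a truncated response."""
    attempts, query = ["plain"], build_query(name)
    if tcf_response_flags(query) & FLAG_TC:
        attempts.append("edns")
        query = build_query(name, edns_size)
    return attempts, bool(tcf_response_flags(query) & FLAG_TC)
```
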
