[dns-operations] Announcement: Test Report on DNSSEC impact on SOHO CPE
Mark Andrews
Mark_Andrews at isc.org
Tue Sep 16 01:18:06 UTC 2008
In message <1ABCF76F-5D5D-471E-9801-3D0C09A71836 at yahoo-inc.com>, Jason Fesler writes:
> On Sep 15, 2008, at 7:16 AM, Ray.Bellis at nominet.org.uk wrote:
> > We would like to announce the publication of a joint study entitled
> > "DNSSEC Impact on Broadband Routers and Firewalls", available for ...
>
> Thank you *very* much for publishing this research - Good stuff, even
> if depressing.
It's really not that bad. If one is deploying DNSSEC
today behind one of these boxes, you will almost certainly
have your own caching server, and it will work, as routed
packets passed through OK. This is the only way you get
to specify policy.
While there is room for improvement these boxes will not
prevent the deployment of DNSSEC.
Route DNS to Upstream Resolver
When LAN clients send DNS queries directly to the ISP's DNS, the
router/firewall should route them transparently to that upstream
resolver. Packets are firewalled and NAT'ed, but DNS client/server
interaction (including DNSSEC) should not be impeded.
One unit repeatedly experienced a possible memory leak when routing
our longest response, while another intercepted and proxied queries
addressed to upstream resolvers (fixed in newer firmware). These
exceptions demonstrate that transparent routing should not be taken
for granted. But as a rule, we found that router/firewalls can
generally route DNSSEC queries to upstream resolvers transparently,
without adverse impact.
The rest of our findings pertain to router/firewall DNS proxy
operation - the usage mode experienced by most residential broadband
consumers.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
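The transparent-routing case the quoted report describes (a validator behind the CPE sends an EDNS0 query with the DO bit set to the upstream resolver and expects the signed answer back intact) as an added Python example; this is not code from the report, ISC or this thread. The sample reply is constructed with placeholder RRSIG data, and the function names are this example's own.

```python
import secrets
import struct

def encode_name(name):
    """Wire-format a domain name without compression."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def opt_rr(udp_size=4096, do_bit=True):
    """EDNS0 OPT RR: root name, TYPE 41, CLASS = UDP size, DO = bit 15 of the TTL field."""
    return b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000 if do_bit else 0, 0)

def build_dnssec_query(name, qtype=1):
    """The probe a validating resolver sends: RD=1, one question, OPT with DO set."""
    header = struct.pack("!HHHHHH", secrets.randbits(16), 0x0100, 1, 0, 0, 1)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + opt_rr()

def skip_name(msg, off):
    while True:                     # returns the offset just past the name
        ln = msg[off]
        if ln & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        if ln == 0:
            return off + 1
        off += 1 + ln

def inspect_response(msg):
    """Report what the path (CPE included) left of the reply's DNSSEC material."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, rrsigs, edns = 12, 0, False
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            rrsigs += rtype == 46 and section == "an"   # RRSIG in the answer
            edns |= rtype == 41                         # OPT survived the path
    return {"truncated": bool(flags & 0x0200), "ad": bool(flags & 0x0020),
            "rcode": flags & 0x000F, "rrsig_in_answer": rrsigs, "edns": edns}

def constructed_sample_reply():
    """Constructed offline sample: example.com A + RRSIG (placeholder RDATA), AD set, OPT."""
    header = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1)    # QR RD RA AD
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    sig = struct.pack("!HBBIIIH", 1, 13, 2, 300, 0, 0, 0) + encode_name("example.com") + b"\x00" * 8
    rrsig_rr = b"\xc0\x0c" + struct.pack("!HHIH", 46, 1, 300, len(sig)) + sig
    return header + question + a_rr + rrsig_rr + opt_rr()
```

On a live path, send the bytes from build_dnssec_query over UDP to the upstream resolver and feed the datagram you get back to inspect_response; a missing OPT record, a set TC bit on a response the resolver would normally fit in UDP, or no RRSIG in the answer points at the box in between rather than at the zone.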