[dns-operations] Announcement: Test Report on DNSSEC impact on SOHO CPE

Mark Andrews Mark_Andrews at isc.org
Tue Sep 16 01:18:06 UTC 2008

In message <1ABCF76F-5D5D-471E-9801-3D0C09A71836 at yahoo-inc.com>, Jason Fesler w
> On Sep 15, 2008, at 7:16 AM, Ray.Bellis at nominet.org.uk wrote:
> > We would like to announce the publication of a joint study entitled
> > "DNSSEC Impact on Broadband Routers and Firewalls", available for ...
> Thank you *very* much for publishing this research - Good stuff, even  
> if depressing.

	It's not really that bad.  If one is deploying DNSSEC
	today behind one of these boxes you will almost certainly
	have your own caching server and it will work as routed
	packets passed through ok.  This is the only way you get
	to specify policy.

	While there is room for improvement these boxes will not
	prevent the deployment of DNSSEC. 

Route DNS to Upstream Resolver

When LAN clients send DNS queries directly to the ISP's DNS, the
router/firewall should route them transparently to that upstream
resolver. Packets are firewalled and NAT'ed, but DNS client/server
interaction (including DNSSEC) should not be impeded.

One unit repeatedly experienced a possible memory leak when routing
our longest response, while another intercepted and proxied queries
addressed to upstream resolvers (fixed in newer firmware). These
exceptions demonstrate that transparent routing should not be taken
for granted. But as a rule, we found that router/firewalls can
generally route DNSSEC queries to upstream resolvers transparently,
without adverse impact.

The rest of our findings pertain to router/firewall DNS proxy
operation - the usage mode experienced by most residential broadband

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
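The report's "Route DNS to Upstream Resolver" finding above boils down to a handful of wire-level properties a CPE must leave alone: the EDNS0 OPT record with its DO bit and buffer size, the RRSIGs in the answer, and the TC flag. The following is an added example, not code from the report, from Nominet or from ISC; it builds a DO-flagged query, parses a reply, and maps what it finds onto the failure modes the report describes (a proxy that rebuilds the message without OPT, a reply forced down to 512 bytes and truncated). The two replies are constructed in the code, not captured traffic, and the names "www.example." and the verdict labels are the example's own; to use it against a real box, send build_query() over UDP to the upstream resolver and feed the bytes that come back to analyze_response().

```python
"""Check whether a DNS path preserves what DNSSEC needs: EDNS0/DO, RRSIGs, and no spurious TC."""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020
EDNS_DO = 0x8000  # the DO bit sits in the high 16 bits of the OPT record's TTL field


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            off, hops = ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def opt_rr(bufsize=4096, do=True):
    """OPT pseudo-RR: root owner, CLASS carries the UDP buffer size, TTL carries DO."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, EDNS_DO if do else 0, 0)


def build_query(name, qtype=TYPE_A, txid=0x1234, edns=True, do=True, bufsize=4096):
    """Recursive query; with edns=True it asks for DNSSEC data by sending OPT with DO set."""
    hdr = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if edns else 0)
    msg = hdr + encode_name(name) + struct.pack("!HH", qtype, 1)
    return msg + (opt_rr(bufsize, do) if edns else b"")


def build_response(query, rrs, tc=False, ad=True, edns=True, do=True):
    """Constructed reply to `query` carrying (type, ttl, rdata) records owned by the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    _, off = decode_name(query, 12)
    question = query[12:off + 4]                       # name + QTYPE + QCLASS
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if tc else 0) | (FLAG_AD if ad else 0)
    body = b""
    for rtype, ttl, rdata in rrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 1 if edns else 0)
    return hdr + question + body + (opt_rr(4096, do) if edns else b"")


def analyze_response(msg, expected_txid=None):
    """Extract the fields that reveal whether a middlebox rewrote the DNSSEC-relevant parts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4
    r = {"size": len(msg), "txid_ok": expected_txid in (None, txid),
         "tc": bool(flags & FLAG_TC), "ad": bool(flags & FLAG_AD), "rcode": flags & 0xF,
         "rrsigs": 0, "opt": False, "do": False, "bufsize": None}
    for _ in range(an + ns + ar):
        _, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            r["rrsigs"] += 1
        elif rtype == TYPE_OPT:
            r.update(opt=True, bufsize=rclass, do=bool(ttl & EDNS_DO))
    return r


def verdict(r):
    """Map parsed fields onto the behaviours the report distinguishes (labels are this example's own)."""
    if not r["txid_ok"]:
        return "spoofed-or-mismatched"
    if not r["opt"]:
        return "edns0-stripped"        # proxy rebuilt the message without the OPT record
    if r["tc"]:
        return "truncated"             # forces TCP fallback; only harmless if TCP/53 is also passed
    if not r["do"] or r["rrsigs"] == 0:
        return "signatures-missing"
    return "transparent"


# Constructed sample exchange (not captured traffic): one query, two possible replies.
QUERY = build_query("www.example.", txid=0xBEEF)
A_RDATA = b"\xc0\x00\x02\x01"                          # 192.0.2.1 (documentation range)
# 1. The upstream resolver's signed answer routed through untouched: A + dummy RRSIG + OPT.
GOOD = build_response(QUERY, [(TYPE_A, 300, A_RDATA), (TYPE_RRSIG, 300, b"\x00" * 96)])
# 2. The same answer after a CPE proxy rewrote it: OPT and RRSIG dropped, TC set.
PROXIED = build_response(QUERY, [(TYPE_A, 300, A_RDATA)], tc=True, ad=False, edns=False)

if __name__ == "__main__":
    for label, resp in (("good", GOOD), ("proxied", PROXIED)):
        print(label, verdict(analyze_response(resp, expected_txid=0xBEEF)))
```

Run it against a box by sending QUERY to the ISP resolver on UDP/53 both from the LAN and from the WAN side; if the LAN-side reply comes back as anything but "transparent" while the WAN-side one is clean, the router is rewriting or proxying rather than routing, which is exactly the exception the report flags. Sending a query long enough to need a 4096-byte buffer (a DNSKEY query for a signed zone) exercises the truncation case the report's "longest response" refers to.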
