[dns-operations] No public calendar for the root signing deployment

Stephane Bortzmeyer bortzmeyer at nic.fr
Thu Dec 10 16:07:23 UTC 2009


On Thu, Dec 10, 2009 at 03:08:11PM +0000,
 Dobbins, Roland <rdobbins at arbor.net> wrote 
 a message of 21 lines which said:

> my guess is that the majority of boxes with this problem are likely
> to be old, forgotten, and essentially orphaned, 

A majority of the boxes, yes, but maybe not a majority of the human
users behind them. I've personally met several big firewalls, managed
by full-time people, with a limit of 512 bytes for the DNS (not in the
code, but in the configuration, so asking for a software upgrade is
useless).

These people may be receptive to well-crafted advice.

One reason why it is so is because a lot of the security advice,
templates, HOWTOs, that you can find by browsing the Web still today
tell you to limit to 512 bytes. Typical example:

http://www.cisco.com/web/about/security/intelligence/dns-bcp.html

DNS message size limitations [...] This function is enabled by default
with a limit of 512 bytes.
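
A way for a firewall operator to check whether a path still enforces the 512-byte limit discussed in this message, as an added example that is not part of the original post. It assumes a query for the root DNSKEY set (type 48) returns more than 512 bytes; the function names and the sample replies are constructed for illustration.

```python
import socket
import struct
import sys

def build_query(name, qtype, edns_size=4096, do=True, txid=0x1234):
    """DNS query carrying an EDNS0 OPT record (RFC 6891) that advertises edns_size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = [l for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL holds the DO bit, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0x8000 if do else 0, 0)
    return header + question + opt

def classify(reply, legacy_limit=512):
    """Interpret what came back for a query whose answer is known to exceed 512 bytes."""
    if reply is None:
        return "dropped"        # timeout: the large UDP reply never arrived
    if len(reply) < 12:
        return "malformed"      # shorter than a DNS header
    flags = struct.unpack("!H", reply[2:4])[0]
    if flags & 0x0200:
        return "truncated"      # TC=1: client must retry over TCP, which must also be allowed
    if len(reply) > legacy_limit:
        return "large-ok"       # a reply over 512 bytes got through on UDP
    return "inconclusive"       # answer was small; pick a name with a bigger answer

def probe(server, name=".", qtype=48, timeout=3.0):
    """Send the query to `server` over UDP and classify the result (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        try:
            return classify(s.recvfrom(65535)[0])
        except socket.timeout:
            return classify(None)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))          # resolver address given by the operator
    else:
        # Constructed replies (not captured traffic): 12-byte header plus padding.
        big = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + b"\x00" * 700
        cut = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 1) + b"\x00" * 17
        for label, r in (("big", big), ("cut", cut), ("none", None)):
            print(label, classify(r))
```

Run it from a host behind the firewall with a resolver address as the argument; a "dropped" or "truncated" result with no working TCP fallback is the configuration problem described above.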


