[dns-operations] [Root signing] A press release from AFNIC

[Stephane Bortzmeyer]

[Reminder: we had a discussion here a few weeks ago about how to tell
people in advance about the signing of the root and its consequences
for some misconfigured networks. Here is AFNIC public contribution.]

http://www.afnic.fr/actu/nouvelles/240/afnic-invites-network-managers-to-prepare-for-the-signing-of-the-dns-root-in-may-2010


AFNIC invites network managers to prepare for the signing of the DNS root in May 2010
Published in:
Press release
Saint Quentin en Yvelines, January 28th, 2010


>From May 2010, all the root servers on which the working of the domain name system depends, will be giving DNS responses signed by using the DNSSEC protocol.

This evolution aims for increasing the confidence in DNS responses (by authenticating their origin); administrators of networks connected to Internet should be aware that this evolution could cause some service disruptions.

In fact, the changes in the root server configuration could lead to a DNS disconnection risk, and therefore disruption of Internet service in certain cases.

AFNIC's advice

1. Check whether your network, as well as your DNS service, could be concerned by this potential dysfunction, on a machine where the dig software is set up:

dig +short rs.dns-oarc.net txt

2. Check that the response indicates more than 1500 bytes. For instance:

"203.0.113.1 DNS reply size limit is at least 4023 bytes"

3. Analyze the whole network and the intermediate equipments (firewalls), then make sure that everything has been properly configured, in case the tests indicate that the packets which are bigger than 1500 bytes can't get through.

4. Another alternative, if you do not have a simple DNS client like dig:
<http://labs.ripe.net/content/testing-your-resolver-dns-reply-size-issues>

This tool, developed by the RIPE-NCC, requires Java.

5. For end users (company, university or domestic ISP subscriber), please check with your ISP.

Technical background 

[...]