DNSSEC - Root zone - FUD
Kalman Feher
kalman.feher at melbourneit.com.au
Mon May 3 20:54:05 UTC 2010
On 3/05/10 10:25 PM, "Ray Van Dolson" <rvandolson at esri.com> wrote:
> David, I think you're exactly right. Lots of FUD, but, if I understand
> correctly, BIND does send out EDNS0 signalling by
> default...
EDNS0 does not imply DNSSEC. So you can get large responses back for lots of
non-DNSSEC queries. Having it enabled does not in any way increase any risk
on the 5/5.
If you do not ask, you will not receive.
So if today you do not have DNSSEC enabled; dnssec-enable and
dnssec-validation (more recent BIND revisions), you will not receive the
signed response, EDNS0 enabled or not.
So these are your required checks:
Do I have DNSSEC enabled?
Yes - check your network as already discussed.
No - Have a coffee, relax and consider enabling it by July, at least to
test.
> so it's still prudent to check your own firewall setups to
> ensure you can handle the larger packet sizes.
Yes, this will be useful in the future. But not required this week.
> Worst case you see
> delays if they do not.
>
--
Kal Feher
More information about the bind-users mailing list
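
The distinction drawn in the message above, as an added example that is not part of the original post: EDNS0 is signalled by an OPT record in the query, while asking for DNSSEC records is a separate DO bit inside that record (RFC 3225). The function names and the sample query name are constructed for illustration.

```python
import struct

DO_BIT = 0x8000   # RFC 3225: top bit of the 16-bit flags in the OPT TTL field
TYPE_OPT = 41     # EDNS0 pseudo-RR type

def encode_name(name):
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, edns_size=None, do=False, txid=0x1234):
    """Build a DNS query; edns_size=None means no OPT record (plain DNS)."""
    arcount = 0 if edns_size is None else 1
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_size is not None:
        # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size,
        # TTL = ext-rcode(8) | version(8) | flags(16), then RDLEN=0.
        flags = DO_BIT if do else 0
        msg += b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, edns_size, 0, 0, flags, 0)
    return msg

def skip_name(msg, off):
    # Walk labels until the root label or a compression pointer.
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def edns_info(msg):
    """Return (has_edns, udp_size, do_bit) for a DNS message."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return True, rclass, bool(ttl & DO_BIT)
    return False, 512, False                   # no EDNS0: classic 512-byte limit

if __name__ == "__main__":
    for kwargs in ({}, {"edns_size": 4096}, {"edns_size": 4096, "do": True}):
        print(kwargs, edns_info(build_query("example.com", **kwargs)))
```

Running `edns_info` over captured queries from a resolver shows which of the three cases it is in: no EDNS0, EDNS0 with a large buffer but no DNSSEC request, or EDNS0 with DO set.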