[AusNOG] Are you DNSSEC Ready?

Karl Kloppenborg karl at karltec.net
Sun May 2 14:19:48 EST 2010


Hey Noggers! 

With the DNSSEC roll date set to 5th of May (oh look, that's in three days!)

Are you ready?

I was a bit bored this morning and decided to pay a visit to some of my VMs with different providers and ran some DNS Resolver tests to see how everyone was **rigging** up with DNSSEC.
Some interesting results :D

Operating system of VM: CentOS
Number of VM hosts: 15
Command used to test: dig +short rs.dns-oarc.net txt
Number of hosts who were DNSSEC ready: 4
Number of hosts who were NOT DNSSEC ready: 11

To test if your resolver is DNSSEC ready, issue the following command: dig +short rs.dns-oarc.net txt

Your results should be along these lines:
rst.x4001.rs.dns-oarc.net.
rst.x3985.x4001.rs.dns-oarc.net.
rst.x4023.x3985.x4001.rs.dns-oarc.net.
"192.168.1.1 sent EDNS buffer size 4096"
"192.168.1.1 DNS reply size limit is at least 4023 bytes"

No EDNS

The following result comes from a DSL router that does not support EDNS:

rst.x486.rs.dns-oarc.net.
rst.x454.x486.rs.dns-oarc.net.
rst.x384.x454.x486.rs.dns-oarc.net.
"X.X.X.X DNS reply size limit is at least 486 bytes"
"X.X.X.X lacks EDNS, defaults to 512"

IP Fragments Filtered

If you're behind a firewall that filters IP fragments, you can expect to see a reply size limit slightly less than 1400 bytes:

rst.x1014.rs.dns-oarc.net.
rst.x1202.x1014.rs.dns-oarc.net.
rst.x1382.x1202.x1014.rs.dns-oarc.net.
"X.X.X.X sent EDNS buffer size 4096"
"X.X.X.X DNS reply size limit is at least 1382 bytes"


I also tested this on a number of common modem brands including the new range of Netgear and D-Link, again a lot don't seem to be supporting DNSSEC.


So, what are we all doing about it? Does everyone have a rollover plan?

Do tell :)



Cheers!
Karl Kloppenborg
Technical Director @ Karltec

P 02 8014 4253  EXT:104  | M 0438475892  |  www.karltec.net
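
An added example, not part of the original message: a small shell function that reads the output of the dig test above and sorts it into the three cases the post shows (large replies pass, no EDNS, IP fragments filtered). The function name, verdict labels and the 512/1400-byte thresholds are assumptions taken from the sample outputs in the post.

```shell
#!/bin/sh
# Added example: interpret `dig +short rs.dns-oarc.net txt` output.
# Assumption: the verdict thresholds (512 and 1400 bytes) come from the
# sample outputs in the post, not from any official DNS-OARC tool.

classify_reply_size() {
    # Reads the dig output on stdin; prints "<verdict> <limit-in-bytes>".
    awk '
        /lacks EDNS/ { no_edns = 1 }
        /reply size limit is at least/ {
            for (i = 1; i < NF; i++)
                if ($i == "least") { limit = $(i + 1) + 0; found = 1 }
        }
        END {
            if (!found)                  { print "no-result 0"; exit }
            if (no_edns || limit <= 512) { print "no-edns " limit; exit }
            if (limit < 1400)            { print "fragments-filtered " limit; exit }
            print "ok " limit
        }'
}

# Sample inputs copied from the outputs quoted in the post.
SAMPLE_OK='rst.x4001.rs.dns-oarc.net.
rst.x3985.x4001.rs.dns-oarc.net.
rst.x4023.x3985.x4001.rs.dns-oarc.net.
"192.168.1.1 sent EDNS buffer size 4096"
"192.168.1.1 DNS reply size limit is at least 4023 bytes"'

SAMPLE_NOEDNS='rst.x486.rs.dns-oarc.net.
rst.x454.x486.rs.dns-oarc.net.
rst.x384.x454.x486.rs.dns-oarc.net.
"X.X.X.X DNS reply size limit is at least 486 bytes"
"X.X.X.X lacks EDNS, defaults to 512"'

SAMPLE_FRAG='rst.x1014.rs.dns-oarc.net.
rst.x1202.x1014.rs.dns-oarc.net.
rst.x1382.x1202.x1014.rs.dns-oarc.net.
"X.X.X.X sent EDNS buffer size 4096"
"X.X.X.X DNS reply size limit is at least 1382 bytes"'

for sample in "$SAMPLE_OK" "$SAMPLE_NOEDNS" "$SAMPLE_FRAG"; do
    printf '%s\n' "$sample" | classify_reply_size
done
# Live use: dig +short rs.dns-oarc.net txt | classify_reply_size
```

Run across a fleet of hosts, the one-line verdict makes it easy to tally which resolvers need attention before signed responses start arriving.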
