[AusNOG] Are you DNSSEC Ready?

Noel Butler noel.butler at ausics.net
Sun May 2 15:39:02 EST 2010


tst tst tst did you miss the Copyright notice Karl?

The URI for that info is actually
https://www.dns-oarc.net/oarc/services/replysizetest


On Sun, 2010-05-02 at 14:19 +1000, Karl Kloppenborg wrote:

> Hey Noggers!
>
> With the DNSSEC roll date set to 5th of May (oh look, that's in three
> days!)
>
> Are you ready?
>
> I was a bit bored this morning and decided to pay a visit into some of
> my VMs with different providers and ran some DNS Resolver tests to
> see how everyone was **rigging** up with DNSSEC.
> Some interesting results :D
>
> Operating system of VM: CentOS
> Number of VM hosts: 15
> Command used to test: dig +short rs.dns-oarc.net txt
> Number of hosts who were DNSSEC ready: 4
> Number of hosts who were NOT DNSSEC ready: 11
> 
>
> To test if your resolver is DNSSEC ready, issue the following
> command: dig +short rs.dns-oarc.net txt
>
> Your results should be along these lines:
>         rst.x4001.rs.dns-oarc.net.
>         rst.x3985.x4001.rs.dns-oarc.net.
>         rst.x4023.x3985.x4001.rs.dns-oarc.net.
>         "192.168.1.1 sent EDNS buffer size 4096"
>         "192.168.1.1 DNS reply size limit is at least 4023 bytes"
>
> No EDNS
>
> The following result comes from a DSL router that does not support
> EDNS:
> 
> 
>         rst.x486.rs.dns-oarc.net.
>         rst.x454.x486.rs.dns-oarc.net.
>         rst.x384.x454.x486.rs.dns-oarc.net.
>         "X.X.X.X DNS reply size limit is at least 486 bytes"
>         "X.X.X.X lacks EDNS, defaults to 512"
>
> IP Fragments Filtered
>
> If you're behind a firewall that filters IP fragments, you can expect
> to see a reply size limit slightly less than 1400 bytes:
> 
> 
>         rst.x1014.rs.dns-oarc.net.
>         rst.x1202.x1014.rs.dns-oarc.net.
>         rst.x1382.x1202.x1014.rs.dns-oarc.net.
>         "X.X.X.X sent EDNS buffer size 4096"
>         "X.X.X.X DNS reply size limit is at least 1382 bytes"
>
> I also tested this on a number of common modem brands including the
> new range of Netgear and D-Link, again a lot don't seem to be
> supporting DNSSEC.
>
> So, what are we all doing about it? Does everyone have a rollover
> plan?
>
> Do tell :)
>
> Cheers!
> Karl Kloppenborg
> Technical Director @ Karltec
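
An added example, not part of the original messages: a Python classifier for the output of `dig +short rs.dns-oarc.net txt`, run over the three result shapes quoted above. The function names, category labels and the 1400-byte cut-off are assumptions made for this example.

```python
import re

# Constructed inputs: the three result shapes quoted in the message above.
SAMPLE_OK = '''rst.x4001.rs.dns-oarc.net.
rst.x3985.x4001.rs.dns-oarc.net.
rst.x4023.x3985.x4001.rs.dns-oarc.net.
"192.168.1.1 sent EDNS buffer size 4096"
"192.168.1.1 DNS reply size limit is at least 4023 bytes"
'''
SAMPLE_NO_EDNS = '''rst.x486.rs.dns-oarc.net.
rst.x454.x486.rs.dns-oarc.net.
rst.x384.x454.x486.rs.dns-oarc.net.
"X.X.X.X DNS reply size limit is at least 486 bytes"
"X.X.X.X lacks EDNS, defaults to 512"
'''
SAMPLE_FRAG = '''rst.x1014.rs.dns-oarc.net.
rst.x1202.x1014.rs.dns-oarc.net.
rst.x1382.x1202.x1014.rs.dns-oarc.net.
"X.X.X.X sent EDNS buffer size 4096"
"X.X.X.X DNS reply size limit is at least 1382 bytes"
'''
LIMIT_RE = re.compile(r"DNS reply size limit is at least (\d+) bytes")
EDNS_RE = re.compile(r"sent EDNS buffer size (\d+)")
# Assumption: cut-off taken from "slightly less than 1400 bytes" in the message.
FRAGMENT_CUTOFF = 1400

def parse_reply_size_test(text):
    # Pull the measured limit and advertised EDNS buffer out of the TXT lines.
    limit, edns = LIMIT_RE.search(text), EDNS_RE.search(text)
    return {
        "limit": int(limit.group(1)) if limit else None,
        "edns_buffer": int(edns.group(1)) if edns else None,
        "lacks_edns": "lacks EDNS" in text,
    }

def classify(text):
    r = parse_reply_size_test(text)
    if r["limit"] is None:
        return "no-result"            # empty or truncated dig output
    if r["lacks_edns"] or r["edns_buffer"] is None:
        return "no-edns"              # replies capped at the 512-byte default
    if r["limit"] < FRAGMENT_CUTOFF:
        return "fragments-filtered"   # EDNS offered, large replies still lost
    return "large-replies-ok"

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_NO_EDNS", "SAMPLE_FRAG"):
        print(name, classify(globals()[name]))
```

Live output can be checked by passing the text returned by `dig +short rs.dns-oarc.net txt` to `classify()`.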