Be alert but not alarmed, DNSSEC rollout completes 6am tomorrow!

Discussion in 'Networking, Telephony & Internet' started by mike-s, May 4, 2010.

  1. mike-s

    mike-s Member

    Joined:
    Dec 15, 2003
    Messages:
    1,865
    Location:
    Sydney, Australia
    original article here

    For those who can't be arsed reading the article (tl-dr if you will), the way DNS works on the internet is a-changing and your old router or firewall may not be able to take the change in behaviour.

    This change isn't likely to affect residential users as it's likely to be filtered/made transparent by your ISP. But for those of us in corporate-world, DNS is changing. DNSSEC rollout is nearing completion and as of tomorrow all root DNS servers will give out digital signatures with every DNS request. For some old devices (or the networks behind them) the immediate effect is that DNS might magically stop as the reply size will increase from a maximum of 512 bytes to a total of 2k. The reason behind this is that originally it was assumed that the reply would never need to go above 512 bytes, so a lot of equipment automatically drops DNS response packets that exceed that size.

    Tomorrow may not affect you whatsoever, or it may be the day you realise you and your network are both up shit creek. You have been warned.
     
  2. cs-cam

    cs-cam Member

    Joined:
    Oct 17, 2007
    Messages:
    742
    Location:
    Brisbane, QLD
    The reason is DNS currently uses UDP for transport; however, with responses larger than 512 bytes (as of tomorrow, all of them) it falls back to TCP. If your firewall is only configured to allow UDP requests on port 53, then you're going to have problems. Anything else and you're fine.
     
  3. evilasdeath

    evilasdeath Member

    Joined:
    Jul 24, 2004
    Messages:
    4,677
    Changes will happen between 17:00 and 19:00 UTC

    17:00:00 Wednesday May 5, 2010 in UTC converts to
    03:00:00 Thursday May 6, 2010 in GMT+10

    19:00:00 Wednesday May 5, 2010 in UTC converts to
    05:00:00 Thursday May 6, 2010 in GMT+10

    Thursday's the day in Australia :)

    I think it could be an awesome start to Thursday more so than Wednesday if shit hits the fan.
     
  4. caironet16

    caironet16 Member

    Joined:
    Mar 12, 2002
    Messages:
    233
  5. OP
    mike-s

    mike-s Member

    Joined:
    Dec 15, 2003
    Messages:
    1,865
    Location:
    Sydney, Australia
    I didn't realise there would be a whole fallback to TCP, you learn something new every day. Some people are going to be a whole new level of screwed.

    I'll blame my boss, he initially mentioned this as a problem that is going to happen today and I took his word on that *facepalm*
    Cruel yet malicious, I kinda like it!
     
  6. Falkor

    Falkor Member

    Joined:
    Jun 27, 2001
    Messages:
    3,974
    Location:
    Sydney
    So how do we properly prepare for this then?

    Is there any info anywhere? :p

    I've been looking around, but am probably looking in the wrong places :(
     
  7. caironet16

    caironet16 Member

    Joined:
    Mar 12, 2002
    Messages:
    233
    All you can do is hope for the best. Hopefully everything just works, but judging by the sheer vastness of the internet there are bound to be problems imo.

    For instance if someone was waiting to launch a DDoS attack on the root DNS servers, they would probably wait until some of them go down for the upgrade and then target the remaining ones.

    Apart from that the odd DNS server will probably fall over.

    Maybe have a list of backup IPs ready just in case.
     
  8. Falkor

    Falkor Member

    Joined:
    Jun 27, 2001
    Messages:
    3,974
    Location:
    Sydney
    OK, well, for anyone interested: we run Cisco ASAs and have an MS network, so we have MS DNS servers.

    By default on the ASAs it's set to a max DNS packet size of 512 bytes (well, mine were).
    I changed it here:

    policy-map type inspect dns
     parameters
      message-length maximum 2048

    And our MS DNS servers weren't enabled for EDNS, which is required for >512 bytes. So I followed the instructions here to do that:
    http://technet.microsoft.com/en-us/library/cc787130(WS.10).aspx

    I found the test tool in the ITNews article helpful :)
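    As an added example (not code from the thread, and not the ITNews test tool Falkor mentions), the two mechanisms discussed in posts 2 and 8: an EDNS0 query that advertises a UDP payload larger than 512 bytes, and the TC-flag fallback to TCP. The server address you pass to probe() and the 4096-byte payload size are assumptions.

```python
import socket
import struct

# Constructed example, not code from the thread: an EDNS0 (RFC 6891) query
# builder plus the RFC 1035 truncated-reply-to-TCP fallback a resolver performs.
FLAG_TC = 0x0200  # TC (truncated) bit in the DNS header flags word

def build_edns_query(name, qtype=1, udp_payload=4096, txid=0x1234, do=True):
    """Wire-format query with one OPT RR; the OPT CLASS field advertises the UDP
    payload size we accept, which is how a client lifts the classic 512-byte limit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner name, TYPE 41, CLASS = payload size, TTL = ext-RCODE|version|DO|Z, RDLEN 0
    ttl = (1 << 15) if do else 0
    return header + question + b"\x00" + struct.pack("!HHIH", 41, udp_payload, ttl, 0)

def needs_tcp_fallback(reply):
    """True when the server set TC=1, i.e. the answer did not fit in the UDP reply."""
    return bool(struct.unpack("!H", reply[2:4])[0] & FLAG_TC)

def query_tcp(server, query, timeout=3):
    """DNS over TCP: 2-byte length prefix, then the message (RFC 1035 section 4.2.2)."""
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(struct.pack("!H", len(query)) + query)
        data = b""
        while len(data) < 2 or len(data) < 2 + struct.unpack("!H", data[:2])[0]:
            chunk = t.recv(4096)
            if not chunk:
                raise ConnectionError("TCP stream closed before the full reply arrived")
            data += chunk
        return data[2:]

def probe(server, name=".", qtype=48, timeout=3):
    """Ask for the root DNSKEY RRset (type 48, well over 512 bytes once signed).
    Returns (reply_length, via_tcp); None means the UDP reply never came back,
    which is what a middlebox silently dropping >512-byte DNS packets looks like."""
    q = build_edns_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            reply, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    if needs_tcp_fallback(reply):
        return len(query_tcp(server, q, timeout)), True
    return len(reply), False
```

    Call probe("<ip of your DNS server>") from inside the network: a result over 512 bytes with via_tcp False means large UDP replies get through, via_tcp True means the server truncated and the TCP fallback worked, and None means something in the path is eating the large reply.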
     
  9. evilasdeath

    evilasdeath Member

    Joined:
    Jul 24, 2004
    Messages:
    4,677
  10. OP
    mike-s

    mike-s Member

    Joined:
    Dec 15, 2003
    Messages:
    1,865
    Location:
    Sydney, Australia
    The main reason this whole stink was being kicked up is that the last server that you could "fall back" to if the others didn't provide a satisfactory response for your system is now being upgraded to DNSSEC. Which means if you have network gear that is not compatible with the new format and some upstream equipment isn't providing a reverse translation for you, you're in the shit.
     
    Last edited: May 5, 2010
  11. Iceman

    Iceman Member

    Joined:
    Jun 27, 2001
    Messages:
    6,647
    Location:
    Brisbane (nth), Australia
    I'd really like a test to confirm my Server 2003 DNS and firewall can handle this... none of the ones I've found are particularly conclusive.
     
  12. Falkor

    Falkor Member

    Joined:
    Jun 27, 2001
    Messages:
    3,974
    Location:
    Sydney
    Well the world didn't end, so I think we are ok! :p
     
  13. gords

    gords Oh deer!

    Joined:
    Aug 3, 2001
    Messages:
    6,607
    Location:
    Sydney, Australia
    It might take some time to see the results of the changes due to cached DNS results though.
     
  14. darth_wolf

    darth_wolf Member

    Joined:
    Jul 20, 2007
    Messages:
    1,662
    Next G network died in QLD at around 5am, didn't it?

    Could it be DNS related?
     
  15. caironet16

    caironet16 Member

    Joined:
    Mar 12, 2002
    Messages:
    233
    Quite possible. AAPT seems fine; I'm on the 24/7 Unlimited plan, working great.
     
  16. evilasdeath

    evilasdeath Member

    Joined:
    Jul 24, 2004
    Messages:
    4,677
    I think coincidence
     
  17. SirNemesis

    SirNemesis Member

    Joined:
    Sep 22, 2002
    Messages:
    1,432
    Location:
    Geelong
    Having some DNS issues with Pacific Internet at the moment...
     
  18. gords

    gords Oh deer!

    Joined:
    Aug 3, 2001
    Messages:
    6,607
    Location:
    Sydney, Australia
  19. darth_wolf

    darth_wolf Member

    Joined:
    Jul 20, 2007
    Messages:
    1,662
    Hmmm, was funny while it lasted though.
     
