Almost Ready for DNS-SEC but Slightly Confused in Home Stretch

Michael Sinatra michael at
Sat Dec 11 20:10:25 UTC 2010

On 12/10/10 08:17, Martin McCormick wrote:

> 	As a reminder, none of this is on our master DNS yet so
> we are still doing the normal activities. Our firewalls are
> supposed to be adjusted to allow the 4096-byte DNS packets in
> the next day or so so all the testing is being done on another
> box for now.

Note that the EDNS0 standard (RFC 2671) does not limit the size of 
EDNS0-enabled UDP responses to 4096 bytes, and many implementations can 
be configured to accept UDP response sizes up to 65536 bytes.  4096 is 
merely the default.  As long as you're modifying firewalls now, you 
might want to allow for a larger UDP response.

In addition, don't assume you can block TCP/53 (or limit TCP responses 
to 4096 bytes) just because you allow EDNS0 responses.  First, some 
implementations have smaller EDNS0 buffers and will more quickly fall 
back to TCP.  Second, some responses will still be larger than 4096 
bytes.  When I was signing with both algorithms 5 and 10, a 
query of " ANY" yielded a response of over 4100 bytes!

It sounds like you're being careful with your FW, but I thought I'd let 
you know of some gotchas anyway.  It's a reason to follow Kevin's advice 
and publish your signed zones without publishing the keys, so that you 
can see if the larger responses cause problems.


More information about the bind-users mailing list