Almost Ready for DNS-SEC but Slightly Confused in Home Stretch
michael at rancid.berkeley.edu
Sat Dec 11 20:10:25 UTC 2010
On 12/10/10 08:17, Martin McCormick wrote:
> As a reminder, none of this is on our master DNS yet so
> we are still doing the normal activities. Our firewalls are
> supposed to be adjusted to allow the 4096-byte DNS packets in
> the next day or so, so all the testing is being done on another
> box for now.
Note that the EDNS0 standard (RFC 2671) does not limit the size of
EDNS0-enabled UDP responses to 4096 bytes, and many implementations can
be configured to accept UDP response sizes up to 65536 bytes. 4096 is
merely the default. As long as you're modifying firewalls now, you
might want to allow for a larger UDP response.
In addition, don't assume you can block TCP/53 (or limit TCP responses
to 4096 bytes) just because you allow EDNS0 responses. First, some
implementations have smaller EDNS0 buffers and will more quickly fall
back to TCP. Second, some responses will still be larger than 4096
bytes. When I was signing berkeley.edu with both algorithms 5 and 10, a
query of "berkeley.edu ANY" yielded a response of over 4100 bytes!
It sounds like you're being careful with your FW, but I thought I'd let
you know of some gotchas anyway. It's a reason to follow Kevin's advice
and publish your signed zones without publishing the keys, so that you
can see if the larger responses cause problems.
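As an added illustration for anyone testing their firewall the way Michael describes (this is not code from his message, from Martin's setup, or from BIND), here is a small Python probe that builds a query with an EDNS0 OPT record advertising a chosen UDP payload size, sends it over UDP, and retries over TCP/53 when the server sets the TC bit. The server address and zone on the command line are placeholders you supply; the wire bytes checked in the helpers are constructed from the RFC 1035/2671 formats, not captured from any real server.

```python
"""Probe DNS response sizes with an EDNS0 advertised buffer and fall back to TCP on TC."""
import random
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "SOA": 6, "TXT": 16, "AAAA": 28, "DNSKEY": 48, "ANY": 255}
OPT_TYPE = 41      # RR type of the EDNS0 OPT pseudo-record
DO_FLAG = 0x8000   # DNSSEC OK bit, top bit of the OPT "TTL" flags half
TC_FLAG = 0x0200   # TrunCation bit in the DNS header flags word


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype="ANY", bufsize=4096, txid=None, dnssec_ok=True):
    """Build a recursive query carrying an OPT RR that advertises `bufsize` bytes."""
    qt = QTYPES[qtype] if isinstance(qtype, str) else qtype
    if txid is None:
        txid = random.randrange(65536)   # never reuse a fixed ID on a real network
    # flags 0x0100 = RD; 1 question, 0 answer, 0 authority, 1 additional (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qt, 1)
    # OPT RR: empty name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
    ttl = DO_FLAG if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, ttl, 0)
    return header + question + opt


def parse_header(msg):
    """Return the header fields a size probe cares about: TC, RCODE and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & TC_FLAG),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def advertised_bufsize(query):
    """Read the UDP payload size back out of the OPT RR of a single-question query."""
    pos = 12
    while query[pos] != 0:            # skip the QNAME labels
        pos += 1 + query[pos]
    pos += 1 + 4                      # root label, QTYPE, QCLASS
    name, rtype, rclass = struct.unpack("!BHH", query[pos:pos + 5])
    if name != 0 or rtype != OPT_TYPE:
        return None
    return rclass                     # the CLASS field carries the payload size


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP connection closed mid-message")
        buf += chunk
    return buf


def probe(server, name, qtype="ANY", bufsize=4096, timeout=3.0):
    """Send over UDP; if the server sets TC, repeat the same query over TCP/53.

    Returns (transport_used, response_length, header).  A firewall that drops
    large UDP replies shows up as a timeout on the UDP leg; one that blocks
    TCP/53 shows up as a timeout or refused connection on the fallback.
    """
    q = build_query(name, qtype, bufsize)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(65535)
    hdr = parse_header(resp)
    if not hdr["tc"]:
        return "udp", len(resp), hdr
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(struct.pack("!H", len(q)) + q)   # DNS over TCP prefixes a 2-byte length
        (length,) = struct.unpack("!H", _recv_exact(t, 2))
        resp = _recv_exact(t, length)
    return "tcp", len(resp), parse_header(resp)


if __name__ == "__main__":
    import sys
    server, zone = sys.argv[1], sys.argv[2]   # placeholders, e.g. 127.0.0.1 example.org
    for size in (512, 1232, 4096):
        print(size, probe(server, zone, "ANY", bufsize=size))
```

Run it against the test box before and after the firewall change, once with the signed zone and once with the keys published: a result that flips from "udp" to "tcp" as the advertised size shrinks is normal, while a timeout on either leg is the firewall problem to fix before the signed zone reaches the master.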