Preparing for upcoming DNSSEC changes on 5/5

Kalman Feher kalman.feher at
Mon May 3 13:37:49 UTC 2010

On 1/05/10 7:10 PM, "Server Administrator" <server53admn at> wrote:

> I tried OARC's DNS Reply Size Test on two of my name servers, both on
> the same network, behind the same firewall & router.
> Both came back and reported "DNS reply size limit is at least 3843"
> (results below).
> Is 3843 close enough to 4096 to keep me safe next Wednesday (May 5th)?
>  If not, do the required remedies need to be applied in named.conf, or
> the router & firewall?  And if the latter, what, specifically, needs
> to be configured?
It really depends on what those remedies are...

First, consider the fact that a low UDP response will result in a TCP
attempt occasionally (when the response is greater that your effective
limit). So you should ensure that you can resolve queries using TCP. On the
occasions when TCP is not possible, it is regularly caused by intervening
network devices. So check firewalls and routers for filters that do not
allow DNS over TCP.

Also check for devices that inspect DNS queries. They can have some out of
date assumptions regarding sizes.

Second, make sure the tested effective size appears in your named.conf in
the options statement "edns-udp-size" on your resolver.

In your case:
 edns-udp-size 3843;

Finally, note that UDP is preferable for DNS so ensuring the largest
possible size will reduce the occurrence of TCP. Take a look at your
firewall settings for connection timeouts and consider what would happen if
all the short lived DNS UDP connections were suddenly replaced by longer
lived TCP connections.

> Other than OARC's page are there any sites that describe everything
> that needs to be done and checked to make sure we're good to go on
> 5/5?

It appears you are good to go.

Kal Feher 

More information about the bind-users mailing list