Preparing for upcoming DNSSEC changes on 5/5

Lightner, Jeff jlightner at
Mon May 3 15:36:59 UTC 2010

I fear I've missed something important.

My network admin is saying his understanding is we MUST make changes for
this 5/5 change on the root servers. I was under the impression that
until we decide to implement DNSSEC ourselves we don't need to do
anything on our end to continue resolving.

We already allow for udp 512 and tcp for DNS.

It sounds as if he read an article saying we have to implement DNSSEC on
our DNS servers or we'll quit working on 5/5?  Is that the case?

Also what is the drop dead date/time if so?  5/5 Midnight UTC?  Some
other time?

-----Original Message-----
From: at
[ at] On Behalf
Of Kalman Feher
Sent: Monday, May 03, 2010 9:38 AM
To: BIND users
Subject: Re: Preparing for upcoming DNSSEC changes on 5/5

On 1/05/10 7:10 PM, "Server Administrator" <server53admn at>

> I tried OARC's DNS Reply Size Test on two of my name servers, both on
> the same network, behind the same firewall & router.
> Both came back and reported "DNS reply size limit is at least 3843"
> (results below).
> Is 3843 close enough to 4096 to keep me safe next Wednesday (May 5th)?
> If not, do the required remedies need to be applied in named.conf, or
> the router & firewall?  And if the latter, what, specifically, needs
> to be configured?
It really depends on what those remedies are...

First, consider the fact that a low UDP response limit will result in a TCP
attempt occasionally (when the response is greater than your effective
limit). So you should ensure that you can resolve queries using TCP. On
occasions when TCP is not possible, it is regularly caused by
network devices. So check firewalls and routers for filters that do not
allow DNS over TCP.

Also check for devices that inspect DNS queries. They can have some
out-of-date assumptions regarding sizes.

Second, make sure the tested effective size appears in your named.conf, in
the options statement "edns-udp-size" on your resolver.

In your case:
 edns-udp-size 3843;

Finally, note that UDP is preferable for DNS, so ensuring the largest
possible size will reduce the occurrence of TCP. Take a look at your
firewall settings for connection timeouts and consider what would happen if
all the short-lived DNS UDP connections were suddenly replaced by
longer-lived TCP connections.

> Other than OARC's page are there any sites that describe everything
> that needs to be done and checked to make sure we're good to go on
> 5/5?

It appears you are good to go.

Kal Feher 

bind-users mailing list
bind-users at
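The mechanism discussed in this thread (an EDNS0 OPT record advertising a UDP payload size, and the TC bit that forces a resolver to retry over TCP when the answer does not fit) as an added example; this is not code from the thread, from OARC's test, or from BIND. It builds a query advertising the 3843-byte limit measured above, parses constructed responses, and shows which reply would trigger the TCP fallback. All messages are constructed inline for the example; 192.0.2.1 is a documentation address, not a real record.

```python
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type
FLAG_TC = 0x0200       # TrunCation bit in the DNS header flags


def encode_name(name):
    """Encode a dotted name into DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def opt_rr(udp_payload):
    """OPT RR: root owner name, TYPE 41; the CLASS field carries the UDP payload size."""
    return b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_payload, 0, 0)


def build_query(qname, qtype=1, udp_payload=3843, txid=0x1234):
    """Recursive query with an EDNS0 OPT RR advertising udp_payload bytes."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1) + opt_rr(udp_payload)


def parse_labels(msg, off):
    """Decode a possibly compressed name; returns (labels, offset after the name)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return labels, off + 1
        if ln & 0xC0 == 0xC0:                    # compression pointer into the message
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = parse_labels(msg, ptr)
            return labels + tail, off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def inspect_message(msg):
    """Summarise the header bits and the EDNS0 payload size a resolver would act on."""
    _txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    qname = None
    for _ in range(qd):
        labels, off = parse_labels(msg, off)
        qname = ".".join(labels) + "."
        off += 4                                 # skip QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        _, off = parse_labels(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            edns_size = rclass                   # advertised UDP payload size
    return {
        "qname": qname,
        "truncated": bool(flags & FLAG_TC),
        "edns_udp_size": edns_size,
        "wire_length": len(msg),
    }


def transport_for(response_len, effective_limit):
    """UDP is preferred; only a response larger than the path's effective limit forces TCP."""
    return "udp" if response_len <= effective_limit else "tcp"


def next_step(response):
    """What a resolver does with a UDP reply: use it, or retry the same query over TCP."""
    return "retry over tcp" if inspect_message(response)["truncated"] else "use udp answer"


# Constructed sample messages for the example (not captured traffic).
QUERY = build_query("example.com.", udp_payload=3843)
_question = encode_name("example.com.") + struct.pack(">HH", 1, 1)
# Complete answer: one A record (192.0.2.1, documentation range); server advertises 4096.
FULL_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + _question
                 + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
                 + opt_rr(4096))
# Truncated answer: QR|TC|RD|RA set, no answer records; the resolver must retry over TCP.
TRUNCATED_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 0, 0, 1) + _question + opt_rr(4096)

if __name__ == "__main__":
    for label, m in (("query", QUERY), ("full", FULL_RESPONSE), ("truncated", TRUNCATED_RESPONSE)):
        print(label, inspect_message(m))
    print(next_step(TRUNCATED_RESPONSE))
    print(transport_for(3900, 3843))
```

The `edns-udp-size` value is exactly the CLASS field of the OPT record in the outgoing query, so lowering it to the measured 3843 tells authoritative servers not to send anything larger over UDP; a reply that still cannot fit comes back with TC set and is re-fetched over TCP, which is why the TCP path and firewall connection timeouts matter.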
