Preparing for upcoming DNSSEC changes on 5/5

Lightner, Jeff jlightner at water.com
Mon May 3 17:34:28 UTC 2010 

I hadn't done any tests because as noted below I was unaware there was
any testing needed.   I was responding in thread that seemed relevant.

Someone replied off list suggesting I do
dig @b.root-severs.net com +dnssec +notcp 

then

dig @b.root-servers.net com +dnssec +tcp.

The latter responded correctly and the former said no servers could be
reached.   Doing it without either +notcp or +tcp responded correctly so
I'm assuming it tried udp then tcp as normal?

The network admin modified the core switch and others to allow for
larger UDP responses and since he's done that it appears the +notcp
option gives the right response to the dig (same as the +tcp).  I
assuming that means my DNS server is reading the larger udp response? 

There is no EDNS entry in my named.conf.  Do I need one, given that
above worked?

The article (apparently he got it from our common manager) is one I've
not seen but I'm assuming it was The Register article or something
referring to it.   Most of my reading since I sent the email suggests as
you did that I don't need to do anything and that the original article
was written in an overly alarmist fashion.

Is there other testing I need to do?


-----Original Message-----
From: bind-users-bounces+jlightner=water.com at lists.isc.org
[mailto:bind-users-bounces+jlightner=water.com at lists.isc.org] On Behalf
Of Alan Clegg
Sent: Monday, May 03, 2010 12:23 PM
To: bind-users at lists.isc.org
Subject: Re: Preparing for upcoming DNSSEC changes on 5/5

On 5/3/2010 4:36 PM, Lightner, Jeff wrote:

> It sounds as if he read an article saying we have to implement DNSSEC
on
> our DNS servers or we'll quit working on 5/5?  Is that the case?
> 
> Also what is the drop dead date/time if so?  5/5 Midnight UTC?  Some
> other time?

You don't need to do anything more than be sure that you have a clean
network path.  There is nothing "to do" by 5/5 as long as the tests that
you say worked actually did work.

If you have additional information on "the article" that he read
implying that more needs to be done, please provide a link.

Thanks,
AlanC
 
Proud partner. Susan G. Komen for the Cure.
 
Please consider our environment before printing this e-mail or attachments.
----------------------------------
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.
----------------------------------

More information about the bind-users mailing list