DNSSEC - Root zone - FUD

Kalman Feher kalman.feher at melbourneit.com.au
Mon May 3 20:54:05 UTC 2010

On 3/05/10 10:25 PM, "Ray Van Dolson" <rvandolson at esri.com> wrote:

> David, I think you're exactly right.  Lots of FUD, but, if I understand
> correctly, BIND does by default does send out EDNS0 signalling by
> default... 
EDNS0 does not imply DNSSEC. So you can get large responses back for lots of
non DNSSEC queries. Having it enabled does not in anyway increase any risk
on the 5/5.

If you do not ask, you will not receive.

So if today you do not have DNSSEC enabled; dnssec-enable and
dnssec-validation (more recent BIND revisions), you will not receive the
signed response, EDNS0 enabled or not.

So these are your required checks:

Do I have DNSSEC enabled?
Yes - check your network as already discussed.
No - Have a coffee, relax and consider enabling it by July, at least to

> so it's still prudent to check your own firewall setups to
> ensure you can handle the larger packet sizes.
Yes, this will be useful in the future. But not required this week.

> Worst case you see
> delays if they do not.

Kal Feher 

More information about the bind-users mailing list