DNSSEC - Root zone - FUD
kalman.feher at melbourneit.com.au
Mon May 3 20:54:05 UTC 2010
On 3/05/10 10:25 PM, "Ray Van Dolson" <rvandolson at esri.com> wrote:
> David, I think you're exactly right. Lots of FUD, but, if I understand
> correctly, BIND does by default send out EDNS0 signalling by
EDNS0 does not imply DNSSEC. So you can get large responses back for lots of
non DNSSEC queries. Having it enabled does not in any way increase any risk
on the 5/5.
If you do not ask, you will not receive.
So if today you do not have DNSSEC enabled; dnssec-enable and
dnssec-validation (more recent BIND revisions), you will not receive the
signed response, EDNS0 enabled or not.
So these are your required checks:
Do I have DNSSEC enabled?
Yes - check your network as already discussed.
No - Have a coffee, relax and consider enabling it by July, at least to
> so it's still prudent to check your own firewall setups to
> ensure you can handle the larger packet sizes.
Yes, this will be useful in the future. But not required this week.
> Worst case you see
> delays if they do not.
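
Added example, not part of the original message: a Python sketch of the "EDNS0 does not imply DNSSEC" point. It builds the same root DNSKEY query three ways and decodes what each one asks for; an EDNS0 OPT record only advertises a UDP payload size, and the separate DO bit (RFC 3225) is the request for signed data. The function names, the 4096 payload size and the query ID are assumptions chosen for illustration.

```python
import struct

DO_BIT = 0x8000   # "DNSSEC OK" flag in the OPT record's flags field (RFC 3225)
TYPE_OPT = 41     # EDNS0 pseudo-RR type (RFC 6891)
TYPE_DNSKEY = 48

def encode_name(name):
    """Encode a domain name as length-prefixed labels; "." is the root."""
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, edns_size=None, want_dnssec=False, qid=0x1234):
    """Build a DNS query. edns_size=None means no OPT record (plain DNS)."""
    arcount = 0 if edns_size is None else 1
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)     # class IN
    if edns_size is None:
        return header + question
    flags = DO_BIT if want_dnssec else 0
    # OPT RR: root owner name, TYPE 41, CLASS carries the UDP payload size,
    # TTL is split into ext-rcode (8 bits), version (8), flags (16); RDLEN 0.
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, edns_size, 0, 0, flags, 0)
    return header + question + opt

def skip_name(msg, pos):
    """Step over an uncompressed name and return the offset after it."""
    while msg[pos]:
        pos += msg[pos] + 1
    return pos + 1

def describe_query(msg):
    """Return (advertised UDP size or None, DO bit) for a query message.
    Simplification: assumes no answer/authority records and no compression."""
    qdcount, _, _, arcount = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4            # QTYPE + QCLASS
    for _ in range(arcount):
        pos = skip_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & DO_BIT)
        pos += 10 + rdlen
    return None, False

if __name__ == "__main__":
    for label, kw in [("plain DNS", {}), ("EDNS0 only", {"edns_size": 4096}),
                      ("EDNS0 + DO", {"edns_size": 4096, "want_dnssec": True})]:
        print(label, describe_query(build_query(".", TYPE_DNSKEY, **kw)))
```

Only the third query asks for signatures; the second can still draw a response larger than 512 bytes, which is the case the firewall check in the thread is about.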