[dnssec-deployment] some observations about .SE's DNSSEC

richard.lamb richard.lamb at icann.org
Tue Sep 25 18:45:32 EDT 2007


Yep.  I saw this when I started my work here after putting validating DNSSEC
resolvers all over the place, usually behind cheap BB routers in people's
homes.  Being in business taught me that the customer is always right, so I
wanted to see what the customer saw - not what a guy with a T1 into their
house saw. Almost always failed.  I sent a note to Andrews about this but I
think it's correct behavior on BIND's part.  Between now and when DNSSEC
makes it into Windows should be enough time for router vendors (saw it
mostly on DSL/Westel combos) to clean up their act.

I remember a sequence something like:
Request big bunch of DNSKEYS (udp) ->
 X(lost) <- Big udp packet
...timeout
Request big bunch of DNSKEYS (udp) ->
  <- 512 byte truncated packet (udp)
...truncated..fail
Then sometimes...
Request big bunch of DNSKEYS (TCP) ->
  <- Big TCP packet
Request more information to complete validation ->
..works


-----Original Message-----
From: DNSSEC deployment [mailto:dnssec-deployment at shinkuro.com] On Behalf Of
Paul Vixie
Sent: Tuesday, September 25, 2007 3:02 PM
To: DNSSEC deployment
Cc: Jakob Schlyter
Subject: [dnssec-deployment] some observations about .SE's DNSSEC

jakob has given me permission to share this information with you, and would
welcome any questions or discussion we might have:

--------

From: Jakob Schlyter <jakob at rfc.se>
Subject: Re: AD set unrequested
Date: Tue, 25 Sep 2007 17:28:26 +0200
To: xxx

one more thing...

as you may have noted, DNSSEC in .SE is in full production; at least two
large ISPs in Sweden are doing DNSSEC validation in their production
systems.  it was recently discovered that none of their customers (with
crappy broadband routers, e.g. Netgear) can reach signed domains. ouch.

	jakob

--------
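
The UDP -> truncated -> TCP sequence described above, as an added simulation that is not part of the original thread or of BIND. It models a resolver that asks for a DNSKEY RRset with EDNS0 (4096-byte buffer), gets no reply because the broadband router drops the large UDP datagram, retries without EDNS0 and receives a 512-byte reply with TC=1, and only then falls back to TCP. The authoritative server, the router, the zone name "zone.example." and the 257-byte fake DNSKEY RDATA are all constructed for the example; the resolver's retry ladder is a simplification of what a real validating resolver does, not a description of BIND's exact algorithm.

```python
import struct

# Constructed DNS wire-format simulation (not real resolver or server code).
QTYPE_DNSKEY = 48
TYPE_OPT = 41           # EDNS0 pseudo-RR type
CLASS_IN = 1
FLAG_QR = 0x8000        # message is a response
FLAG_TC = 0x0200        # response was truncated to fit the UDP limit
FLAG_RD = 0x0100        # recursion desired


def encode_name(name):
    # Dotted name -> uncompressed DNS wire format (length-prefixed labels, root = 0x00).
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid, name, qtype, edns_udp_size=None):
    # Query with one question; with edns_udp_size an OPT RR advertises a bigger UDP buffer.
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1 if edns_udp_size else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size, TTL=0, RDLEN=0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & FLAG_TC), "ancount": an, "arcount": ar}


def advertised_udp_size(query):
    # UDP payload size from the query's OPT RR; 512 (RFC 1035 limit) without EDNS0.
    if parse_header(query)["arcount"] == 0:
        return 512
    pos = 12
    while query[pos] != 0:          # skip the question name labels
        pos += 1 + query[pos]
    pos += 1 + 4                    # root label + QTYPE + QCLASS
    if query[pos] == 0 and struct.unpack("!H", query[pos + 1:pos + 3])[0] == TYPE_OPT:
        return struct.unpack("!H", query[pos + 3:pos + 5])[0]
    return 512


class FakeAuthServer:
    # Constructed authoritative server: one DNSKEY RRset of fixed-size fake keys.
    def __init__(self, name, num_keys=3, key_bytes=257):
        self.name = name
        self.rrs = [struct.pack("!HHIH", QTYPE_DNSKEY, CLASS_IN, 3600, key_bytes)
                    + bytes([i]) * key_bytes for i in range(num_keys)]   # fake RDATA

    def respond(self, query, via_tcp):
        qid = parse_header(query)["id"]
        question = encode_name(self.name) + struct.pack("!HH", QTYPE_DNSKEY, CLASS_IN)
        limit = 65535 if via_tcp else advertised_udp_size(query)
        flags, answers, count = FLAG_QR | FLAG_RD, b"", 0
        for rr in self.rrs:
            rr_wire = b"\xc0\x0c" + rr      # owner name as a pointer to the question name
            if 12 + len(question) + len(answers) + len(rr_wire) > limit:
                flags |= FLAG_TC            # RR does not fit: set TC and stop
                break
            answers += rr_wire
            count += 1
        msg = struct.pack("!HHHHHH", qid, flags, 1, count, 0, 0) + question + answers
        return struct.pack("!H", len(msg)) + msg if via_tcp else msg   # TCP length prefix


class BroadbandRouter:
    # Simulated home router: silently drops UDP DNS replies larger than max_udp bytes.
    def __init__(self, server, max_udp):
        self.server, self.max_udp, self.dropped = server, max_udp, []

    def udp(self, query):
        reply = self.server.respond(query, via_tcp=False)
        if len(reply) > self.max_udp:
            self.dropped.append(len(reply))
            return None                     # datagram lost: the resolver sees a timeout
        return reply

    def tcp(self, query):
        framed = self.server.respond(query, via_tcp=True)
        return framed[2:2 + struct.unpack("!H", framed[:2])[0]]


def resolve_dnskey(name, net):
    # Retry ladder: UDP+EDNS0 4096 -> plain 512-byte UDP -> TCP if TC=1. Returns (reply, log).
    log = []
    reply = net.udp(build_query(0x1001, name, QTYPE_DNSKEY, edns_udp_size=4096))
    if reply is None:
        log.append("udp/edns0 4096: timeout, large reply lost")
        reply = net.udp(build_query(0x1002, name, QTYPE_DNSKEY))
    if reply is None:
        log.append("udp/512: timeout")
        return None, log
    hdr = parse_header(reply)
    if hdr["tc"]:
        log.append(f"udp/512: {len(reply)} bytes, TC=1, ancount={hdr['ancount']}")
        reply = net.tcp(build_query(0x1003, name, QTYPE_DNSKEY))
        hdr = parse_header(reply)
    log.append(f"done: {len(reply)} bytes, ancount={hdr['ancount']}, tc={hdr['tc']}")
    return reply, log


if __name__ == "__main__":
    server = FakeAuthServer("zone.example.")
    for label, max_udp in (("cheap router", 512), ("sane router", 4096)):
        print(label, "->", " | ".join(resolve_dnskey("zone.example.", BroadbandRouter(server, max_udp))[1]))
```

With the 512-byte router the log shows all three legs of the sequence (timeout, truncated reply with one of three keys, full RRset over TCP); with a router that passes 4096-byte datagrams the first EDNS0 query succeeds outright. A router that also blocks TCP/53 would leave the resolver with no path to the full DNSKEY RRset, which is the failure the .SE customers hit.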
