[dns-wg] Announcement: Test Report on DNSSEC impact on SOHO CPE

Paul Wouters paul at xelerance.com
Tue Sep 16 13:21:51 EDT 2008

On Mon, 15 Sep 2008, Ray.Bellis at nominet.org.uk wrote:

> In summary (based on 24 tested units):
> "... we conclude that just 6 units (25%) operate with full DNSSEC
> compatibility "out of the box."  9 units (37%) can be reconfigured to
> bypass DNS proxy incompatibilities.  Unfortunately, the rest (38%) lack
> reconfigurable DHCP DNS parameters, making it harder for LAN clients to
> bypass their interference with DNSSEC use.

Wow. So nothing much changed in almost a year, when this issue was first
found by .SE. I was hoping that modern DSL/wifi routers which supports
802.11n would have had fixed their firmware by now.

> These findings, their potential impact on DNSSEC use by broadband
> consumers, and implications for router/firewall manufacturers, are
> presented and analyzed in this report. "

The report is excellent. Thank you very much for sharing it with us.

I have two questions.

1) Vendor actions

    What are the vendor status and/or responses? Were they contacted? did they
    respond? Are they planning updates?

2) base OS?

    Is there a similarity in these firmwares? eg are they using the same
    DNS software inside? Perhaps the vendors are not the people we should
    be talking to? For instance, many Linux based routers use the "dnsmasq"
    software. Depending on its status, it might be worth contacting the
    upstream software provider of the commercial router vendors.


More information about the Dnssec-deployment mailing list