[dnssec-deployment] DNSSEC in Russia

Mark Andrews Mark_Andrews at isc.org
Thu Apr 2 22:01:14 EDT 2009


In message <list-17545806 at execdsl.com>, Lutz Donnerhacke writes:
> * Mark Andrews wrote:
> > DNSSEC works through routers that drop all fragments with
> > no configuration tuning.
> > DNSSEC works through routers that drop UDP responses greater
> > than 512 octets with no configuration tuning.
> 
> I personally was not that lucky. I do see timeouts in those cases.
> Tuning the resolver to EDNS0 buffer size of 1500/512 bytes helps.

	Try BIND 9.6.1b1.  It has:

2564.   [bug]           Only take EDNS fallback steps when processing timeouts.
                        [RT #19405]

	The other branches will follow as part of their maintenance
	schedules.

	I've removed the "edns-udp-size 1460;" option from named.conf
	and I sit behind a NAT that doesn't handle out of order
	fragments so I'm living with a less than perfect connection
	and really don't notice it.

	All the nameservers I use validate responses so this is not
	an academic issue for me.

	From my point of perspective there is a lot of work happening
	these days by DNS vendors to make DNSSEC both easier to use
	and reliable.  I also see the changes being passed on by
	OS vendors.

	Mark
 
> > The only case it won't work through is a router that blocks
> > EDNS + DO responses which is the minimum required to support
> > DNSSEC.
> 
> Of course. It even does not work if the equipment in the path filters out
> DNSSEC related records (like some well known open resolvers).
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org


