[dnssec-deployment] DNSSEC deployment hurdles

bert hubert bert.hubert at netherlabs.nl
Mon Aug 31 02:06:35 EDT 2009


On Mon, Aug 31, 2009 at 12:38 AM, Paul Wouters<paul at xelerance.com> wrote:
>> It turns out that BIND, which is reputed to use 'do=1' queries, and
>> should thus expose these problems, actually drops EDNS (and with it
>> the do bit) on timeouts.
>
> I hope it is more subtle than that, because else bind would be vulnerable
> to a very easy bid-down attack from dnssec to non-dnssec.

Indeed - the measurements I did were for 'the default out of the box
BIND', as shipped by Ubuntu 9.04.

If one configures a trust anchor for that version ('9.5.1.dfsg.P2'),
the behaviour is entirely different, with that version not even
falling back to TCP for secured domains in case of large packets
failing to arrive (!).

Investigating this further to see if this issue is present in current
versions of BIND. The effect of this is that in my testing setup,
which blocks fragments, BIND 9.5.1 as modified by Ubuntu, is unable to
do any DNSSEC validation at all (since it never is able to retrieve
the DNSKEY).

The reason I care is that deployers will typically "see" DNSSEC
through the glasses of their favorite resolver (BIND), and it appears
that at least in this version, no fragments means no DNSSEC. And that
means an 8-13% failure rate.

But I might be wrong, or newer versions may have fixed this behaviour.
So take it with a grain of salt.

   Bert
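As an added illustration (my own example code, not from the list post or from BIND), the wire-level difference between a DO=1 DNSKEY query and the EDNS-less retry the post describes, next to a retry policy that keeps the DO bit and shrinks the advertised UDP size instead; the 1232-byte intermediate step and the state dict are assumptions of the example.

```python
import struct

DNSKEY = 48
OPT = 41
DO_FLAG = 0x8000  # DO bit is the high bit of the OPT RR's TTL field (RFC 3225)

def build_query(qname, qtype=DNSKEY, edns=True, udp_size=4096, txid=0x1234):
    """Wire-format DNS query; edns=False omits the OPT RR (and with it the DO bit)."""
    msg = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    for label in qname.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN
    if edns:
        # OPT RR: root owner name, TYPE=OPT, CLASS=requestor's UDP payload size,
        # TTL=ext-rcode/version/DO/Z, RDLENGTH=0
        msg += b"\x00" + struct.pack(">HHIH", OPT, udp_size, DO_FLAG, 0)
    return msg

def query_has_do(msg):
    """True if the query ends in an OPT RR with DO=1 (the 11-byte trailing record)."""
    arcount = struct.unpack(">H", msg[10:12])[0]
    if arcount == 0:
        return False
    rtype, _udp_size, ttl = struct.unpack(">HHI", msg[-10:-2])
    return rtype == OPT and bool(ttl & DO_FLAG)

def legacy_retry(state, timed_out, truncated):
    """Retry behaviour the post describes for out-of-the-box BIND: a timeout
    drops EDNS, which silently turns the query into a non-DNSSEC one."""
    if timed_out:
        return dict(state, edns=False)
    if truncated:
        return dict(state, transport="tcp")
    return state

def validating_retry(state, timed_out, truncated):
    """Downgrade-resistant retry: keep EDNS/DO, lower the advertised UDP size
    (fragments are the suspected cause), and use TCP when truncated or stuck."""
    if truncated or (timed_out and state["udp_size"] <= 512):
        return dict(state, transport="tcp")
    if timed_out:
        smaller = 1232 if state["udp_size"] > 1232 else 512  # assumed step sizes
        return dict(state, udp_size=smaller)
    return state
```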
