[dnssec-deployment] DNSSEC deployment hurdles
ol at bofh.priv.at
Mon Aug 31 03:33:39 EDT 2009
bert hubert wrote:
> If one configures a trust anchor for that version ('9.5.1.dfsg.P2'),
> the behaviour is entirely different, with that version not even
> falling back to TCP for secured domains in case of large packets
> failing to arrive (!).
> Investigating this further to see if this issue is present in current
> versions of BIND. The effect of this is that in my testing setup,
> which blocks fragments, BIND 9.5.1 as modified by Ubuntu, is unable to
> do any DNSSEC validation at all (since it never is able to retrieve
> the DNSKEY).
I've no idea if this has been proposed before (or even been implemented):
What about having a DNSSEC-aware resolver query a well-known domain with
predictable answer-sizes on startup and report the results to the user?
This would be similar to what some browsers (firefox, ..) do on startup: if
they can't resolve their home domain, they tell the user that there is
probably something wrong with the Internet connectivity.
-=- Otmar Lendl -- ol at bofh.priv.at -- http://lendl.priv.at/ -=-
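One way to implement the startup self-test proposed above, as an added example that is not part of this thread and not code from BIND, PowerDNS or any other resolver: the resolver sends a DNSKEY query for a fixed zone with EDNS0 buffer sizes stepping from 512 up to 4096 bytes, then repeats the query over TCP, and reports whether large UDP answers get through and whether TCP fallback works. `PROBE_NAME` is a placeholder, not a real well-known probe zone, and `simulated_path` is a constructed stand-in for a network path (it drops queries that advertise more than a given size, as a fragment-filtering middlebox effectively does) so the logic can be exercised offline; `udp_exchange`/`tcp_exchange` are the real transports.

```python
"""Startup self-test for a DNSSEC-aware resolver: can the path deliver large
EDNS0 UDP answers, and does TCP fallback work?  Added example, not resolver code."""
import os
import socket
import struct
import sys

PROBE_NAME = "probe.example."  # placeholder: a zone whose DNSKEY answer size is known
TYPE_DNSKEY, TYPE_OPT, FLAG_TC = 48, 41, 0x0200


def build_query(name, qtype=TYPE_DNSKEY, udp_payload=4096):
    """DNS query with an EDNS0 OPT RR advertising `udp_payload` and the DO bit set."""
    qid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1 (OPT)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00" + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|DO, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0x00008000, 0)
    return qid, header + question + opt


def parse_header(msg):
    """Fields of the DNS header a resolver needs to judge a reply."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF, "ancount": an, "size": len(msg)}


def udp_exchange(server, msg, timeout=3.0):
    """One UDP query; reply bytes, or None on timeout (what a dropped fragment looks like)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None


def tcp_exchange(server, msg, timeout=3.0):
    """One TCP query with the 2-byte length prefix of RFC 1035 4.2.2; None on failure."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(msg)) + msg)
            need = struct.unpack("!H", s.recv(2))[0]
            buf = b""
            while len(buf) < need:
                chunk = s.recv(need - len(buf))
                if not chunk:
                    return None
                buf += chunk
            return buf
    except (OSError, struct.error):
        return None


def probe(name, send_udp, send_tcp, sizes=(512, 1232, 4096)):
    """Run the check; transports take the wire query and return reply bytes or None."""
    results = {}
    for size in sizes:
        qid, msg = build_query(name, udp_payload=size)
        reply = send_udp(msg)
        if reply is None:
            results[size] = "timeout"
            continue
        h = parse_header(reply)
        results[size] = "bad-id" if h["id"] != qid else "truncated" if h["tc"] else "ok"
    qid, msg = build_query(name, udp_payload=sizes[0])
    reply = send_tcp(msg)
    results["tcp"] = "ok" if reply is not None and parse_header(reply)["id"] == qid else "failed"
    return results


def diagnose(results):
    """Turn probe results into the one-line verdict to report at startup."""
    sizes = sorted(k for k in results if isinstance(k, int))
    ok_sizes = [s for s in sizes if results[s] == "ok"]
    if all(results[s] == "timeout" for s in sizes):
        verdict = "no UDP DNS replies at all"
    elif results[sizes[-1]] == "ok":
        verdict = "large UDP answers arrive (%d bytes advertised)" % sizes[-1]
    elif results[sizes[-1]] == "timeout" and ok_sizes:
        verdict = "UDP answers lost above %d bytes; fragments are probably dropped on the path" % max(ok_sizes)
    else:
        verdict = "largest UDP probe returned %s" % results[sizes[-1]]
    if results.get("tcp") != "ok":
        verdict += "; TCP fallback failed, so DNSSEC validation will not work"
    return verdict


def simulated_path(drop_above=None):
    """Constructed offline stand-in: replies to every query with a matching id,
    but silently drops queries advertising more than `drop_above` bytes."""
    def send(msg):
        advertised = struct.unpack("!H", msg[-8:-6])[0]  # CLASS field of the trailing OPT RR
        if drop_above is not None and advertised > drop_above:
            return None
        qid = struct.unpack("!H", msg[:2])[0]
        return struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 1) + msg[12:]
    return send


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    res = probe(PROBE_NAME, lambda m: udp_exchange(server, m), lambda m: tcp_exchange(server, m))
    print(res, diagnose(res), sep="\n")
```

Run against a real server with `python3 selftest.py <server-ip>`; a path that drops fragments typically shows the 4096-byte probe timing out while the smaller ones succeed, and a resolver that also cannot reach port 53/TCP is the situation described earlier in the thread where no DNSKEY can ever be fetched. Which sizes give a truthful answer depends on the probe zone actually returning an answer larger than each advertised buffer, so the zone must be chosen (and kept) with that in mind.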