Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: in-addr.arpa server problems for europe?

  • From: Steven Bellovin
  • Date: Mon Feb 15 13:11:57 2010

On Feb 15, 2010, at 1:01 PM, Seth Mattinen wrote:

> On 2/15/10 9:21 AM, Tony Finch wrote:
>> On Mon, 15 Feb 2010, Mark Scholten wrote:
>>> 
>>> I've seen problems that are only there because of DNSSEC, so if there is a
>>> problem starting with trying to disable DNSSEC could be a good idea. As long
>>> as not all rootzones are signed I don't see a good reason to use DNSSEC at
>>> the moment.
>> 
>> You realise that two of them are signed now and the rest will be signed by
>> 1st July?
>> 
> 
> 
> Which means now is a good time to find and fix brokenness, not hope that
> DNSSEC will go away.

Right.

Apart from implementations that just can't handle funky RR types in the response -- firewalls, perhaps?  see RFC 2979, especially the transparency rule -- a lot of the trouble is caused by the reply size.  The code should either use EDNS0 or fall back to TCP -- and lots of folks have broken firewall configs that don't allow TCP 53, even though it's been in the spec since 1984 or thereabouts.

		--Steve Bellovin, http://www.cs.columbia.edu/~smb
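
The client behaviour the message asks for (advertise a larger UDP payload with EDNS0, and retry over TCP 53 when the reply comes back truncated), as an added example that is not part of the original post. The function names, the query ID and the sample query are constructed for illustration.

```python
import struct

TC_FLAG = 0x0200   # "truncated" bit in the DNS header flags word
TYPE_OPT = 41      # EDNS0 pseudo-RR type
DO_BIT = 0x8000    # "DNSSEC OK" flag, carried in the OPT record's TTL field


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, qid, edns_size=None, dnssec_ok=False):
    """Build a DNS query; when edns_size is set, append an OPT RR advertising it."""
    arcount = 1 if edns_size else 0
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD=1, one question
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)      # class IN
    if edns_size:
        flags = DO_BIT if dnssec_ok else 0
        # OPT RR: root owner name, TYPE=41, CLASS=UDP payload size, TTL=flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, flags, 0)
    return msg


def tcp_frame(msg):
    """DNS over TCP prefixes every message with its length as two bytes."""
    return struct.pack("!H", len(msg)) + msg


def after_udp_reply(reply, qid):
    """Decide what to do with a UDP reply: accept it, discard it, or retry over TCP."""
    if len(reply) < 12:
        return "discard"                     # shorter than a DNS header
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != qid:
        return "discard"                     # not an answer to our query
    return "retry_tcp" if flags & TC_FLAG else "accept"
```

A firewall that drops TCP 53 breaks the `retry_tcp` branch, so a truncated answer can never be completed.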









