DNSSEC May Cause Problems On May 5

An anonymous reader notes the coming milestone of May 5, at 17:00 UTC — at this time DNSSEC will be rolled out across all 13 root servers. Some Internet users, especially those inside corporations and behind smaller ISPs, may experience intermittent problems. The reason is that some older networking equipment is preconfigured to block any reply to a DNS request that exceeds 512 bytes in size. DNSSEC replies are typically four times as large. "DNSSEC is in fact already rolled out across most of the world's 13 root servers. ... But to date ... it would only have resulted in a slight lag in the loading of a web page for those with outdated network equipment. The beauty of DNS is that should a request made to one root server not receive a response, the DNS resolver on a user's machine simply makes the same request along the line of the 13 root servers until it gets a satisfactory response. But on May 5, once all 13 root servers are live with the DNSSEC signatures, responses from all 13 root servers won't make it back inside the corporate LAN on some older systems. ... The problem may take several days to surface and be inconsistent from one user's PC to the next. A user at one machine who hasn't switched on his PC for two or three days will have no access to the Internet. A user who left his machine on the night before will have some pages — and responses from DNS servers — cached on his machine, and will still have connectivity." The article links a test site you can use ahead of time to check for any problems.

So what do I do?

[OzPeter]

I ran the command on the test page and the results are

>>dig +short rs.dns-oarc.net txt
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"68.87.73.244 DNS reply size limit is at least 490"
"68.87.73.244 lacks EDNS, defaults to 512"
"Tested at 2010-04-30 13:42:26 UTC"

According to the test page this seems to mean that Comcast doesn't support EDSL (at the moment). So the big question is:
What can I do - aside from praying that Comcast will get their shit together by next week?

Upgrade or die

[K2tech]

This should force any and all companies or ISPs to upgrade (read MAINTAIN) their systems. Too many organizations install systems and them let them rot expecting them to run forever without so much as a thought or care for maintenance. This problem extends to the point that some companies have a system so long and have no documentation on it, that when there is a problem, they have NO knowledge of the system. I'm glad we are finally implementing some form of security DNS. Let this expose the any problems or issues smaller companies/ISPs have. It will force them to actually do something about it. Hopefully that in turn will make them look at other systems/processes within their organization.

Re:So what do I do?

[Anonymous Coward]

Can I get those instructions in windows?

No seriously!

Odd results?

[Aladrin]

At work, using my ISP's DNS, I'm getting a timeout.

At home, using Google's DNS, I'm getting a blank string back.

Those 2 aren't even covered by the linked page. Any idea what they mean?

What does DNSSEC mean for ISPs that mess wtih DNS?

[jonwil]

Does DNSSEC mean that an ISP with a caching DNS server that returns an IP address other than the correct IP address cant do it anymore (i.e. clients that support DNSSEC will respond with an error)?
Does DNSSEC do anything about NXDOMAIN fiddling? (are there any proposals out there that would allow users to get around ISPs that point NXDOMAIN at ad-laden ISP search pages or is using a non-ISP caching DNS server the only option here?)

Re:What does DNSSEC mean for ISPs that mess wtih D

[phantomcircuit]

DNS clients that request Authenticated Data will be able to detect that the response is not authentic. So it depends on how the DNS client handles that situation.

Possibly the ISP could fake there being no DNS servers supporting DNSSEC available and convince the client to accept the un-signed version. I suspect that turning on DNSSEC on all the root servers is specifically designed to stop this though.