On Apr 14 2010, Bill Perry wrote:
>Being someone in a smallish 6th Form College I have been monitoring
>this list for a while but didn't see anything that I thought would
>affect us in the short term, until I saw this article today
>http://www.theregister.co.uk/2010/04/13/dnssec/
There is a certain flavour of FUD there: "Internet users face the risk
of losing their internet connections on 5 May when the domain name
system switches over to a new, more secure protocol."
What actually happens on 5 May (if the current schedule is followed,
see http://www.root-dnssec.org/ for details) is that the last root
nameservers will convert to using DURZ. That means that *if* you
send them DNS queries with the DO bit set ("DNSSEC OK" = "include
signatures on your reply if you have them") *then* you will get
reply packets bigger than 512 bytes, which may not get through to
you *if* you have defective software or hardware in the way.
But there are already other authoritative nameservers around that
do that. For example, responses from Nominet's nameservers for "uk"
that give a referral to "ac.uk", in response to a query with DO=1,
are already over 670 bytes because they include the signatures
proving that there is no signed delegation for "ac.uk".
Still, it's always a good idea to check that you can receive large
DNS responses - I'll remind everyone of
https://www.dns-oarc.net/oarc/services/replysizetest
that Tony Finch mentioned on this list some time ago.
>Further to Chris's request for an update on the status of DNSSEC
>within JANET connected sites and specifically how this could affect
>FE Colleges. Is there any advice on what we have to do specifically
>if you use Windows servers and DNS resolvers.
>
>I have run the Java test detailed within the article and we are
>not DNSSEC enabled at present.
BIND acting as a recursive nameserver sends queries with DO=1 if
the "dnssec-enable yes" option is set, which has been the default
for many releases now. I'm afraid I don't know if/when Microsoft
DNS Server does that, when performing the same function.
Of course, I would like to hear (anything, really) from JANET
about their plans ...
--
Chris Thompson
University of Cambridge Computing Service, New Museums Site, Cambridge CB2 3QH, United Kingdom
Email: [log in to unmask]
Phone: +44 1223 334715
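The reply-size check mentioned in the message above can also be done by hand. The script below is an added example, not part of the original post or of the DNS-OARC test: it builds a DNS query carrying an EDNS0 OPT record with the DO bit set, sends it to a resolver of your choice and reports the reply length and whether the TC (truncated) bit is set. The query name "ac.uk", the 4096-byte advertised UDP size and the NS query type are assumptions; any name the resolver returns a large answer for will do.

```python
import random
import socket
import struct

DO_FLAG = 0x8000  # "DNSSEC OK" bit in the OPT record's extended-flags field
TC_BIT = 0x0200   # "truncated" bit in the DNS header flags


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=2, txid=0x1234, udp_size=4096, do=True):
    """DNS query (default type NS) with an EDNS0 OPT record advertising udp_size and DO."""
    # Header: id, flags (RD only), 1 question, 0 answer, 0 authority, 1 additional (the OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, class = UDP payload size,
    # TTL = extended rcode/version/flags (DO lives in the flags), rdlength 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, DO_FLAG if do else 0, 0)
    return header + question + opt


def inspect_response(data, txid):
    """Return (length, truncated) for a raw UDP response; reject a mismatched ID."""
    if len(data) < 12:
        raise ValueError("response shorter than a DNS header")
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    return len(data), bool(flags & TC_BIT)


def check_large_responses(server, name="ac.uk", timeout=3.0):
    """Send one DO=1 query over UDP and report what came back.

    A reply over 512 bytes with TC clear means large responses reach you;
    TC=1 means the server fell back to a small packet (clients then retry
    over TCP); a socket.timeout suggests something in the path drops big
    DNS packets, which is the failure the article worries about.
    """
    txid = random.getrandbits(16)  # fresh ID per query, as a resolver would use
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(65535)
    return inspect_response(data, txid)
```

Run `check_large_responses("192.0.2.53")` (substitute your own recursive resolver's address) to see the size of the reply it returns with DO=1.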