SANS ISC: DNSSEC...not a bang but a whimper? SANS ISC InfoSec Forums

Tonight is the night that DNSSEC is enabled between the DNS root servers. I am not going to go into detail since the good people at the other ISC have already done a wonderful job of that in their posting.

Lots of the usual hype in the usual places, including The Register, Slashdot, etc. The fact is that this really only affects the way your ISP's DNS servers talk to the root servers. I suspect most users are using their ISP's DNS servers, which will continue to talk to their customers the old way. It may cause problems for some users who are hosting their own DNS servers behind antiquated firewalls, but for the most part this will be a non-event.

What I find interesting is that, using the resolver test at RIPE, my OpenDNS-provided resolvers fail.

Hopefully that will be fixed before the big event.


-- Rick Wanner - rwanner at isc dot sans dot org


324 Posts
ISC Handler
May 4th 2010
The test tools provided by RIPE etc. imply that there will be problems if your DNS server doesn't support EDNS. I think this is the source of all the fear about DNS dying. OpenDNS have published a statement about this also. I feel RIPE etc. have misled people with regard to this, as lack of EDNS actually just means you won't use DNSSEC and will continue to use standard DNS.

Windows 2003 SP2

Added HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
EDNSCacheTimeout DWORD 3600
EnableEDNSProbes DWORD 1

(As suggested by Help > Modify EDNS0 configuration)

After doing so (and restarting the DNS service), the test program failed:

I was unable to run the test because of an internal software error. This could be caused by restrictions of the Java virtual machine on your system.

The test did NOT fail prior to these changes.

The registry change was reverted (deleted the two new DWORDs) and the "Your resolver was only able to get packets SMALLER than 512 bytes." message was again received by the test program.

1 Posts
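An added example, not part of the diary or its comments, showing what a resolver test of this kind does on the wire: it sends a query carrying an EDNS0 OPT record (with the DO bit set, as a DNSSEC-aware validator would) and then parses the reply to see whether an OPT record came back, what UDP buffer size the resolver advertises, and how large the answer was. A resolver that lacks EDNS simply answers with plain DNS and no OPT record, which is the point made in the comment above. The resolver address passed to `probe()`, the name `example.com`, and the 192.0.2.1 address and 1232-byte buffer in the constructed reply are assumptions.

```python
import socket
import struct

def build_query(qname, txid=0x1234, udp_payload=4096, do_bit=True):
    """DNS A/IN query for qname with an EDNS0 OPT RR advertising udp_payload bytes."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack(">HH", 1, 1)
    # OPT: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|flags (DO = bit 15)
    opt = b"\x00" + struct.pack(">HHIH", 41, udp_payload, 0x8000 if do_bit else 0, 0)
    return header + question + opt

def _skip_name(msg, off):  # advance past a (possibly compressed) name, return next offset
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_edns(msg):
    """Summarise an answer: size, RCODE, whether an OPT RR came back, and its fields."""
    flags, qd, an, ns, ar = struct.unpack(">HHHHH", msg[2:12])
    info = {"size": len(msg), "rcode": flags & 0xF, "edns": False, "udp_payload": 512, "do": False}
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:  # OPT: CLASS is the sender's buffer size, TTL holds version/flags
            info.update(edns=True, udp_payload=rclass, do=bool(ttl & 0x8000))
            info["rcode"] |= (ttl >> 24) << 4  # extended RCODE upper bits
    return info

def probe(resolver, qname="example.com", timeout=3.0):  # live check against one resolver
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (resolver, 53))
        return parse_edns(s.recv(65535))

def sample_response(with_opt=True):
    """Constructed reply to build_query('example.com'): A 192.0.2.1, OPT RR optional."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1 if with_opt else 0)
    question = b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack(">HHIH", 41, 1232, 0x8000, 0) if with_opt else b""
    return header + question + answer + opt
```

Run `parse_edns(sample_response())` offline to see the shape of the result, or `probe("<resolver address>")` against a resolver you operate; a reply with `edns` false and a size under 512 bytes is what the "SMALLER than 512 bytes" message in the comment above corresponds to.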
Exception, as far as I understand with this test you need to run it through a Windows Server. I do not currently have a server so the tests run fine except that there is no DNSSEC and no EDNS.

13 Posts