nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: in-addr.arpa server problems for europe?

From: Steven Bellovin <smb () cs columbia edu>
Date: Mon, 15 Feb 2010 13:10:21 -0500

On Feb 15, 2010, at 1:01 PM, Seth Mattinen wrote:


On 2/15/10 9:21 AM, Tony Finch wrote:

On Mon, 15 Feb 2010, Mark Scholten wrote:


I've seen problems that are only there because of DNSSEC, so if there is a
problem starting with trying to disable DNSSEC could be a good idea. As long
as not all rootzones are signed I don't see a good reason to use DNSSEC at
the moment.


You realise that two of them are signed now and the rest will be signed by
1st July?




Which means now is a good time to find and fix brokenness, not hope that
DNSSEC will go away.


Right.

Apart from implementations that just can't handle funky RR types in the response -- firewalls, perhaps?  see RFC 2979, 
especially the transparency rule -- a lot of the trouble is caused by the reply size.  The code should either use EDNS0 
or fall back to TCP -- and lots of folks have broken firewall configs that don't allow TCP 53, even though it's been in 
the spec since 1984 or thereabouts.

                --Steve Bellovin, http://www.cs.columbia.edu/~smb
Previous By Date Next
Previous By Thread Next

Current thread: