Koozali.org: home of the SME Server

DNSSEC From 5 May 2010

Offline StuC

DNSSEC From 5 May 2010
« on: April 16, 2010, 11:14:39 AM »
I was wondering what impact if any DNSSEC would have on SME server boxes and clients behind (or just using for DNS).
My understanding is sketchy and searching didn't seem to bring up anything.
Using the Java test from Ripe I get "Your resolver was only able to get packets SMALLER than 512 bytes" result so I assume that means using a SME 7.4 box as local DNS will currently not support DNSSEC replies but I'm not really sure if that is a problem on a local network or how the traffic further up the chain is authenticated.

I'm also a bit surprised how little chatter there is on this impending change...

www.theregister.co.uk/2010/04/13/dnssec/

Offline CharlieBrady

Re: DNSSEC From 5 May 2010
« Reply #1 on: April 16, 2010, 04:38:52 PM »
http://cr.yp.to/djbdns/notes.html

My interpretation of this is that dnscache will receive a < 512 byte UDP reply with the TC bit set, which indicates that the response has been truncated. It will then perform a TCP query, which will handle the larger response.

There's a simple patch available for dnscache to have it accept oversize responses:

http://marc.info/?l=djbdns&m=122368590802063&w=2

However, it looks to me that servers should never send > 512 byte UDP responses, unless the client indicated via EDNS0 options that it was prepared to receive such a response. See:

http://tools.ietf.org/rfc/rfc2671.txt

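Charlie's point above (an answer that does not fit in 512 bytes arrives as a short UDP reply with the TC bit set, and the client then repeats the query over TCP, unless it advertised a larger buffer with an EDNS0 OPT record) as an added example, not code from the thread or from dnscache: a minimal Python encoder/decoder for the parts of the DNS message involved. The query name is the one used by the reply-size test quoted later in the thread; the truncated response bytes are constructed.

```python
import struct

OPT = 41  # EDNS0 pseudo-RR type (RFC 2671)

def encode_name(name):
    """Wire-format owner name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def build_query(name, qtype=16, txid=0x1234, edns_bufsize=None):
    """DNS query (RFC 1035). With edns_bufsize an OPT record advertises that UDP
    payload size; without one the server must fit the reply in 512 bytes or set TC."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_bufsize else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if edns_bufsize:
        # root owner name, TYPE=OPT, CLASS carries the payload size, TTL=0, RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", OPT, edns_bufsize, 0, 0)
    return msg

def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "arcount": ar}

def advertised_udp_size(query):
    """UDP payload size the client's OPT record advertises, or 512 when it sent none."""
    h, pos = parse_header(query), 12
    for _ in range(h["qdcount"]):            # skip the question section
        while query[pos] != 0:               # no compression pointers in a query
            pos += query[pos] + 1
        pos += 1 + 4                         # terminator, QTYPE, QCLASS
    if h["arcount"] and query[pos] == 0:     # OPT always has the root owner name
        rtype, size = struct.unpack("!HH", query[pos + 1:pos + 5])
        if rtype == OPT:
            return size
    return 512

def plan_udp_reply(response, expected_id):
    """Decide what to do with a UDP reply: TC set means repeat the query over TCP."""
    h = parse_header(response)
    if h["id"] != expected_id or not h["qr"]:
        return "discard"                     # not the answer we asked for
    return "retry_tcp" if h["tc"] else "use_answer"

# Constructed sample reply: our own question echoed back with QR, TC, RD and RA set
# and no answer records, i.e. what an oversize answer looks like to a non-EDNS client.
QUERY = build_query("rs.dns-oarc.net", qtype=16)
TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]
```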

Offline CharlieBrady

Re: DNSSEC From 5 May 2010
« Reply #2 on: April 16, 2010, 04:58:25 PM »
For a simpler answer, dnscache (used in SME server) does not send DNSSEC enabled queries, and does not need to be able to handle responses to such queries.

Dan Bernstein, the author of the very excellent dnscache and tinydns programs, has for a long time been a very vocal critic of DNSSEC. See, for instance:

http://cr.yp.to/djbdns/forgery.html
http://cr.yp.to/djbdns/forgery-cost.txt
http://www.google.ca/search?q=DNSSEC+djb+cr.yp.to

Offline StuC

Re: DNSSEC From 5 May 2010
« Reply #3 on: April 16, 2010, 05:24:38 PM »
Thanks Charlie, will go through those; looks like it's been ongoing for a while (blast, posted this by mistake - where is the delete button....)
I assumed that a Linux based server (and gateway) will be better placed to survive the change than most, but many SMEs are behind routers of various makes and firmware that do not recognise or handle the flags properly. I think despite the origins in the mists of time DNSSEC has fallen off the radar of a few router brands.
One reason for my post is to lay some search crumbs for others come May.

I saw the router tests posted on the Nominet site, few if any well known brands were set-up to fully support it on original firmware so if you are using SME behind a router
DNSSEC problems "could" be limited by updating router firmware prior to May 2010
(on the assumption that it's better to do it when you can than when people are screaming "farcebook is down!!!").

>>CORRECTION after reading the previous post: if SME does not use or need DNSSEC traffic then it won't be an issue, but may still affect other networks who just have SME on the network but not handling DNS.

Will be interesting to see what new exploits come about by allowing greater UDP packet size, I give it a couple of weeks into May ;-)

« Last Edit: April 16, 2010, 05:42:57 PM by StuC »

Offline StuC

Re: DNSSEC From 5 May 2010
« Reply #4 on: April 16, 2010, 05:28:42 PM »
Sorry managed to hit some stupid extra button on this cheap keyboard while composing a reply.
Will have a proper look at the links now, thanks for pointing me in the right direction, the router tests had got me a bit spooked.

Offline styx

Re: DNSSEC From 5 May 2010
« Reply #5 on: May 03, 2010, 02:56:18 PM »
What do you think about this?
https://www.dns-oarc.net/oarc/services/replysizetest

Code:
root@smebox:~ # dig +short rs.dns-oarc.net txt
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"x.x.x.x DNS reply size limit is at least 490"
"x.x.x.x lacks EDNS, defaults to 512"
"Tested at 2010-05-03 12:43:52 UTC"

SME 7.2 and upgraded this:
Code:
djbdns.i386                              1.05-8.el4.sme         installed
e-smith-tinydns.noarch                   2.0.0-1.el4.sme        installed
e-smith-dnscache.noarch                  2.0.0-1.el4.sme        installed

Offline CharlieBrady

Re: DNSSEC From 5 May 2010
« Reply #6 on: May 03, 2010, 02:58:47 PM »
Quote
What do you think about this?

I've already provided a complete and concise reply in this thread:

http://forums.contribs.org/index.php/topic,45831.msg223613.html#msg223613

Offline Stefano

Re: DNSSEC From 5 May 2010
« Reply #7 on: May 03, 2010, 03:18:14 PM »

Quote
SME 7.2 and upgraded this:
Code:
djbdns.i386                              1.05-8.el4.sme         installed
e-smith-tinydns.noarch                   2.0.0-1.el4.sme        installed
e-smith-dnscache.noarch                  2.0.0-1.el4.sme        installed

I think that if you are running an SME 7.2 you should upgrade asap

Offline cactus

Re: DNSSEC From 5 May 2010
« Reply #8 on: May 03, 2010, 03:37:09 PM »
Quote
I think that if you are running an SME 7.2 you should upgrade asap
But that will not change the result of the test AFAICT as my current 7.4 returns the same. I still have to study Charlie's links to see what that might mean. My guess is he might be right, due to the low amount of buzz on this around on the internet.

Offline Stefano

Re: DNSSEC From 5 May 2010
« Reply #9 on: May 03, 2010, 04:15:10 PM »
Quote
But that will not change the result of the test AFAICT as my current 7.4 returns the same.

indeed.. mine was only a strong advice to styx

Offline styx

Re: DNSSEC From 5 May 2010
« Reply #10 on: May 03, 2010, 04:24:46 PM »
Quote
indeed.. mine was only a strong advice to styx
It's a well working production server mixed with php5 and mysql5.x, I'm gonna upgrade/reinstall when 8.0 comes out.
Thanks for the advice ;)
I'm investigating this situation and building FO plans.
Thanks.

Offline Stefano

Re: DNSSEC From 5 May 2010
« Reply #11 on: May 03, 2010, 04:29:55 PM »
Quote
It's a well working production server mixed with php5 and mysql5.x, I'm gonna upgrade/reinstall when 8.0 comes out.
Thanks for the advice ;)
I'm investigating this situation and building FO plans.
Thanks.

I hope you are not using email/AV features

Offline styx

Re: DNSSEC From 5 May 2010
« Reply #12 on: May 03, 2010, 04:32:40 PM »
Quote
I hope you are not using email/AV features
File scanning only, I manually update the engine periodically.

Offline purvis

Re: DNSSEC From 5 May 2010
« Reply #13 on: August 07, 2010, 08:41:36 PM »
i am writing this with an iphone, sorry about the poor writing.

I had problems with dnssec.
Because i am experiencing various problems concerning internet access and communication.
I never understood DNS until recently. I just did not get it before and wished not to bother with it
Until we started having dsl problems with AT&T.
We are having router issues also.
At one location, because the problems are of a multiple state, it is hard to identify what is not working correctly and causing what problem. AT&T must be a lot of the problems. They were down for 5 days and something smells awfully fishy.

But to solve a few problems. Here is what i did.
I had to change the setting inside a Netgear router to tell it not to stop an internet attack of various sorts.
At another location, still with AT&T DSL service, I have an SME server operating in server mode. It could not update.
So yesterday I went to the server and ran the suggested dig test.
It reported back the 512 as an above post showed
Because i had the server to point to the router by leaving a field blank or typing in my router's ip address on the correct screen this 512 is what i got.
To increase the size from 512 to 4096, what i did was put my dsl
service's dns ip address in place of the blank or routers ip address.

Now my sme server is updating properly by now getting the dns lookups.
I have now learned my lesson and on all equipment to never to use the router's ip address for dns.

I do have a question on entering multiple DNS IP addresses.

Do I just place all my DNS IP addresses separated by a comma?

If enough people find this solving their problems and can do a better job of explaining this stuff, please put up an article in the wiki.
« Last Edit: August 08, 2010, 12:59:30 AM by purvis »

Offline CharlieBrady

Re: DNSSEC From 5 May 2010
« Reply #14 on: August 08, 2010, 01:02:47 AM »
Quote
I had problems with dnssec.

Do not hijack this old thread. If you have a problem with the SME server software, open a report in the bug tracker.

Offline purvis

Re: DNSSEC From 5 May 2010
« Reply #15 on: August 09, 2010, 06:35:44 PM »
This seemed to be the appropriate place to post what needed to be said.
The readers needed some background on what had already been posted.

This is no bug as far as i am concerned
it is about altering the setup of sme that may improve the way dns lookups are made by not pointing to the router.
 

Offline CharlieBrady

Re: DNSSEC From 5 May 2010
« Reply #16 on: August 12, 2010, 06:16:07 AM »
Quote
it is about altering the setup of sme that may improve the way dns lookups are made by not pointing to the router.

So don't point to the router. SME server doesn't need to be pointed to anything for dns lookups (and this is true regardless of any DNSSEC changes from 5 May 2010).

Offline purvis

Re: DNSSEC From 5 May 2010
« Reply #17 on: August 12, 2010, 10:01:54 PM »
I am going to do some more testing of my setting today and see what happens.
My machines are all running in server mode.

Charlie, after reviewing some posts, I do not understand how your last comment can work.
Do you care to explain.
And because i might want to put in my own dns servers, what would be the format to put in multiple dns servers on the same line during the configuration process of the server.
Thanks.

Offline janet

Re: DNSSEC From 5 May 2010
« Reply #18 on: August 13, 2010, 01:05:27 AM »
purvis

Quote
And because i might want to put in my own dns servers...

I think that is the point Charlie is making. SME server is very capable of doing DNS resolving all on its own, and you do not need to enter any DNS servers.
It has been said many times in these forums, and IIRC it even suggests to leave those fields blank when running the server configuration steps.

Search the forums on DNS for previous answers.

Offline Dan York

Re: DNSSEC From 5 May 2010
« Reply #19 on: January 12, 2012, 02:33:02 PM »
For the sake of completeness, as I have a personal interest in getting a DNSSEC-aware resolver to work on SME Server, I will update this older thread with a few links from January 2011 about djb and DNSSEC:

http://vimeo.com/18417770 - video of djb's talk at the 27th CCC ripping into DNSSEC and talking about his own proposed DNSCurve

http://dankaminsky.com/2011/01/05/djb-ccc/ - where Dan Kaminsky goes into great detail refuting many of the points that djb brings up (the comments are useful to read, too)

http://marc.info/?l=djbdns&m=129434351607605&w=2 - where djb refutes one of Dan K's points and dismisses much of that blog post as riddled with errors

http://dankaminsky.com/2011/01/07/cachewars/ - where Dan K responds

The net result of all of that is simply this -> I do not expect that we will ever see a DNSSEC implementation in djb's dnscache.

This is unfortunate as there is now (Jan 2012, a year after all those talks) much greater momentum behind DNSSEC - most of the major TLDs have signed their zones and each week brings news of more ccTLDs signing their zones. Comcast just made a huge announcement here in the US making DNSSEC-aware DNS resolvers available to their ~18 million customers. Many companies are looking into signing their domains.... and the movement continues...

However, djb's opinion of DNSSEC is EXTREMELY clear and for that reason I would not expect changes to dnscache.

For those of us who want DNSSEC, other options for DNS servers that support DNSSEC exist, of course, such as the Unbound name server ( http://unbound.net/ ) but that would involve more modification to SME Server than I personally am interested in undertaking.  So... no DNSSEC for now...



Offline CharlieBrady

Re: DNSSEC From 5 May 2010
« Reply #20 on: January 12, 2012, 03:17:39 PM »
Quote
For the sake of completeness, as I have a personal interest in getting a DNSSEC-aware resolver to work on SME Server, I will update this older thread with a few links from January 2011 about djb and DNSSEC:

Hi Dan! Thanks for doing this research and posting the summary here.

Quote
The net result of all of that is simply this -> I do not expect that we will ever see a DNSSEC implementation in djb's dnscache.

Certainly not by djb himself. dnscache has been placed in the public domain, so in theory somebody else could hack on dnscache and add DNSSEC. Not likely, but possible.

Quote
For those of us who want DNSSEC, other options for DNS servers that support DNSSEC exist, of course, such as the Unbound name server ( http://unbound.net/ ) but that would involve more modification to SME Server than I personally am interested in undertaking.  So... no DNSSEC for now...

I agree with you that Unbound looks the best candidate for this.

Offline chris burnat

Re: DNSSEC From 5 May 2010
« Reply #21 on: January 14, 2012, 12:49:19 AM »
Moving to General Discussions
- chris