Topic: DNSSEC From 5 May 2010

[StuC]

I was wondering what impact if any DNSSEC would have on SME server boxes and clients behind (or just using for DNS).
My understanding is sketchy and searching didn't seem to bring up anything.
Using the Java test from Ripe I get "Your resolver was only able to get packets SMALLER than 512 bytes" result so I assume that means using a SME 7.4 box as local DNS will currently not support DNSSEC replies but I'm not really sure if that is a problem on a local network or how the traffic further up the chain is authenticated.

I'm also a bit surprised how little chatter there is on this impending change...

www.theregister.co.uk/2010/04/13/dnssec/

[CharlieBrady]

http://cr.yp.to/djbdns/notes.html

My interpretation of this is that dnscache will receive a < 512 byte UDP reply with the TC bit set, which indicates that the response has been truncated. It will then perform a TCP query, which will handle the larger response.

There's a simple patch available for dnscache to have it accept oversize responses:

http://marc.info/?l=djbdns&m=122368590802063&w=2

However, it looks to me that servers should never send > 512 byte UDP responses, unless the client indicated via EDNS0 options that it was prepared to receive such a response. See:

http://tools.ietf.org/rfc/rfc2671.txt

[CharlieBrady]

For a simpler answer, dnscache (used in SME server) does not send DNSSEC enabled queries, and does not need to be able to handle responses to such queries.

Dan Berstein, the author of the very excellent dnscache and tinydns programs, has for a long time been a very vocal critic of DNSSEC. See, for instance:

http://cr.yp.to/djbdns/forgery.html
http://cr.yp.to/djbdns/forgery-cost.txt
http://www.google.ca/search?q=DNSSEC+djb+cr.yp.to

[StuC]

Thanks Charlie, will go through those looks like it been on going for while (blast posted this by mistake -where is the delete button....)
I assumed that a Linux based server (and gateway) will be better placed to survive the change than most but many SMEs are behind routers of various makes and firmware tha to do not recognise or handle the flags properly, I think despite the origins in the mists of time DNSSEC has fallen off the radar of a few router brands.
One reason for my post is to lay some search crumbs for others come May.

I saw the router tests posted on the Nominet site, few if any well known brands were set-up to fully support it on original firmware so if you are using SME behind a router
DNSSEC problems "could" be limited by updating router firmware prior to May 2010
(on the assumption that its better to do it when you can than when people are screaming "farcebook is down!!!").

>>CORRECTION after reading the previous post if SME does not use or need DNSSEC traffic then it wont be an issue but may still affect other networks who just have SME on the network but not handling DNS.

Will be interesting to see what new exploits come about by allowing greater UDP packet size, I give it a couple of weeks into May

[StuC]

Sorry managed to hit some stupid extra button on this cheap keyboard while composing a reply.
Will have a proper look at the links now, thanks for pointing me in the right direction, the router tests had got me a bit spooked.

[styx]

What do you think about this?
https://www.dns-oarc.net/oarc/services/replysizetest

Code: [Select]

root@smebox:~ # dig +short rs.dns-oarc.net txt
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"x.x.x.x DNS reply size limit is at least 490"
"x.x.x.x lacks EDNS, defaults to 512"
"Tested at 2010-05-03 12:43:52 UTC"
SME 7.2 and upgraded this:

Code: [Select]

djbdns.i386                              1.05-8.el4.sme         installed
e-smith-tinydns.noarch                   2.0.0-1.el4.sme        installed
e-smith-dnscache.noarch                  2.0.0-1.el4.sme        installed

[CharlieBrady]

What do you think about this?

I've already provided a complete and concise reply in this thread:

http://forums.contribs.org/index.php/topic,45831.msg223613.html#msg223613

[Stefano]

SME 7.2 and upgraded this:

Code: [Select]

djbdns.i386                              1.05-8.el4.sme         installed
e-smith-tinydns.noarch                   2.0.0-1.el4.sme        installed
e-smith-dnscache.noarch                  2.0.0-1.el4.sme        installed

I think that if you are running a SME 7.2 you should upgrade asap

[cactus]

I think that if you are running a SME 7.2 you should upgrade asap

But that will not change the result of the test AFAICT as my current 7.4 returns the same. I still have to study Charlie's links to see what that might mean. My guess is he might be right, due to the low amount of buzz on this around on the internet.

[Stefano]

But that will not change the result of the test AFAICT as my current 7.4 returns the same.

indeed.. mine was only a strong advice to styx

[styx]

indeed.. mine was only a strong advice to styx

It's a well working production server mixed with php5 and mysql5.x, I'm gonna upgrade/reinstall when 8.0 comes out.
Thanks the advice ;)
I'm investigating this situation and building FO plans.
Thanks.

[Stefano]

It's a well working production server mixed with php5 and mysql5.x, I'm gonna upgrade/reinstall when 8.0 comes out.
Thanks the advice
I'm investigating this situation and building FO plans.
Thanks.

I hope you are not using email/AV features

[styx]

I hope you are not using email/AV features

File scanning only, I manually update the engine periodically.

[purvis]

i am writing this with an iphone, sorry about the poor writing.

I had problems with dnssec.
Because i am experiencing various problems concerning internet access and communication.
I never understood DNS until recently. I just did not get it before and wished not to bother with it
Until we started having dsl problems with AT&T.
We are having router issues also.
At one location, bc the problems are of a multiple state. It is hard to identify what is not working correctly and causing what problem. AT&T must be a lot of the problems. They where diwn for 5 days and something smells awefull fishy.

But to solve a few problems. Here is what i did.
I had to change the setting inside a netgear router to tell it not stop a internet attack of various sorts.
At another location, still wth att dsl service, i have a sme server operating in server mode.  It could not update.
So yesterday i went to the sever and ran the suggested dig test.
It reported back the 512 as an above post showed
Because i had the server to point to the router by leaving a field blank or typing in my router's ip address on the correct screen this 512 is what i got.
To increase the size from 512 to 4096, what i did was put my dsl
service's dns ip address in place of the blank or routers ip address.

Now my sme server is updating properly by now getting the dns lookups.
I have now learned my lesson and on all equipment to never to use the router's ip address for dns.

I do have a question on entering mutiple dns ip addresses.

Do i just place all my dns ipaddresses separated by a comma?

If enough people find this solving their problems and can do a better job of explaining this stuff. Please put up a articale in wiki.

[CharlieBrady]

I had problems with dnssec.

Do not hijack this old thread. If you have a problem withe SME server software, open a report in the bug tracker.