[122489] in North American Network Operators' Group
Re: in-addr.arpa server problems for europe?
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Mon Feb 15 13:11:53 2010
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <4B798BEE.6010206@rollernet.us>
Date: Mon, 15 Feb 2010 13:10:21 -0500
To: Seth Mattinen <sethm@rollernet.us>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Feb 15, 2010, at 1:01 PM, Seth Mattinen wrote:
> On 2/15/10 9:21 AM, Tony Finch wrote:
>> On Mon, 15 Feb 2010, Mark Scholten wrote:
>>>
>>> I've seen problems that are only there because of DNSSEC, so if there is a
>>> problem starting with trying to disable DNSSEC could be a good idea. As long
>>> as not all rootzones are signed I don't see a good reason to use DNSSEC at
>>> the moment.
>>
>> You realise that two of them are signed now and the rest will be signed by
>> 1st July?
>>
>
>
> Which means now is a good time to find and fix brokenness, not hope that
> DNSSEC will go away.
Right.
Apart from implementations that just can't handle funky RR types in the response -- firewalls, perhaps? see RFC 2979, especially the transparency rule -- a lot of the trouble is caused by the reply size. The code should either use EDNS0 or fall back to TCP -- and lots of folks have broken firewall configs that don't allow TCP 53, even though it's been in the spec since 1984 or thereabouts.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
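The two mechanisms Bellovin names, an EDNS0 OPT record advertising a larger UDP buffer and the TC-bit fallback to TCP, are shown below in a small stdlib-only Python example added here; it is not code from the thread or from any NANOG participant. It builds a query with an OPT pseudo-RR (RFC 6891 layout, DO bit set so DNSSEC records are returned), parses the header of a constructed truncated response, and reports when a client must retry over TCP/53. The query name, transaction ID and the sample response bytes are constructed for the demonstration.

```python
import struct

# Constructed example: DNS wire format helpers for EDNS0 and TCP fallback.
# No network access; all messages are built or parsed in memory.

DNS_TYPE_A = 1
DNS_TYPE_OPT = 41
DNS_CLASS_IN = 1
FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: answer did not fit the UDP limit
EDNS_DO_BIT = 0x8000  # "DNSSEC OK" in the OPT RR's TTL field (RFC 6891 s6.1.3)


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=DNS_TYPE_A, txid=0x1234, edns=True,
                udp_payload=4096, dnssec_ok=True):
    """Recursion-desired query; with edns=True an OPT RR is added in the
    additional section advertising how large a UDP reply we can accept."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, DNS_CLASS_IN)
    if not edns:
        return header + question
    # OPT RR: root name (0x00), TYPE=41, CLASS=UDP payload size,
    # TTL = ext-rcode(8) | version(8) | DO(1)+Z(15), RDLENGTH=0
    ttl = EDNS_DO_BIT if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_payload, ttl, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict of the fields we care about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def skip_name(msg, off):
    """Advance past a wire-format name, honouring compression pointers (0xC0)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def edns_udp_size(msg):
    """Return (advertised UDP payload size, DO bit) from the OPT RR, or None
    when the message carries no EDNS0 record (a plain 512-byte-limited query)."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == DNS_TYPE_OPT:
            return rclass, bool(ttl & EDNS_DO_BIT)
        off += rdlen
    return None


def needs_tcp_retry(response):
    """True when the server set TC=1: the reply was cut to fit UDP and the
    client must repeat the query over TCP port 53. A firewall that drops
    TCP/53 turns this retry into a hard failure for large (DNSSEC) answers."""
    h = parse_header(response)
    return h["qr"] and h["tc"]


# Constructed sample: a response with QR, TC, RD and RA set and no answers,
# i.e. what a server returns when the signed answer exceeds the UDP limit.
TRUNCATED_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
                      + encode_name("example.com")
                      + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN))

if __name__ == "__main__":
    q = build_query("example.com")
    print("query advertises (udp size, DO):", edns_udp_size(q))
    print("retry over TCP?", needs_tcp_retry(TRUNCATED_RESPONSE))
```

Checking a client's behaviour against this is straightforward: a query that carries no OPT RR caps replies at 512 bytes, and a client that sees TC=1 but cannot open TCP/53 through the firewall will never get the full signed answer, which is exactly the failure mode described in the message.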