* Posts by marka63

2 publicly visible posts • joined 15 Apr 2010

Will DNSSEC kill your internet?

marka63
FAIL

Perhaps you should read the RFCs before you post.

DO *only* indicates that you UNDERSTAND DNSSEC records.

DO does NOT, and never has, indicated that you intend to validate the response.

B.T.W. it is not DO but EDNS that permits larger than 512 byte responses, and the root servers have been sending them for years now; look at almost every referral from the root servers for COM and NET lookups. Even with DO *not* set they exceed 512 bytes.

% dig +edns=0 example.com @j.root-servers.net

; <<>> DiG 9.7.0 <<>> +edns=0 example.com @j.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27983
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 16
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com. IN A

;; AUTHORITY SECTION:
com. 172800 IN NS B.GTLD-SERVERS.NET.
com. 172800 IN NS H.GTLD-SERVERS.NET.
com. 172800 IN NS G.GTLD-SERVERS.NET.
com. 172800 IN NS C.GTLD-SERVERS.NET.
com. 172800 IN NS E.GTLD-SERVERS.NET.
com. 172800 IN NS L.GTLD-SERVERS.NET.
com. 172800 IN NS F.GTLD-SERVERS.NET.
com. 172800 IN NS K.GTLD-SERVERS.NET.
com. 172800 IN NS A.GTLD-SERVERS.NET.
com. 172800 IN NS J.GTLD-SERVERS.NET.
com. 172800 IN NS D.GTLD-SERVERS.NET.
com. 172800 IN NS I.GTLD-SERVERS.NET.
com. 172800 IN NS M.GTLD-SERVERS.NET.

;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET. 172800 IN A 192.5.6.30
A.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:a83e::2:30
B.GTLD-SERVERS.NET. 172800 IN A 192.33.14.30
B.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:231d::2:30
C.GTLD-SERVERS.NET. 172800 IN A 192.26.92.30
D.GTLD-SERVERS.NET. 172800 IN A 192.31.80.30
E.GTLD-SERVERS.NET. 172800 IN A 192.12.94.30
F.GTLD-SERVERS.NET. 172800 IN A 192.35.51.30
G.GTLD-SERVERS.NET. 172800 IN A 192.42.93.30
H.GTLD-SERVERS.NET. 172800 IN A 192.54.112.30
I.GTLD-SERVERS.NET. 172800 IN A 192.43.172.30
J.GTLD-SERVERS.NET. 172800 IN A 192.48.79.30
K.GTLD-SERVERS.NET. 172800 IN A 192.52.178.30
L.GTLD-SERVERS.NET. 172800 IN A 192.41.162.30
M.GTLD-SERVERS.NET. 172800 IN A 192.55.83.30

;; Query time: 178 msec
;; SERVER: 2001:503:c27::2:30#53(2001:503:c27::2:30)
;; WHEN: Thu Apr 15 14:11:43 2010
;; MSG SIZE rcvd: 528

%

DO does increase the size further still but not by much (713 vs 528 bytes for this example query).

% dig +dnssec example.com @a.root-servers.net

; <<>> DiG 9.7.0 <<>> +dnssec example.com @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40553
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.com. IN A

;; AUTHORITY SECTION:
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 86400 IN NSEC coop. NS RRSIG NSEC
com. 86400 IN RRSIG NSEC 8 1 86400 20100422000000 20100414230000 55138 . s1ldDSeyP6mrfQCiDqy+cRpQMQOgohAmvycezbHIAgsgu61Z/O4qMEQJ m5HxFEtWrGU1b9C/Y26y3kJslMOzvP1jtvBt78bJnBEz+sN9eFYxeKG7 KQ+Daq56+M3kpH2pldqI1nn5QpNl0fzMUOdkq8xOnmABDpdM+aAcdB2f nGg=

;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800 IN A 192.5.6.30
a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30
b.gtld-servers.net. 172800 IN A 192.33.14.30
b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30
c.gtld-servers.net. 172800 IN A 192.26.92.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
h.gtld-servers.net. 172800 IN A 192.54.112.30
i.gtld-servers.net. 172800 IN A 192.43.172.30
j.gtld-servers.net. 172800 IN A 192.48.79.30
k.gtld-servers.net. 172800 IN A 192.52.178.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
m.gtld-servers.net. 172800 IN A 192.55.83.30

;; Query time: 179 msec
;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
;; WHEN: Thu Apr 15 14:15:04 2010
;; MSG SIZE rcvd: 713

%

Even NXDOMAIN responses are not that large. However, if you have a firewall that blocks UDP responses bigger than 512 bytes but permits EDNS and DO and also blocks outbound TCP lookups, then the NXDOMAIN response won't get through.

% dig +dnssec example.wy @a.root-servers.net

; <<>> DiG 9.7.0 <<>> +dnssec example.wy @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20276
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.wy. IN A

;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010041401 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20100422000000 20100414230000 55138 . FfgJf7vv3i4f63s0B+joYLeCf0/HyMfJrPx2Z0ziwe5N5Wec6AJ2EQ6Q tzvbNYq+bAVsl+vABooW6f+JiXDiLh9EO3uOIieyYXX7UFW8liDKcCXx fyaQkXXjcRmBo89AZxeBjW8FIKg5BEqLafugrvihl1uBhyD7o0lk/Fbw G8A=
. 86400 IN NSEC ac. NS SOA RRSIG NSEC DNSKEY
. 86400 IN RRSIG NSEC 8 0 86400 20100422000000 20100414230000 55138 . Xq36MvWZCGpC1tv2IX/PdoJrGe4Kn2W2g3mVyG1+D1UTWHU0wPf0BKIH 68dHAS5QbcQ/27PoVPG9L7RzVf2aTasxl9B7OTy3mWbph8Qv0nIPXsvf jvdps0m/GHxlDnVEn+k3KD6thX4dc6D8pIN7t7lBQXq1BDnGJMavUfPf OPI=
ws. 86400 IN NSEC xn--0zwm56d. NS RRSIG NSEC
ws. 86400 IN RRSIG NSEC 8 1 86400 20100422000000 20100414230000 55138 . iXxgGMRrrOl19l5Mftm3MwtatCdvYgqcKy5JNRerYVLe4A/gsI+y2xSk Zj7cS7up9TT1ltoC5EfRKPF3nxFWXMZ/bXkQzzwWVU0JR9NuFI+q76pE JatWYlbQsbyKBxLO+KYsXEwn09pAOyPHwMZhqFfe0FX31Ni7J1leMoiA e+o=

;; Query time: 183 msec
;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
;; WHEN: Thu Apr 15 14:18:51 2010
;; MSG SIZE rcvd: 648

%
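Added worked example, not part of the post above: the three dig outputs quoted in it rebuilt on the wire with the RFC 1035 name compression a real authoritative server applies, so you can see exactly which records account for the bytes. The builder (Message, encode_name, type_bitmap) and the two response functions are this editor's code, not BIND's or the poster's; the NS names, glue addresses, NSEC chain entries, SOA fields and RRSIG key tag 55138 are taken from the post, while the RRSIG validity times are zeroed placeholders and the signatures are zero-filled 128-byte placeholders of the same length as the 1024-bit RSA signatures shown. With those stand-ins the three messages come out at 528, 713 and 648 bytes, matching the MSG SIZE rcvd lines, and the OPT record shows where EDNS keeps the advertised UDP size (the CLASS field) and the DO bit (top bit of the flags in the TTL field). Runs offline, stdlib only.

```python
import socket
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_AAAA, TYPE_OPT, TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY = 1, 2, 6, 28, 41, 46, 47, 48
DO_FLAG = 0x8000          # DO is the top bit of the 16-bit flags carried in the OPT RR's TTL field
CLASSIC_UDP_LIMIT = 512   # RFC 1035 UDP ceiling when no OPT record is present
AUTHORITY, ADDITIONAL = 2, 3
SIG_LEN = 128             # zero-filled placeholder, same length as the post's 1024-bit RSA signatures
GLUE_A = dict(zip("abcdefghijklm", [  # glue addresses as quoted in the post
    "192.5.6.30", "192.33.14.30", "192.26.92.30", "192.31.80.30", "192.12.94.30", "192.35.51.30",
    "192.42.93.30", "192.54.112.30", "192.43.172.30", "192.48.79.30", "192.52.178.30",
    "192.41.162.30", "192.55.83.30"]))
GLUE_AAAA = {"a": "2001:503:a83e::2:30", "b": "2001:503:231d::2:30"}

def encode_name(name, offset=0, table=None):
    """Wire-encode a name; with a table, a suffix seen earlier becomes a 2-byte 0xC0 pointer (RFC 1035 4.1.4)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]).lower()
        if table is not None and suffix in table:
            return out + struct.pack("!H", 0xC000 | table[suffix])
        if table is not None and offset + len(out) < 0x4000:
            table[suffix] = offset + len(out)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def type_bitmap(types):
    """NSEC type bitmap, window 0 only (sufficient for the types used here)."""
    bits = bytearray(max(types) // 8 + 1)
    for t in types:
        bits[t // 8] |= 0x80 >> (t % 8)
    return bytes([0, len(bits)]) + bytes(bits)

class Message:
    """Minimal DNS response builder: header counts, name compression, OPT pseudo-record."""
    def __init__(self, txid, flags):
        self.buf = bytearray(struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0))
        self.table, self.counts = {}, [0, 0, 0, 0]
    def question(self, qname, qtype):
        self.buf += encode_name(qname, len(self.buf), self.table) + struct.pack("!HH", qtype, 1)
        self.counts[0] += 1
    def rr(self, section, owner, rtype, ttl, rdata, rclass=1):
        self.buf += encode_name(owner, len(self.buf), self.table)
        if callable(rdata):                   # rdata containing names is built once its offset is known
            rdata = rdata(len(self.buf) + 10)
        self.buf += struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
        self.counts[section] += 1
    def ns(self, owner, target):
        self.rr(AUTHORITY, owner, TYPE_NS, 172800, lambda off: encode_name(target, off, self.table))
    def nsec(self, owner, nxt, types):        # the next-owner name is never compressed (RFC 4034 4.1.1)
        self.rr(AUTHORITY, owner, TYPE_NSEC, 86400, encode_name(nxt) + type_bitmap(types))
    def rrsig(self, owner, covered, labels):  # alg 8, zeroed validity times (placeholder), key tag and signer "." as in the post
        fixed = struct.pack("!HBBIIIH", covered, 8, labels, 86400, 0, 0, 55138) + b"\x00"
        self.rr(AUTHORITY, owner, TYPE_RRSIG, 86400, fixed + bytes(SIG_LEN))
    def opt(self, udp_size=4096, do=False):   # OPT RR: owner ".", CLASS carries the UDP size, TTL carries the flags
        self.rr(ADDITIONAL, ".", TYPE_OPT, DO_FLAG if do else 0, b"", rclass=udp_size)
    def wire(self):
        struct.pack_into("!HHHH", self.buf, 4, *self.counts)
        return bytes(self.buf)

def referral(do):
    """The root's referral for example.com from the post: 13 NS + glue, plus the delegation's NSEC/RRSIG when DO is set."""
    m = Message(27983, 0x8100)                # flags: qr rd
    m.question("example.com.", TYPE_A)
    for c in "bhgcelfkajdim":
        m.ns("com.", f"{c}.gtld-servers.net.")
    if do:
        m.nsec("com.", "coop.", [TYPE_NS, TYPE_RRSIG, TYPE_NSEC])
        m.rrsig("com.", TYPE_NSEC, 1)
    for c in "abcdefghijklm":
        m.rr(ADDITIONAL, f"{c}.gtld-servers.net.", TYPE_A, 172800, socket.inet_pton(socket.AF_INET, GLUE_A[c]))
        if c in GLUE_AAAA:
            m.rr(ADDITIONAL, f"{c}.gtld-servers.net.", TYPE_AAAA, 172800, socket.inet_pton(socket.AF_INET6, GLUE_AAAA[c]))
    m.opt(4096, do)
    return m.wire()

def nxdomain():
    """The root's signed NXDOMAIN for example.wy from the post: SOA plus three NSEC/RRSIG pairs."""
    m = Message(20276, 0x8503)                # flags: qr aa rd, rcode NXDOMAIN
    m.question("example.wy.", TYPE_A)
    def soa(off):
        mname = encode_name("a.root-servers.net.", off, m.table)
        rname = encode_name("nstld.verisign-grs.com.", off + len(mname), m.table)
        return mname + rname + struct.pack("!IIIII", 2010041401, 1800, 900, 604800, 86400)
    m.rr(AUTHORITY, ".", TYPE_SOA, 86400, soa)
    m.rrsig(".", TYPE_SOA, 0)
    m.nsec(".", "ac.", [TYPE_NS, TYPE_SOA, TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY])
    m.rrsig(".", TYPE_NSEC, 0)
    m.nsec("ws.", "xn--0zwm56d.", [TYPE_NS, TYPE_RRSIG, TYPE_NSEC])
    m.rrsig("ws.", TYPE_NSEC, 1)
    m.opt(4096, True)
    return m.wire()

if __name__ == "__main__":
    for label, msg in [("referral, DO clear", referral(False)),
                       ("referral, DO set", referral(True)), ("NXDOMAIN, DO set", nxdomain())]:
        verdict = "exceeds" if len(msg) > CLASSIC_UDP_LIMIT else "fits in"
        print(f"{label:20} {len(msg)} bytes on the wire: {verdict} {CLASSIC_UDP_LIMIT}")
```

Reading the byte budget off the builder: the 13 NS records and 15 glue records already come to 517 bytes before the 11-byte OPT record is appended, so the plain referral is over 512 with DO clear, exactly as the post says; setting DO adds one NSEC (26 bytes) and one RRSIG (159 bytes), the 185-byte difference between 528 and 713. The same function makes a useful check on your own resolver path: send the DO-clear referral size through whatever UDP filter you have in front of your resolver, and if it is dropped the problem is the 512-byte filter, not DNSSEC.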

marka63
FAIL

No Fragmentation Myth at 512 Bytes.

The 512 byte limit was so that reassembly would work. 512 byte UDP/IPv4 packets can be fragmented.