iTnews

Last minute checks for DNSSEC upgrade

By Brett Winterford
May 4 2010 4:15PM

Network admins prepare for internet security upgrade.

Network administrators are being encouraged to run some last minute checks on their DNS servers, routers and firewalls before the final cluster of the internet's root servers is loaded up with the DNSSEC security upgrade tomorrow night.


As reported late last week on iTnews.com.au, from May 5 the DNSSEC upgrade will attach a digital signature to every response the root servers give to a request for an internet page, where the DNS resolver is configured to request signed answers (by setting the DO bit in the Extensions to DNS, or EDNS, settings). The signature provides an additional layer of assurance for internet users that they are connecting to the correct page.

Concerns have been raised that the upgrade might cause some problems for network administrators working with older networking equipment that is preconfigured to either not accept DNS responses over 512 bytes or not accept DNS responses split into several packets using the TCP protocol.

ICANN's latest update on the upgrade, released yesterday, confirmed that root server cluster 'J-Root' is the last of 13 root server clusters to transition to DNSSEC on May 5 at 1700 - 1900 UTC.

ICANN said that "no harmful effects" have been identified from the 12 root server clusters upgraded to date.

But observers are nonetheless recommending network administrators run a series of final checks using the following tools:

- A reply-size test available at DNS-OARC:
https://www.dns-oarc.net/oarc/services/replysizetest

- RIPE Labs' 'Test your DNS Resolver':
http://labs.ripe.net/content/testing-your-resolver-dns-reply-size-issues

- iTnews readers have also recommended an automated tool developed by the University of California at Berkeley and Microsoft's guide to DNSSEC on Windows Server 2008 R2.

Advice for corporate networks

Melbourne IT chief strategy officer and ICANN board member Bruce Tonkin recommends that network operators and DNS managers review configuration settings on networking equipment - checking whether their equipment can handle DNS requests with larger packet sizes than 512 bytes or requests sent in multiple packets via the TCP protocol.

Operators should also "consider whether changes to UDP packet size limits will improve overall performance, and consider whether DNS resolvers should be configured to request the DNSSEC information or not in the short term," Tonkin said.

Internode network engineer Mark Newton recommended in a company blog that firewall administrators ensure the company's firewall is permitting DNS over TCP/53, and that fragmented DNS responses over UDP or TCP aren't blocked.

Should tests using the tools listed above fail, Newton asks that administrators consider a firmware upgrade.
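As an added illustration (not code from the article or from any of the tools it lists), the Python below builds the kind of query the upgrade concerns, with an EDNS OPT record and the DO bit set, and classifies a reply by the two properties older equipment mishandles: size over 512 bytes and the truncation flag that calls for a retry over TCP/53. The function names, the 4096-byte advertised size and the choice of a root DNSKEY query are assumptions made for the example.

```python
import socket
import struct

DO_BIT = 0x8000   # "DNSSEC OK" flag in the EDNS flags field
TC_BIT = 0x0200   # header flag: reply was truncated, retry over TCP
TYPE_OPT, TYPE_DNSKEY = 41, 48

def build_query(name=".", qtype=TYPE_DNSKEY, udp_size=4096, dnssec_ok=True, txid=0x1234):
    """Build a DNS query with an EDNS OPT record advertising udp_size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = [l for l in name.strip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)             # class IN
    # OPT RR: root owner, TYPE 41, CLASS carries the UDP size, TTL carries the flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT if dnssec_ok else 0, 0)
    return header + question + opt

def assess_reply(reply, transport="udp"):
    """Report the properties of a reply that old middleboxes mishandle."""
    if len(reply) < 12:
        raise ValueError("shorter than a DNS header")
    truncated = bool(struct.unpack("!H", reply[2:4])[0] & TC_BIT)
    return {"size": len(reply), "over_512": len(reply) > 512,
            "truncated": truncated, "retry_over_tcp": truncated and transport == "udp"}

def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP connection closed early")
        buf += chunk
    return buf

def probe(server, timeout=3.0):
    """Live check (needs network): UDP with EDNS first, then TCP/53 if truncated."""
    query = build_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        result = assess_reply(udp.recvfrom(65535)[0])  # a timeout here means no reply arrived
    if result["retry_over_tcp"]:
        with socket.create_connection((server, 53), timeout=timeout) as tcp:
            tcp.sendall(struct.pack("!H", len(query)) + query)   # 2-byte length prefix
            size = struct.unpack("!H", _read_exact(tcp, 2))[0]
            result = assess_reply(_read_exact(tcp, size), "tcp")
    return result
```

Calling `probe()` with the address of the resolver or name server under test runs the live check; a UDP timeout or a refused TCP connection points at the firewall or modem settings the article describes.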

"Read-up on the nature of the problem, and understand that TCP/53 has always been a valid part of the DNS protocol, and that blocking it isn't industry best practice, it's a configuration error," Newton said.

Checklist for ISP subscribers

By and large, internet service providers are expected to have prepared for the DNSSEC upgrade.

Australia's largest ISP, Telstra, said it "supported the introduction of DNSSEC" and did not anticipate customers would suffer any connectivity issues on May 5.

Primus, asked whether its DNS servers were prepared, was also confident the upgrade would prove smooth sailing for its subscribers.

"Be assured we have taken steps to ensure there will be no issues for customers," said Ravi Bhatia, CEO at Primus.

Internode has investigated its own systems and expects to be fully compliant with DNSSEC.

But whilst assuring that "the overwhelming majority of customers won't notice anything", Newton took a measured approach.

"Our customer service staff will try their best to assist people with DNS problems after May 5th, but please understand that it's possible that any problems you experience may be caused by deficiencies in your own equipment," Newton said in a company blog.

"Although it's very unlikely, it remains possible that you'll need to purchase a new firewall or a new ADSL modem after May 5 if your current equipment is old enough to have problems which haven't been fixed by the vendor because they're no longer offering support for your product."

Customers with ADSL modems that stop working correctly after May 5 should also consider a firmware upgrade, Newton said.

"If that doesn't help, try disabling your ADSL modem's DNS proxy, which will cause you to use our DNS servers (which we've tested with DNSSEC) instead of your ADSL modem's possibly-faulty built-in DNS server."
