Date: Mon, 19 Apr 2010 12:12:23 +0100
From: krad <kraduk@googlemail.com>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: DJB and root ns server dnssec signing
Message-ID: <n2rd36406631004190412k9fea6e71i2b61d411fd7948@mail.gmail.com>
Hi,

Not strictly a FreeBSD question this, but I'm feeling jittery about this as I can't afford it to go wrong. As you are probably aware, the root zones are going to be signed soon. I run a number of heavily used DNS caches (~600-900 queries/sec) running djb dnscache. From what I can see dnscache doesn't support DNSSEC and EDNS, and as these boxes are caches they will be querying the root NS a lot. They are also not behind a discrete firewall, so it's not that the large UDP packets are being dropped. I can't find any categorical answer to whether I will get an issue here and this makes me nervous. Can anyone offer any advice or pointers on this?

$ dig @test.server +short rs.dns-oarc.net txt
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"212.139.132.43 DNS reply size limit is at least 490"
"212.139.132.43 lacks EDNS, defaults to 512"
"Tested at 2010-04-19 10:42:04 UTC"

I would upgrade the NS to BIND, but historically there were issues with BIND on these boxes, so if I were to do this I would need to upgrade to 8-stable (they are a mixture of 4, 5, 6) where I can safely use threaded BIND. All of these boxes are remote and heavily active, so with the time constraints this isn't that desirable.
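The OARC test above reports "lacks EDNS, defaults to 512": the cache never sends an EDNS0 OPT record, so the upstream server assumes the classic 512-byte UDP limit and must set the TC bit on any larger (e.g. DNSSEC-signed) answer, forcing a TCP retry. The following script is an added example, not part of the original post or of dnscache, that shows what this looks like on the wire: it builds a query carrying an OPT pseudo-RR (RFC 6891) with a 4096-byte buffer and the DO bit, and inspects a response to report whether the peer answered with EDNS, what UDP size it advertised, and whether the reply was truncated. The responses it inspects are constructed in the script itself so that it runs offline; the names, transaction id and addresses are made-up test values.

```python
"""Build an EDNS0 query and inspect DNS responses for EDNS support and truncation.
Added example for the dnscache/EDNS question; all messages below are constructed locally."""
import struct

DNS_TYPE_OPT = 41
FLAG_QR = 0x8000
FLAG_TC = 0x0200   # truncated: answer did not fit the peer's UDP limit
FLAG_RD = 0x0100
FLAG_RA = 0x0080
EDNS_DO = 0x80000000  # DO bit in the OPT TTL field: "I can handle DNSSEC RRs"


def encode_name(name):
    """Encode 'www.example.com.' into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a wire name at off, following compression pointers; return (name, next_off)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def opt_record(udp_payload, do_bit):
    """OPT pseudo-RR: root name, type 41, CLASS = advertised UDP size, TTL = ext RCODE/version/flags."""
    return b"\x00" + struct.pack(">HHIH", DNS_TYPE_OPT, udp_payload, EDNS_DO if do_bit else 0, 0)


def build_edns_query(qname, qtype=1, udp_payload=4096, do_bit=True, txid=0x1234):
    """Query as an EDNS/DNSSEC-aware resolver sends it: one question plus an OPT in the additional section."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1) + opt_record(udp_payload, do_bit)


def build_response(qname, txid=0x1234, truncated=False, peer_udp_size=None, answer_count=0):
    """Constructed test response: optional TC bit, optional OPT record, dummy A answers in 192.0.2.0/24."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    msg = struct.pack(">HHHHHH", txid, flags, 1, answer_count, 0, 1 if peer_udp_size is not None else 0)
    msg += encode_name(qname) + struct.pack(">HH", 1, 1)
    for i in range(answer_count):
        # owner = pointer to the question name at offset 12; type A, class IN, TTL 60, RDLENGTH 4
        msg += b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, i])
    if peer_udp_size is not None:
        msg += opt_record(peer_udp_size, do_bit=True)
    return msg


def inspect_response(msg):
    """Walk every section and report truncation plus the peer's EDNS capabilities (512 bytes if no OPT)."""
    _txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    info = {"truncated": bool(flags & FLAG_TC), "edns": False, "peer_udp_size": 512, "do": False}
    for _ in range(an + ns + ar):
        _, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == DNS_TYPE_OPT:
            info.update(edns=True, peer_udp_size=rclass, do=bool(ttl & EDNS_DO))
    return info


def verdict(info):
    """One-line assessment a cache operator would want in a monitoring check."""
    if info["truncated"]:
        return "truncated: answer exceeded the UDP limit, TCP fallback required"
    if not info["edns"]:
        return "no EDNS from peer: replies capped at 512 bytes"
    return "EDNS ok: peer accepts up to %d bytes, DO=%s" % (info["peer_udp_size"], info["do"])


if __name__ == "__main__":
    print(build_edns_query("www.example.com.").hex())
    for r in (build_response("www.example.com.", peer_udp_size=4096, answer_count=2),
              build_response("www.example.com.", truncated=True)):
        print(verdict(inspect_response(r)))
```

Pointing `inspect_response` at real replies (read from a socket after sending `build_edns_query`) gives the same three signals the OARC TXT records summarise: whether OPT came back, the advertised buffer size, and whether TC was set.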