From: Vincent Hoffman
Date: Mon, 19 Apr 2010 13:06:46 +0100
To: freebsd-questions@freebsd.org
Subject: Re: DJB and root ns server dnssec signing
Message-ID: <4BCC4756.9060109@unsane.co.uk>
List-Id: User questions

On 19/04/2010 12:12, krad wrote:
> Hi,
>
> Not strictly a FreeBSD question this, but I'm feeling jittery about this as I
> can't afford it to go wrong.
>
> As you are probably aware, the root zones are going to be signed soon. I run
> a number of heavily used DNS caches (~600-900 queries/sec) running djb
> dnscache. From what I can see dnscache doesn't support DNSSEC and EDNS, and
> as these boxes are caches they will be querying the root NS a lot. They are
> also not behind a discrete firewall, so it's not a case of dropping the large
> UDP packets. I can't find any categorical answer to whether I will get an
> issue here and this makes me nervous. Can anyone offer any advice or pointers
> on this?
>
> $ dig @test.server +short rs.dns-oarc.net txt
> rst.x476.rs.dns-oarc.net.
> rst.x485.x476.rs.dns-oarc.net.
> rst.x490.x485.x476.rs.dns-oarc.net.
> "212.139.132.43 DNS reply size limit is at least 490"
> "212.139.132.43 lacks EDNS, defaults to 512"
> "Tested at 2010-04-19 10:42:04 UTC"
>
> I would upgrade the NS to BIND, but historically there were issues with BIND
> on these boxes, so if I were to do this I would need to upgrade to 8-stable
> (they are a mixture of 4, 5, 6) where I can safely use threaded BIND. All of
> these boxes are remote and heavily active, so with the time constraints it
> isn't that desirable.
>

dns/unbound (http://unbound.net/) might be a better way to go than BIND if you
just want a DNSSEC-aware caching resolver.

Vince
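The rs.dns-oarc.net check quoted in the thread reports whether the resolver attaches an EDNS0 OPT record and what UDP payload size it advertises, falling back to the classic 512-byte limit when it does not. As an added example (not from the thread or from any of the tools it mentions), the following Python builds a TXT query with and without an OPT record and parses any DNS message on the wire to report those same facts; the 4096-byte advertised size and the fixed query ID are assumed sample values.

```python
import struct

# Constructed sample parameters (assumptions, not from the thread): dig advertises
# 4096 bytes by default; a real client should randomise the query ID.
EDNS_UDP_SIZE = 4096
QUERY_ID = 0x1234
OPT_TYPE = 41          # OPT pseudo-RR type, RFC 6891
DO_BIT = 0x8000        # DNSSEC OK flag, high bit of the OPT record's TTL field

def encode_name(name):
    """Encode a dotted name as DNS wire-format labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype=16, edns=True, udp_size=EDNS_UDP_SIZE, do=True):
    """Build a TXT (type 16) query; with edns=True an OPT record is appended."""
    header = struct.pack(">HHHHHH", QUERY_ID, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    if edns:
        # OPT: root name, TYPE=41, CLASS=requestor's UDP payload size,
        # TTL=extended RCODE/version/flags (DO bit), RDLENGTH=0 (no options)
        msg += b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_size, DO_BIT if do else 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a wire-format name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length

def edns_info(msg):
    """Report whether a DNS message carries EDNS, plus its advertised UDP size, DO and TC bits."""
    _id, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    # Without an OPT record the classic 512-byte UDP limit applies ("lacks EDNS, defaults to 512")
    info = {"edns": False, "udp_size": 512, "do": False, "tc": bool(flags & 0x0200)}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            info.update(edns=True, udp_size=rclass, do=bool(ttl & DO_BIT))
    return info
```

Feeding a captured response from a resolver into edns_info() shows whether it negotiated EDNS at all and whether TC was set, which is the failure mode a non-EDNS cache would hit once root responses grow past 512 bytes.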