From owner-freebsd-questions@FreeBSD.ORG Mon Apr 19 12:12:42 2010
From: krad
To: Vincent Hoffman
Cc: freebsd-questions@freebsd.org
Date: Mon, 19 Apr 2010 13:12:36 +0100
Subject: Re: DJB and root ns server dnssec signing
In-Reply-To: <4BCC4756.9060109@unsane.co.uk>
On 19 April 2010 13:06, Vincent Hoffman wrote:
> On 19/04/2010 12:12, krad wrote:
> > Hi,
> >
> > Not strictly a freebsd question this but I'm feeling jittery about this as I
> > can't afford it to go wrong.
> >
> > As you are probably aware the root zones are going to be signed soon. I run
> > a number of heavily used dns caches (~ 600-900 queries / sec) running djb
> > dnscache. From what I can see dnscache doesn't support dnssec and edns and
> > as these boxes are caches they will be querying the root ns a lot. They are
> > also not behind a discrete firewall, so it's not that dropping the large udp
> > packets. I can't find any categoric answer to whether I will get an issue
> > here and this makes me nervous. Can anyone offer any advice or pointers on
> > this?
> >
> > $ dig @test.server +short rs.dns-oarc.net txt
> > rst.x476.rs.dns-oarc.net.
> > rst.x485.x476.rs.dns-oarc.net.
> > rst.x490.x485.x476.rs.dns-oarc.net.
> > "212.139.132.43 DNS reply size limit is at least 490"
> > "212.139.132.43 lacks EDNS, defaults to 512"
> > "Tested at 2010-04-19 10:42:04 UTC"
> >
> > I would upgrade the ns to bind, but historically there were issues with bind
> > on these boxes so if I were to do this I would need to upgrade to 8-stable
> > (they are a mixture of 4,5,6) where I can safely use threaded bind. All of
> > these boxes are remote and heavily active so with the time constraints isn't
> > that desirable.
>
> dns/unbound (http://unbound.net/) might be a better way to go than
> bind if you just want a dnssec aware caching resolver.
>
> Vince
>

Unfortunately not an option as we have a number of specialized patches running on the servers. These are available for bind and djb only.
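The dig test quoted above reports whether a resolver advertises EDNS and what reply size it will accept; the following is an added example, not code from this thread or from djbdns, showing the EDNS(0) OPT pseudo-record that check relies on: it builds a query with or without an OPT RR and parses a response to read the advertised UDP buffer size, returning None when the peer "lacks EDNS" and is therefore limited to the classic 512 bytes. The response bytes are constructed by hand for illustration, not captured traffic.

```python
import struct

OPT_TYPE = 41  # EDNS(0) pseudo-RR type (RFC 6891); its CLASS field carries the UDP size

def encode_name(name):
    # Dotted hostname -> wire-format labels, terminated by the root label.
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, qtype=16, udp_size=None, txid=0x1234):
    # TXT query (qtype 16) with RD set; udp_size adds an OPT RR in the additional section.
    arcount = 1 if udp_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if udp_size:
        # OPT RR: root name, type 41, CLASS = payload size, TTL = 0 (no ext-rcode/flags), empty RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return msg

def skip_name(buf, off):
    # Return the offset just past a wire-format name; a compression pointer ends it.
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def advertised_udp_size(msg):
    # Walk every section; return the OPT RR's CLASS (UDP size) or None when the peer lacks EDNS.
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return None

# Constructed sample response: one A answer whose name is a compression pointer to the question, then an OPT RR advertising 1232 bytes.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    + encode_name("example.net") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, 0)
)
```

A query built without udp_size is what a non-EDNS resolver such as the one in the dig output sends, and a peer parsing it sees no OPT RR, so it must keep the reply under 512 bytes.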