From owner-freebsd-questions@FreeBSD.ORG Mon Apr 19 11:12:31 2010
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C6B4A106566C for ; Mon, 19 Apr 2010 11:12:31 +0000 (UTC) (envelope-from kraduk@googlemail.com)
Received: from mail-bw0-f214.google.com (mail-bw0-f214.google.com [209.85.218.214]) by mx1.freebsd.org (Postfix) with ESMTP id 577488FC0A for ; Mon, 19 Apr 2010 11:12:30 +0000 (UTC)
Received: by bwz6 with SMTP id 6so3976650bwz.13 for ; Mon, 19 Apr 2010 04:12:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:mime-version:received:date:received:message-id:subject:from:to:content-type; bh=9tRlBxwe0tdWwC3xiWlsIRIF5dR9PjlquUKYZREpNKc=; b=mC2gXkavIueoTe58y/93GD9xQPDaJgMARnh8T7silYEY1HwQQ5bkw0SKVO7UnQDyedHFRl7Hnsby1NHISWyhDnydBAahs0M/It1xf6R5V6GmjX10Ue2wwk9PpDpb8xONt2AwbOzvkPFhon9DKDHTBe1hi+llMnYvm9c7PnVqi6A=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=E5pTINWteqz2hCv9H9rowYSprmGSaajWB4P/QMl80k6A9CuxNpY3/u6hYvIQKSZmshvyZh0fQLcrrPZrbcz6rFLF+Zise0NiYeGjII1mq2tCgQjCXOm326OWNP/AQ7KLgpHyj80j4ojXYoxsgu94mXjSxps89nUkVQlnrIYc2YE=
MIME-Version: 1.0
Received: by 10.239.165.129 with HTTP; Mon, 19 Apr 2010 04:12:23 -0700 (PDT)
Date: Mon, 19 Apr 2010 12:12:23 +0100
Received: by 10.239.142.205 with SMTP id h13mr435901hba.213.1271675543593; Mon, 19 Apr 2010 04:12:23 -0700 (PDT)
Message-ID:
From: krad
To: FreeBSD Questions
Content-Type: text/plain; charset=ISO-8859-1
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: DJB and root ns server dnssec signing
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 19 Apr 2010 11:12:32 -0000

Hi,

Not strictly a FreeBSD question, this, but I'm feeling jittery about it as I can't afford it to go wrong. As you are probably aware, the root zones are going to be signed soon. I run a number of heavily used DNS caches (~600-900 queries/sec) running djb dnscache. From what I can see, dnscache doesn't support DNSSEC and EDNS, and as these boxes are caches they will be querying the root NS a lot. They are also not behind a discrete firewall, so it's not a firewall dropping the large UDP packets. I can't find any categorical answer to whether I will get an issue here, and this makes me nervous. Can anyone offer any advice or pointers on this?

  $ dig @test.server +short rs.dns-oarc.net txt
  rst.x476.rs.dns-oarc.net.
  rst.x485.x476.rs.dns-oarc.net.
  rst.x490.x485.x476.rs.dns-oarc.net.
  "212.139.132.43 DNS reply size limit is at least 490"
  "212.139.132.43 lacks EDNS, defaults to 512"
  "Tested at 2010-04-19 10:42:04 UTC"

I would upgrade the NS to BIND, but historically there were issues with BIND on these boxes, so if I were to do this I would need to upgrade to 8-stable (they are a mixture of 4, 5, 6), where I can safely use threaded BIND. All of these boxes are remote and heavily active, so with the time constraints that isn't that desirable.
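The DNS-OARC test above reports two things about a resolver: whether its outgoing queries carry an EDNS0 OPT record (RFC 6891) and the largest UDP reply it was able to receive. The following is an added example, not code from the original post or from djbdns: it builds DNS queries with and without an OPT record (showing the UDP payload size and DO bit fields a DNSSEC-aware resolver advertises), inspects a query the way the tester would, and parses the TXT strings from the post into the reported limit. The function names are my own, and the sample TXT lines are constructed from the output quoted above.

```python
"""Added example (not from the original post or djbdns): EDNS0 query
construction/inspection and parsing of rs.dns-oarc.net TXT results."""
import re
import struct

QTYPE_TXT = 16
QTYPE_OPT = 41
DO_BIT = 0x8000  # DNSSEC OK flag: top bit of the 16-bit flags in the OPT TTL field


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234, edns_size=None, do=False):
    """Return a wire-format DNS query; append an OPT RR when edns_size is given.

    A resolver that never sends the OPT RR (as dnscache is described above)
    is limited by RFC 1035 to 512-byte UDP replies; one that sends it
    advertises edns_size and, with do=True, asks for DNSSEC records.
    """
    arcount = 1 if edns_size is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD bit set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    pkt = header + question
    if edns_size is not None:
        flags = DO_BIT if do else 0
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode(8) | version(8) | flags(16), RDLENGTH 0
        pkt += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_size, flags, 0)
    return pkt


def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, two bytes
            return off + 2
        off += 1 + length


def inspect_query(pkt):
    """Report whether a query carries EDNS0, its UDP size limit and DO bit."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns):
        off = skip_name(pkt, off)
        _, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
    for _ in range(ar):
        off = skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == QTYPE_OPT:
            return {"edns": True, "udp_size": rclass, "do": bool(ttl & DO_BIT)}
        off += 10 + rdlen
    return {"edns": False, "udp_size": 512, "do": False}  # RFC 1035 default


OARC_SIZE_RE = re.compile(r"DNS reply size limit is at least (\d+)")


def parse_oarc_txt(lines):
    """Extract the reported size limit and EDNS status from the tester's TXT strings."""
    result = {"size_limit": None, "edns": True}
    for line in lines:
        m = OARC_SIZE_RE.search(line)
        if m:
            result["size_limit"] = int(m.group(1))
        if "lacks EDNS" in line:
            result["edns"] = False
    return result


# Constructed sample, copied from the dig output in the post above.
SAMPLE_TXT = [
    "212.139.132.43 DNS reply size limit is at least 490",
    "212.139.132.43 lacks EDNS, defaults to 512",
    "Tested at 2010-04-19 10:42:04 UTC",
]

if __name__ == "__main__":
    print(inspect_query(build_query("rs.dns-oarc.net", QTYPE_TXT)))
    print(inspect_query(build_query("rs.dns-oarc.net", QTYPE_TXT, edns_size=4096, do=True)))
    print(parse_oarc_txt(SAMPLE_TXT))
```

Running it shows the contrast the tester is measuring: the plain query inspects as no EDNS with a 512-byte ceiling, matching the "lacks EDNS, defaults to 512" line, while the second query advertises 4096 bytes with DO set. Pointing the inspect function at a capture of a cache's upstream queries (for example, feeding it the UDP payloads from a tcpdump of port 53) is a direct way to confirm what a given resolver actually sends.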