Date:      Mon, 19 Apr 2010 13:06:46 +0100
From:      Vincent Hoffman <vince@unsane.co.uk>
To:        freebsd-questions@freebsd.org
Subject:   Re: DJB and root ns server dnssec signing
Message-ID:  <4BCC4756.9060109@unsane.co.uk>
In-Reply-To: <n2rd36406631004190412k9fea6e71i2b61d411fd7948@mail.gmail.com>
References:  <n2rd36406631004190412k9fea6e71i2b61d411fd7948@mail.gmail.com>

On 19/04/2010 12:12, krad wrote:
> Hi,
>
> Not strictly a FreeBSD question this but I'm feeling jittery about this as I
> can't afford it to go wrong.
>
> As you are probably aware the root zones are going to be signed soon. I run
> a number of heavily used DNS caches (~ 600-900 queries / sec) running djb
> dnscache. From what I can see dnscache doesn't support DNSSEC and EDNS and
> as these boxes are caches they will be querying the root NS a lot. They are
> also not behind a discrete firewall, so it's not that dropping the large UDP
> packets. I can't find any categorical answer to whether I will get an issue
> here and this makes me nervous. Can anyone offer any advice or pointers on
> this?
>
> $ dig @test.server +short rs.dns-oarc.net txt
> rst.x476.rs.dns-oarc.net.
> rst.x485.x476.rs.dns-oarc.net.
> rst.x490.x485.x476.rs.dns-oarc.net.
> "212.139.132.43 DNS reply size limit is at least 490"
> "212.139.132.43 lacks EDNS, defaults to 512"
> "Tested at 2010-04-19 10:42:04 UTC"
>
> I would upgrade the NS to BIND, but historically there were issues with BIND
> on these boxes so if I were to do this I would need to upgrade to 8-stable
> (they are a mixture of 4, 5, 6) where I can safely use threaded BIND. All of
> these boxes are remote and heavily active so with the time constraints isn't
> that desirable.
dns/unbound (http://unbound.net/) might be a better way to go than
bind if you just want a dnssec aware caching resolver.

Vince
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4BCC4756.9060109>