Hauke Lampe | 30 Apr 20:29

Re: tinydns/dnscache after may 5th

Jeff Rooney wrote:

> Anyone concerned about the DNSSEC switchover on the 5th, related to how it
> will affect tinydns/dnscache deployments? 

No.

> I have read some somewhat
> conflicting articles outlining what the root switchover actually means and
> am honestly confused :/

Many of those articles fail to mention that there will be no "switchover".

Most root servers already reply with signed (i.e. large) answers to
those who explicitly ask for them with the EDNS0 DO option.

Any resolver that has problems receiving large responses over UDP should
experience frequent failures or unusually long delays in name
resolution by now, *if* it requests EDNS buffer sizes > 512 Bytes *and*
uses DNSSEC extensions *and* cannot use TCP *and* refuses to fall back
to smaller buffer sizes or plain (non-EDNS) queries.

Such a crippled resolver would fail on May 5th (plus remaining cache
TTL), when all root servers load the signed zone. Others will cope with
various strategies (use TCP, EDNS @ 512 or don't use EDNS at all).

The majority of resolvers won't register much of a difference.

> I understand that djbdns does not support EDNS0. It's my understanding that
> dnscache will only ever ask for replies via UDP and smaller than 512 bytes.

Right, without EDNS0, nameservers send neither UDP responses
larger than 512 Bytes nor DNSSEC signatures. dnscache won't even notice.

> What should we be expecting is the actual impact of the May 5th switchover
> with regards to tinydns/dnscache?

Unless dnscache forwards all queries to another proxy, I'd expect to see
no impact on the technical side.

Publication of the root trust anchor in June, however, will probably
increase customer/management demand for DNS cache and authority
operators to deploy DNSSEC-aware software. That will possibly bring
death to a few djbdns installations.

Hauke.
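As an added example (my own Python, not djbdns or dnscache code), this builds plain and EDNS0 queries with the advertised UDP buffer size and the DO bit, and encodes the fallback ladder described above: retry with EDNS at 512, then TCP, or drop EDNS altogether. The `next_step` and `make_response` functions and the constructed reply header are assumptions for illustration, not part of any resolver.

```python
import struct

# Added example (not djbdns or dnscache code): build plain and EDNS0 queries,
# and apply the fallback ladder from the post (TCP, EDNS at 512, or no EDNS).
TC_FLAG = 0x0200   # "truncated" bit in the DNS header flags word
EDNS_DO = 0x8000   # DNSSEC OK bit, high bit of the OPT RR's TTL field
OPT_TYPE = 41      # EDNS0 OPT pseudo-RR type
PLAIN_MAX = 512    # RFC 1035 UDP payload limit without EDNS0


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, edns_bufsize=None, do_bit=False, txid=0x1234):
    """Wire-format query with RD set; appends an OPT RR when edns_bufsize is given."""
    arcount = 0 if edns_bufsize is None else 1
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_bufsize is not None:
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP size, TTL = ext flags, RDLEN 0
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, EDNS_DO if do_bit else 0, 0)
    return pkt


def make_response(txid, truncated):
    """Constructed sample reply header (QR, RD, RA set; TC optional) for offline use."""
    flags = 0x8180 | (TC_FLAG if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def next_step(response, edns, bufsize, transport="udp", tcp_available=True):
    """Decide what a resolver should do after one attempt.
    response=None models a lost UDP reply (e.g. a large, fragmented answer that was dropped)."""
    if response is None:
        if transport == "tcp" or not edns:
            return "fail"
        return "retry_edns_512" if bufsize > PLAIN_MAX else "retry_plain"
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & TC_FLAG:
        return "done"                     # complete answer received
    if transport == "tcp":
        return "fail"                     # truncated even over TCP: give up
    if tcp_available:
        return "retry_tcp"                # large (signed) answer: fetch it over TCP
    if edns:
        return "retry_plain"              # drop EDNS: unsigned answer that fits in 512
    return "fail"                         # plain query, no TCP: only the truncated answer
```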
