No, DNSSEC Upgrades Won't Break The Internet Next Week
DNSSEC could 'kill your Internet,' proclaims the Register. Not so much, says expert.

Updated with comments from Comcast engineers and OpenDNS's CEO. "Internet users face the risk of losing their internet connections on 5 May when the domain name system switches over to a new, more secure protocol," proclaims the Register, which informs its readers that DNSSEC upgrades could "kill your internet." The article insists that "from 5 May all the DNS root servers will only respond with signed DNSSEC answers," and infers from this that users could lose connectivity completely. That certainly sounds scary. Would it make you feel any better to learn that most of that isn't true?

DNSSEC is a new flavor of security that allows both sites and providers to validate domain name answers, making sure they're correct and haven't been tampered with; it is meant to help combat things like DNS cache "poisoning" and phishing scams. As we mentioned recently, Comcast hopes to have the upgrade installed by the end of 2011 ("if not sooner"), while OpenDNS has stated they'll be using an alternative to DNSSEC dubbed DNSCurve, which they claim is simpler and easier to deploy.

Upgrading to DNSSEC is a slow and measured affair that's only just getting off the ground. Despite The Register's claims that the Internet may grind to a halt next Wednesday, all 13 root servers upgraded with DNSSEC next week will behave normally toward end users whether your ISP is fully prepared or not (and most certainly aren't). There is, however, a small problem that could slow the Internet down slightly for a very small portion of users, as "El Reg" explores:

quote:
Normal DNS traffic uses the UDP protocol, which is faster and less resource-hungry than TCP. Normal DNS UDP packets are also quite small, under 512 bytes. Because of this, some pieces of network gear are configured out of the box to reject any UDP packet over 512 bytes on the basis that it's probably broken or malicious. Signed DNSSEC packets are quite a lot bigger than 512 bytes, and from 5 May all the DNS root servers will respond with signed DNSSEC answers.
Kind of, except that, as we understand it, root servers will only return signed DNSSEC answers to queries that have explicitly asked for them. In other words? The vast majority of Internet users won't notice a damn thing next week.
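The opt-in mechanism is the EDNS0 OPT pseudo-record: a resolver that wants signed answers sets its DO ("DNSSEC OK") bit and advertises a UDP buffer larger than 512 bytes, while a query without it gets the classic small, unsigned reply. The Python below is an added example, not code from the article or from any vendor it quotes; the wire layouts follow RFC 1035 and RFC 6891, and the response bytes used to exercise the check are constructed by hand.

```python
import struct

OPT_TYPE, DO_BIT, TC_BIT = 41, 0x8000, 0x0200  # OPT RR type, DNSSEC-OK flag, header truncation flag

def build_query(qname, qtype, dnssec=False, bufsize=4096, txid=0x1234):
    """Build a DNS query; with dnssec=True append an OPT RR with the DO bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec else 0)
    labels = [l for l in qname.rstrip(".").split(".") if l]  # "." -> no labels
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = header + name + struct.pack("!HH", qtype, 1)  # class IN
    if dnssec:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP size, TTL=flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, DO_BIT, 0)
    return msg

def _skip_name(msg, off):
    # Return the offset just past a wire-format name (handles compression pointers)
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def edns_info(msg):
    """Return (do_bit, udp_size) from the first OPT RR, or (False, 512) if there is none."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns):
        off = _skip_name(msg, off)
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]  # fixed fields + RDATA
    for _ in range(ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return bool(ttl & DO_BIT), rclass
        off += 10 + rdlen
    return False, 512

def response_risk(response):
    """Classify a reply by the symptom a 512-byte UDP filter would produce."""
    flags = struct.unpack("!H", response[2:4])[0]
    if flags & TC_BIT:
        return "truncated"  # client must retry over TCP: the slow path Mitchell describes
    if len(response) > 512:
        return "over-512"   # fine for EDNS0 clients, silently dropped by legacy middleboxes
    return "ok"
```

A plain query for the root SOA is 17 bytes and carries no OPT record; the DNSSEC-aware version adds 11 bytes and is the only one a root server answers with signatures.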

Keith Mitchell, head of engineering at root server operator Internet Systems Consortium, takes issue with the very Register article he's quoted in. "No-one is going to completely lose Internet service as a result of the signed root -- or indeed any DNSSEC deployment efforts -- and I certainly didn't say that," he says. "The worst that is going to happen is that a tiny minority of users behind mis-configured firewall or middleware boxes may experience some performance degradation when their clients have to attempt alternative paths for resolving names," says Mitchell of the May 5 upgrade.

Apparently, "Highly Technical Upgrade May Cause Very Small Problem" wasn't as hit-generating as claiming the world might end. Users interested in learning more about DNSSEC can head to our security forum where users are discussing the upgrade and how to test your ISP for DNSSEC preparedness and possible problems next week. Meanwhile, this 2008 report (pdf) examines which home networking gear could be impacted (most of which have already been updated to tackle the problem).

Update: Comcast's Chris Griffiths stops by our comments to add Comcast's thoughts on next week's changes and to reiterate the fact that this really isn't anything to worry about:
quote:
The folks who are working on getting the root signed have done a lot of detailed analysis and have taken great care not to impact any DNS services on the Internet. The fact that most DNS systems out on the Internet are neither doing DNSSEC validation, nor even EDNS0 (which deals with larger payload sizes for DNS packets) means there will most likely be no impact to end users on May 5th. As more domains get signed and DNS resolvers that people use (like the Comcast DNSSEC trial) begin doing validation and utilizing EDNS0, you may see more operational issues with end user systems. This is why we are currently testing out DNSSEC in a production trial and testing and providing feedback to our customers and the Internet community here: www.dnssec.comcast.net.
Update 2: David Ulevitch, Founder & CEO of OpenDNS, also stopped by our comments to clarify that they actually will be supporting DNSSEC, though Ulevitch feels DNSSEC "isn't the right answer":
quote:
Just a clarification... while we support and endorse DNSCurve, we will ultimately be supporting DNSSEC also. They aren't mutually exclusive. I think most vendors would agree DNSSEC isn't the right answer, but publicly there's just too much of a groundswell of support around it not to support it due to peer pressure in the DNS community.

Most recommended from 26 comments

ScottMo (MVM, joined 2000-12-15, New York, NY), 2 recommendations:

That's not what El Reg said

"While the vast majority of users are expected to endure the transition to DNSSEC smoothly, users behind badly designed or poorly configured firewalls, or those subscribing to dodgy ISPs could find themselves effectively disconnected."

Direct quote.

Nothing there to say the regular Joe Internet is going to lose service. The Register goes to further clarify:

Keith Mitchell, head of engineering at root server operator Internet Systems Consortium ... said he's also concerned about ISPs that rewrite DNS answers as they pass across their networks. Some ISPs do this to redirect their customers to cash-making search pages when they're trying to find a non-existent website. In China, ISPs use the same method to censor websites.

“They're doing a lot of fiddling along the way and it's by no means clear to me that the fiddling is aware of DNSSEC,” he said.

Valid point, no?