AFNIC invites network managers to prepare for the signing of the DNS root in May 2010

This evolution aims for increasing the confidence in DNS responses (by authenticating their origin); administrators of networks connected to Internet should be aware that this evolution could cause some service disruptions.

In fact, the changes in the root server configuration could lead to a DNS disconnection risk, and therefore disruption of Internet service in certain cases.

AFNIC’s advice

1. Check whether your network, as well as your DNS service, could be concerned by this potential dysfunction, on a machine where the dig software is set up:
dig +short rs.dns-oarc.net txt
2. Check that the response indicates more than 1500 bytes. For instance:
“203.0.113.1 DNS reply size limit is at least 4023 bytes”
3. Analyze the whole network and the intermediate equipments (firewalls), then make sure that everything has been properly configured, in case the tests indicate that the packets which are bigger than 1500 bytes can’t get through.
4. Another alternative, if you do not have a simple DNS client like dig:

This tool, developed by the RIPE-NCC, requires Java.
5. For end users (company, university or domestic ISP subscriber), please check with your ISP.

Technical background

The DNS root is signed with the DNSSEC technology. In 2010, the root servers will start giving signed responses. From next May , the 13 root DNS servers will send the DNSSEC information. This includes cryptographic signatures, whose size is about five to ten times the standard DNS responses size. These signatures will exceed the DNS 512 bytes previous limit, and sometimes, even the 1500 bytes of the Ethernet MTU (“Maximum Transmit Unit�?), the most widely used on Internet.

In fact, RFC 2671, which extended the 512 bytes limit, was published in August 1999, and is more than ten years old. There are still some firewalls or other network equipments, which are badly designed or not properly configured, and will reject the DNS responses more than 512 bytes long.
Among the equipments which accept longer responses, some of them don’t correctly handle the IP packet fragmentation (For instance: because they may block all the ICMP packets) and therefore, they cannot receive DNS packets larger than the MTU (generally 1500 bytes).

Some of the networks which reject DNS packets larger than 512 bytes, or even the ones which only reject those longer than 1500 bytes, will no longer be able to “communicate�? with the DNS root after May 2010 (Indeed, this means that they will no longer get any response); and therefore, they will practically be unable to access to Internet

Glossary:

DNS: http://fr.wikipedia.org/wiki/Domain_Name_System
DNSSEC: http://fr.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
ICMP: http://fr.wikipedia.org/wiki/Internet_Control_Message_Protocol
MTU: http://fr.wikipedia.org/wiki/Maximum_Transmission_Unit

ROOT: the set of servers spread around the world, and upon which the domain names system relies. These servers have a key role in dispatching the requests to the right name servers of the relevant TLD (Top-Level Domain) such as .fr or.com.

Some useful links:

– The root signing plan announcement

– The official website for the signing project
, with the roll-out timetable
– Instructions for a root server

– Can your DNS server accept any size packet (in French)?

– A French language mailing list about the DNS, where you can
get support from peers

About AFNIC
(Association Française pour le Nommage Internet en Coopération )
Non-profit organization, AFNIC is in charge of the administrative and technical management of the .fr (France) and .re (Reunion Island) Internet domain names.
AFNIC brings together public and private members: representatives from the French government, Internet users and Internet Service Providers (Registrars).
Further information.