Feeds

Will DNSSEC kill your internet?

5 May will sort the men from the boys

Top 5 reasons to deploy VMware with Tegile

Internet users face the risk of losing their internet connections on 5 May when the domain name system switches over to a new, more secure protocol.

While the vast majority of users are expected to endure the transition to DNSSEC smoothly, users behind badly designed or poorly configured firewalls, or those subscribing to dodgy ISPs could find themselves effectively disconnected.

DNSSEC adds digital signatures to normal DNS queries, substantially reducing the risk of falling victim to man-in-the-middle attacks such as the Kaminsky exploit, which caused widespread panic in July 2008.

The standard is currently being rolled out cautiously to the internet's DNS root servers. In May, when all 13 roots are signed, anybody with an incompatible firewall or ISP will know about it, because they won't be able to find websites or send email.

Why? Here comes the science bit. Normal DNS traffic uses the UDP protocol, which is faster and less resource-hungry than TCP. Normal DNS UDP packets are also quite small, under 512 bytes.

Because of this, some pieces of network gear are configured out of the box to reject any UDP packet over 512 bytes on the basis that it's probably broken or malicious. Signed DNSSEC packets are quite a lot bigger that 512 bytes, and from 5 May all the DNS root servers will respond with signed DNSSEC answers.

Keith Mitchell, head of engineering at root server operator Internet Systems Consortium, said his biggest fear is for large enterprises with sprawling networks.

“There are a lot of firewalls and other middleware boxes out there that make the assumption that there are only small UDP packets,” he said. “Several times a month we receive reports of problems like this.”

Sometimes these devices will failover to TCP, which drains bandwidth and hardware resources because it uses handshaking to set up connections.

Mitchell said he's also concerned about ISPs that rewrite DNS answers as they pass across their networks. Some ISPs do this to redirect their customers to cash-making search pages when they're trying to find a non-existent website. In China, ISPs use the same method to censor websites.

“They're doing a lot of fiddling along the way and it's by no means clear to me that the fiddling is aware of DNSSEC,” he said.

The solution to the problem is Extension Mechanisms for DNS, EDNS0, a decade-old IETF standard that is not yet universally implemented. Mitchell said ISPs and enterprises need to ensure that their gear can handle EDNS0 to avoid problems with the transition.

You can test whether your current DNS resolver is capable of handling DNSSEC, by following the instructions at DNS-OARC or running a Java app that can be downloaded from RIPE.

Home users using residential hubs should not panic if these tests return scary results. According to Mitchell, it currently only matters that the ISP supports DNSSEC. A dodgy Netgear box is not enough to kill your internet... cross fingers. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
FCC, Google cast eye over millimetre wireless
The smaller the wave, the bigger 5G's chances of success
It's even GRIMMER up North after MEGA SKY BROADBAND OUTAGE
By 'eck! Eccles cake production thrown into jeopardy
Mobile coverage on trains really is pants
You thought it was just *insert your provider here*, but now we have numbers
Don't mess with Texas ('cos it's getting Google Fiber and you're not)
A bit late, but company says 1Gbps Austin network almost ready to compete with AT&T
HBO shocks US pay TV world: We're down with OTT. Netflix says, 'Gee'
This affects every broadcaster, every cable guy
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.