More Secure Domain Name System Might Kill Connections on 5th May

First published: 14th April 2010

On 5th May 2010 the Internet's root name servers are due to change over to serving a DNSSEC-signed root zone. DNSSEC adds digital signatures to DNS responses, so that a validating resolver can reject forged responses and a man-in-the-middle or cache-poisoning attacker cannot silently direct users to fake websites. In most cases users will get the increased security completely transparently. However, the signatures make UDP responses considerably larger. DNS over UDP was originally limited to 512 bytes, and larger responses depend on the EDNS0 extension; some equipment on the Internet still treats a UDP DNS packet over 512 bytes as damaged or malicious and drops it. Firewalls are the most likely culprits. Because a dropped packet carries no truncation flag, the resolver never learns that it should retry over TCP; it simply waits for a reply that never comes, so the symptom is a lookup that hangs and then fails rather than an explicit error.

Keith Mitchell, head of engineering at root server operator Internet Systems Consortium, says his chief concern is large enterprises with sprawling networks. However, many Small Office / Home Office (SOHO) devices may be affected too. Tests at Yui Kee have shown that at least one small router, the Linksys BEFSX41, blocks large UDP packets when its Stateful Packet Inspection firewall option is turned on. Business-class firewalls have configurable rules that can be edited to resolve the issue, but consumer-class devices like the BEFSX41 usually have a simple on/off setting, leaving the user to choose between firewall protection and large UDP packets.
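To see whether a particular resolver path drops large UDP replies, the following Python script, added here as a worked example and not a tool from the article, from Yui Kee, DNS-OARC or RIPE, sends two UDP queries for the root DNSKEY RRset with the DNSSEC OK bit set: one advertising a 4096-byte EDNS0 buffer, which invites a reply well over 512 bytes, and one advertising the classic 512-byte limit. A reply to the small probe but silence on the large one is the signature of the firewall behaviour described above. Only the standard library is used; the resolver address 192.0.2.53 is a placeholder, and the byte strings used for checking are constructed, not captured replies.

```python
"""Probe a recursive resolver for its ability to deliver DNS replies over
UDP that exceed 512 bytes.  Added example; placeholder resolver address."""
import secrets
import socket
import struct

DNS_PORT = 53
TYPE_DNSKEY = 48          # the signed root DNSKEY RRset is well over 512 bytes
TYPE_OPT = 41             # EDNS0 pseudo-RR (RFC 6891)
CLASS_IN = 1
FLAG_RD = 0x0100          # recursion desired
FLAG_TC = 0x0200          # reply was truncated
DO_BIT = 0x00008000       # "DNSSEC OK" bit in the OPT record's TTL field (RFC 4035)


def encode_name(name):
    """Wire-format a domain name ("." or "" is the root: a single zero byte)."""
    if name in ("", "."):
        return b"\x00"
    wire = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def build_query(qname, qtype, txn_id, udp_payload_size=4096, dnssec_ok=True):
    """Return a DNS query with one question plus an EDNS0 OPT record in the
    additional section advertising udp_payload_size bytes of reply buffer."""
    header = struct.pack("!HHHHHH", txn_id, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS field carries the UDP payload size,
    # TTL field carries extended RCODE / version / flags (DO), RDLENGTH=0.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size,
                                DO_BIT if dnssec_ok else 0, 0)
    return header + question + opt


def parse_header(reply):
    """Extract the header fields the diagnosis needs from a DNS reply."""
    txn_id, flags, _qd, an, _ns, ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "id": txn_id,
        "rcode": flags & 0x000F,
        "tc": bool(flags & FLAG_TC),
        "size": len(reply),
        "answers": an,
        "additional": ar,
    }


def send_udp(resolver, query, timeout=3.0, bufsize=65535):
    """Send one UDP query and return the matching reply, or None on timeout."""
    txn_id = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, DNS_PORT))
        try:
            while True:
                data, _addr = sock.recvfrom(bufsize)
                if len(data) >= 12 and parse_header(data)["id"] == txn_id:
                    return data          # ignore stray datagrams for other IDs
        except socket.timeout:
            return None


def diagnose(large_reply, small_reply):
    """Interpret the pair of replies (bytes, or None where the probe timed out)."""
    if large_reply is None and small_reply is None:
        return "no reply at all: resolver unreachable or UDP/53 blocked"
    if large_reply is None:
        return ("512-byte probe answered but 4096-byte probe was not: "
                "UDP replies larger than 512 bytes are being dropped on the path")
    hdr = parse_header(large_reply)
    if hdr["tc"]:
        return ("large reply truncated (TC=1): something is capping reply size; "
                "clients will have to retry over TCP")
    if hdr["size"] > 512:
        return "%d-byte reply received intact: path passes large UDP replies" % hdr["size"]
    return "reply is only %d bytes: nothing to conclude about large replies" % hdr["size"]


def probe(resolver, qname=".", qtype=TYPE_DNSKEY, timeout=3.0):
    """Run the large and the small probe against one resolver and diagnose."""
    large = send_udp(resolver, build_query(qname, qtype, secrets.randbelow(65536), 4096), timeout)
    small = send_udp(resolver, build_query(qname, qtype, secrets.randbelow(65536), 512), timeout)
    return diagnose(large, small)


if __name__ == "__main__":
    import sys
    # 192.0.2.53 is a documentation-range placeholder; pass every resolver
    # and forwarder your clients actually use.
    for resolver in sys.argv[1:] or ["192.0.2.53"]:
        print(resolver, "->", probe(resolver))
```

Run it once per recursive resolver and once per forwarder behind them, since a path that is clean to the first hop may still be broken further in. A large reply that arrives with TC=1 is not the same fault as silence: it means something answered but capped the size, and clients will fall back to TCP, which must also be allowed through on port 53.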

Administrators can easily check the DNS resolvers on their network from any client machine, either with the Domain Name System Operations, Analysis, and Research Center's (DNS-OARC) Reply Size Test Server, which is queried with an ordinary TXT lookup and reports back the largest reply that reached the querying resolver, or with the Java tool from RIPE. Administrators should note that their clients may be using several recursive DNS resolvers, and those resolvers may in turn be using several forwarders, so tests should be planned to cover every path. If they find that their resolvers have an issue, they can decide between:


More Information