by Tech Writer, Heptacube Inc.

2010-05-03 17:21:47


Lots of fear, uncertainty and doubt surrounding the final roll-out of DNSSEC on the world's 13 root servers lead some to believe they will suffer a major Internet outage.


The Internet and its underlying infrastructure are a very complex thing. And as with many complex things that people do not really understand, when news come up about a change in that unknown item's functioning, some may overreact. It seems that the coming of DNS Security Extensions (DNSSEC), that brings a change in the Domain Name Server (DNS) protocol, is no exception. Even article titles suffice to show there is a clear problem in understanding the issue: "Warning: Why your Internet might fail on May 5", DNSSec – And Why the Internet Probably Won’t Break Today", Will DNSSEC kill your internet?

The Domain Name System Security Extensions is, as the name implies, an ensemble of specifications to DNS whose purpose is to secure Internet transmissions. By applying signatures to packets, DNSSEC hopes to prevent a number of harmful practices, such as man-in-the-middle attacks, that take advantage of flaws in the decades-old Domain Name System.

DNSSEC actually is nothing new, having first been taken into consideration in the late 1990's. Various implementation constraints stopped the technique from being readily applicable at the time and revisions and improvements have been made to it over the years. More recently, DNSSEC has been adopted by a number of country-code top-level domains (TLD), such as .br (Brazil), .bg (Bulgaria) and .se (Sweden), and VeriSign has announced in February 2009 that it would deploy DNSSEC to all of its TLD's (.com, .net, etc.) within 24 months. What is more important, though, and the source of so much concern, is the deployment of DNSSEC on the Internet's thirteen root servers.

In fact, this operation has started months ago already. DNSSEC has been rolled out to several of these servers over time, and the remaining ones will adopt it this Wednesday. However, users who may experience some problems accessing the Internet because of their part of the infrastructure not handling DNSSEC properly would not be aware of it until the last root server adopts the new standard.

The DNS protocol usually uses UDP for transmitting data in the form of small packets. UDP is a relatively lightweight transmission protocol and many firewalls and other devices are configured to reject packets larger than 512 bytes, considering them dangerous or malformed. The thing is the extensions added in DNSSEC for signing transmissions make for significantly larger packets. Right now, transmission is re-routed to a non-DNSSEC-enabled root server if too large packets make it unsuccessful. The fear is that once DNSSEC is deployed to all root servers, misconfigured devices will not be able to resolve DNS transmissions through UDP. They could automatically switch to TCP--which readily accepts larger packet sizes--, but this protocol is much more resources-hungry than UDP, so servers can quickly get overwhelmed.

So, is DNSSEC really worth the trouble? Yes and no: DNSSEC is worth it, but it should not be any trouble. Typically, devices should be configured to use an extended version of DNS, called EDNS, when initiating a transmission that requires to be signed. By chance, EDNS allows the reception of packets larger than 512 bytes!

DNS-OARC and RIPE provide tools to test a DNS server's readiness for DNSSEC. Even if it does not enable EDNS, that does not mean it will have issues with DNSSEC though. As long as UDP packets larger than 512 bytes are accepted, everything is fine. Major ISP's and serious network administrators have long been ready for this. So in all logic, no significant "Internet outage" should occur on May 5th. The worst-case scenario is that in some instances, "middleware" devices will have to be tweaked to accept the new, larger packets.