DJB and root ns server dnssec signing

krad kraduk at googlemail.com
Mon Apr 19 11:12:32 UTC 2010


Hi,

Not strictly a FreeBSD question, this, but I'm feeling jittery about it as I
can't afford it to go wrong.

As you are probably aware, the root zones are going to be signed soon. I run
a number of heavily used DNS caches (~600-900 queries/sec) running djb
dnscache. From what I can see dnscache doesn't support DNSSEC and EDNS, and
as these boxes are caches they will be querying the root NS a lot. They are
also not behind a discrete firewall, so it's not that dropping the large UDP
packets. I can't find any categorical answer to whether I will get an issue
here and this makes me nervous. Can anyone offer any advice or pointers on
this?

$ dig @test.server +short rs.dns-oarc.net txt
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"212.139.132.43 DNS reply size limit is at least 490"
"212.139.132.43 lacks EDNS, defaults to 512"
"Tested at 2010-04-19 10:42:04 UTC"


I would upgrade the NS to BIND, but historically there were issues with BIND
on these boxes, so if I were to do this I would need to upgrade to 8-STABLE
(they are a mixture of 4, 5 and 6) where I can safely use threaded BIND. All of
these boxes are remote and heavily active, so with the time constraints that
isn't that desirable.
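The OARC test quoted above measures one thing: the UDP reply size a resolver advertises, which is 512 bytes when the query carries no EDNS0 OPT record. The example below, added here and not part of the original post, shows the mechanics on the wire: a query with and without an OPT pseudo-RR, how an authoritative server reads the advertised size and the DO bit from it, and what happens when the answer does not fit (TC bit, TCP retry). It also encodes the rule from RFC 3225 that a server only adds RRSIG records when the DO bit is set, which a non-EDNS query cannot set. The DNSKEY and RRSIG records are constructed filler with plausible sizes, not real root keys; the server-side truncation is a header-only TC reply, which is a simplification.

```python
"""EDNS0 buffer-size negotiation and truncation, in miniature (added example)."""
import struct

TYPE_OPT, TYPE_DNSKEY, TYPE_RRSIG = 41, 48, 46
CLASS_IN = 1
DEFAULT_UDP_PAYLOAD = 512   # what a server assumes when the query carries no OPT RR
DO_FLAG = 0x8000            # DNSSEC OK bit in the OPT record's TTL field (RFC 3225)
TC_FLAG = 0x0200            # TrunCation bit in the header flags (RFC 1035)


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels; '.' becomes a single 0x00."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234, edns_payload=None, dnssec_ok=False):
    """Build a query. edns_payload=None gives a legacy (non-EDNS) query, which is
    what a resolver without EDNS support sends; otherwise an OPT pseudo-RR
    advertising that UDP size is appended, with DO set if dnssec_ok."""
    arcount = 0 if edns_payload is None else 1
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)       # RD=1
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_payload is not None:
        ttl = DO_FLAG if dnssec_ok else 0
        # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_payload, ttl, 0)
    return msg


def _skip_name(msg, off):
    """Return the offset just past the name starting at off (handles pointers)."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if n == 0:
            return off
        off += n


def advertised_udp_size(query):
    """Server-side view of a query: (largest UDP reply the client accepts, DO bit).
    No OPT record means 512 bytes and no DNSSEC records in the reply."""
    qd, an, ns, ar = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(query, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(query, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return max(rclass, DEFAULT_UDP_PAYLOAD), bool(ttl & DO_FLAG)
    return DEFAULT_UDP_PAYLOAD, False


def build_response(query, rrs):
    """Constructed server answer: echo the question, append (name, type, ttl, rdata)
    answer records. Illustration only; a real reply would also echo an OPT RR."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = _skip_name(query, 12) + 4
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rrs), 0, 0) + query[12:qend]
    for name, rtype, ttl, rdata in rrs:
        msg += encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return msg


def udp_reply(full_response, limit):
    """Server side: send as-is if it fits the client's limit, otherwise a truncated
    reply (header only, TC=1) telling the client to retry over TCP."""
    if len(full_response) <= limit:
        return full_response
    txid, flags = struct.unpack("!HH", full_response[:4])
    return struct.pack("!HHHHHH", txid, flags | TC_FLAG, 0, 0, 0, 0)


def needs_tcp_retry(reply):
    """Client side: a TC=1 reply must be retried over TCP."""
    return bool(struct.unpack("!H", reply[2:4])[0] & TC_FLAG)


def exchange(query, base_rrs, sig_rrs):
    """One query through the server logic: RRSIGs are included only when the
    client set DO, and the reply is truncated if it exceeds the advertised size."""
    limit, dnssec_ok = advertised_udp_size(query)
    rrs = base_rrs + (sig_rrs if dnssec_ok else [])
    reply = udp_reply(build_response(query, rrs), limit)
    return {"limit": limit, "dnssec_ok": dnssec_ok,
            "reply_len": len(reply), "tcp_retry": needs_tcp_retry(reply)}


# Constructed stand-in for a signed apex DNSKEY RRset: sizes resemble a 1024-bit
# ZSK, a 2048-bit KSK and two RRSIGs, but the bytes are filler, not real keys.
DNSKEY_RRS = [(".", TYPE_DNSKEY, 172800, b"\x01\x00\x03\x08" + b"\xaa" * 126),
              (".", TYPE_DNSKEY, 172800, b"\x01\x01\x03\x08" + b"\xbb" * 256)]
RRSIG_RRS = [(".", TYPE_RRSIG, 172800, b"\xcc" * 280),
             (".", TYPE_RRSIG, 172800, b"\xdd" * 280)]

if __name__ == "__main__":
    cases = [("no EDNS", build_query(".", TYPE_DNSKEY)),
             ("EDNS 4096 + DO", build_query(".", TYPE_DNSKEY, edns_payload=4096, dnssec_ok=True)),
             ("EDNS 512 + DO", build_query(".", TYPE_DNSKEY, edns_payload=512, dnssec_ok=True))]
    for label, q in cases:
        print(label, exchange(q, DNSKEY_RRS, RRSIG_RRS))
```

The three cases map onto the OARC result in the post: the non-EDNS query advertises 512 and gets an unsigned 429-byte answer that fits; the EDNS query with DO and a 4096-byte buffer gets the 1011-byte signed answer in one UDP packet; the EDNS query with DO but only 512 bytes of buffer gets a TC reply and must fall back to TCP. Under these assumptions the large, truncated replies only arise when DO is set.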

