DJB and root ns server dnssec signing

krad kraduk at googlemail.com
Mon Apr 19 12:12:42 UTC 2010


On 19 April 2010 13:06, Vincent Hoffman <vince at unsane.co.uk> wrote:

> On 19/04/2010 12:12, krad wrote:
> > Hi,
> >
> > Not strictly a freebsd question this but I'm feeling jittery about this
> > as I can't afford it to go wrong.
> >
> > As you are probably aware the root zones are going to be signed soon. I
> > run a number of heavily used dns caches (~ 600-900 queries / sec) running
> > djb dnscache. From what I can see dnscache doesn't support dnssec and edns
> > and as these boxes are caches they will be querying the root ns a lot. They
> > are also not behind a discrete firewall, so it's not that they're dropping
> > the large udp packets. I can't find any categorical answer to whether I will
> > get an issue here and this makes me nervous. Can anyone offer any advice or
> > pointers on this?
> >
> > $ dig @test.server +short rs.dns-oarc.net txt
> > rst.x476.rs.dns-oarc.net.
> > rst.x485.x476.rs.dns-oarc.net.
> > rst.x490.x485.x476.rs.dns-oarc.net.
> > "212.139.132.43 DNS reply size limit is at least 490"
> > "212.139.132.43 lacks EDNS, defaults to 512"
> > "Tested at 2010-04-19 10:42:04 UTC"
> >
> >
> > I would upgrade the ns to bind, but historically there were issues with
> > bind on these boxes so if I were to do this I would need to upgrade to
> > 8-stable (they are a mixture of 4,5,6) where I can safely use threaded
> > bind. All of these boxes are remote and heavily active so with the time
> > constraints this isn't that desirable.
> >
> >
> dns/unbound  (http://unbound.net/)  might be a better way to go than
> bind if you just want a dnssec aware caching resolver.
>
> Vince
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"
> >
>

Unfortunately not an option as we have a number of specialized patches
running on the servers. These are available for bind and djb only.
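The test quoted above (rs.dns-oarc.net) reports two separate things: the largest UDP reply the cache was seen to accept, and whether the cache sends an EDNS0 OPT record at all. The OPT record is also what carries the DO (DNSSEC OK) bit, which is what asks a signed zone for RRSIGs. The following is an added example written for this page, not code from the thread or from djbdns: it builds a query with and without an OPT/DO record in wire format, inspects a message to report EDNS advertised size, DO and the TC (truncation) bit, and parses the TXT strings the reply-size test returns. The TXT lines are constructed to match the output quoted above; "test.server" and all sample values are assumed.

```python
"""Added example (not from the mailing-list thread or djbdns):
build EDNS0/DO queries, inspect DNS messages for EDNS and truncation,
and parse the rs.dns-oarc.net reply-size test output."""
import re
import struct

TYPE_OPT = 41          # EDNS0 pseudo-RR type (RFC 2671 / RFC 6891)
TYPE_DNSKEY = 48
DO_FLAG = 0x8000       # DNSSEC OK: high bit of the 16-bit flags inside OPT "TTL"
TC_FLAG = 0x0200       # truncation bit in the header flags

SIZE_RE = re.compile(r"DNS reply size limit is at least (\d+)")
NOEDNS_RE = re.compile(r"lacks EDNS, defaults to (\d+)")


def encode_name(name: str) -> bytes:
    """Dotted name -> uncompressed DNS wire format ("." -> b"\\x00")."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int = TYPE_DNSKEY, edns: bool = True,
                udp_size: int = 4096, do: bool = True, txid: int = 0x1234) -> bytes:
    """Query with RD set; optionally an OPT RR advertising udp_size and DO.
    A resolver without EDNS (like dnscache here) sends the edns=False form."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    if not edns:
        return header + question
    ttl = DO_FLAG if do else 0     # ext-rcode=0, version=0, flags=DO
    # OPT: owner name is root, CLASS field carries the UDP payload size
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return header + question + opt


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a (possibly compressed) wire-format name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer, 2 bytes
            return off + 2
        off += 1 + length


def inspect_message(data: bytes) -> dict:
    """Report TC bit and EDNS parameters (if any OPT RR) of a DNS message."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # QTYPE + QCLASS
    info = {"tc": bool(flags & TC_FLAG), "edns": False, "udp_size": 512, "do": False}
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info.update(edns=True, udp_size=rclass, do=bool(ttl & DO_FLAG))
    return info


def parse_oarc_test(txt_lines) -> dict:
    """Parse `dig +short rs.dns-oarc.net txt` TXT strings (format as quoted
    in the thread) into measured limit and EDNS status."""
    result = {"edns": True, "measured": None, "default": None}
    for line in txt_lines:
        m = SIZE_RE.search(line)
        if m:
            result["measured"] = int(m.group(1))
        m = NOEDNS_RE.search(line)
        if m:
            result["edns"] = False
            result["default"] = int(m.group(1))
    return result


# Constructed sample matching the thread's output (IP and values assumed).
SAMPLE_OARC_OUTPUT = [
    '"212.139.132.43 DNS reply size limit is at least 490"',
    '"212.139.132.43 lacks EDNS, defaults to 512"',
    '"Tested at 2010-04-19 10:42:04 UTC"',
]

if __name__ == "__main__":
    print(inspect_message(build_query(".", edns=True)))
    print(inspect_message(build_query(".", edns=False)))
    print(parse_oarc_test(SAMPLE_OARC_OUTPUT))
```

A resolver that never sends an OPT record never sets DO, so it is not asking for RRSIGs; what `inspect_message` reports on its answers is the TC bit, which is the signal to watch for when a reply would not fit in 512 bytes and the exchange falls back to TCP.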

