Post Fri Apr 30, 2010 7:23 pm

DNSSEC Rollout May Cause Internet Slowdowns: Melbourne IT Exec

http://www.thewhir.com/web-hosting-news/043010_DNSSEC_Rollout_May_Cause_Internet_Slowdowns_Melbourne_IT_Exec

(WEB HOST INDUSTRY REVIEW) -- Early next month, the world's top domain authorities, headed by ICANN, the US Government and Verisign, will complete the first phase of the rollout of Domain Name System Security Extensions across the entirety of the 13 root servers that translate user requests to corresponding websites. These larger requests, however, may not sit well with older networking equipment.

In a Twitter post at the ICANN meeting in Seoul, Korea, Dr Bruce Tonkin, Chief Strategy Officer for Melbourne IT Limited, noted that "adding DNSSEC at the root will be the biggest and most dynamic change to the root system."

And while it will provide major benefits in terms of security, it appears that this change is too much for some hardware. As the May 5 deployment nears, Tonkin talked with Australian news service, itnews, noting that some networking equipment blocks single packets of data that are greater than 512 bytes in size automatically, assuming that such packets are anomalies. "The bigger answer coming back from the DNS request might get blocked by some Internet devices in the Corporate network," he said.

At 1pm EST on May 5, all DNSSEC messages, with signature, will be sent back to a user's DNS resolver. Itnews reports that these messages will be four times larger than before and perhaps be sent in multiple packets via TCP.

While DNSSEC has already been deployed on most of the world's 13 root servers, as part of an effort starting in December 2009, it would only have resulted in a minor delay in webpages loading for those with outdated network equipment, because requests made to one root server that do not receive a response are sent to another until a response is received. On May 5, however, all 13 root servers will feature DNSSEC signatures, eliminating that failover.

Managers, however, will have some time to deal with this change. The signatures sent next month are dummies to test the system, becoming real on July 1.
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
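
The size limit the article describes can be checked offline. The sketch below is an added example, not part of the original post or the quoted article: it builds a DNS query that advertises EDNS0 with the DNSSEC OK (DO) bit, then classifies replies against the 512-byte UDP limit and the TCP fallback. The function names and the padded sample replies are hypothetical and constructed for illustration.

```python
import struct

LEGACY_UDP_LIMIT = 512  # largest DNS-over-UDP message without EDNS0 (RFC 1035)

def build_query(name, qtype=48, edns_size=4096, dnssec_ok=True, txid=0x1234):
    """Build a DNS query (default type 48 = DNSKEY); edns_size=0 omits EDNS0."""
    arcount = 1 if edns_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # class IN
    if edns_size:
        ttl = 0x8000 if dnssec_ok else 0  # DO bit sits in the OPT record's TTL field
        # OPT pseudo-record: root name, type 41, class = advertised UDP size
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, ttl, 0)
    return msg

def assess_response(msg):
    """Classify a reply the way a path enforcing the 512-byte limit would treat it."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    flags = struct.unpack("!H", msg[2:4])[0]
    if flags & 0x0200:  # TC bit: server truncated, resolver retries over TCP
        return "retry-tcp"
    if len(msg) > LEGACY_UDP_LIMIT:
        return "needs-large-udp"
    return "legacy-ok"

def constructed_reply(size, truncated=False):
    """Constructed sample: a DNS header padded to `size` bytes (not real root data)."""
    flags = 0x8400 | (0x0200 if truncated else 0)
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0).ljust(size, b"\x00")

if __name__ == "__main__":
    print(len(build_query(".")), "byte query with EDNS0 and DO set")
    for reply in (constructed_reply(480), constructed_reply(800),
                  constructed_reply(512, truncated=True)):
        print(len(reply), assess_response(reply))
```

A reply classed as `needs-large-udp` is the one a device blocking DNS packets over 512 bytes would drop, and `retry-tcp` only succeeds if TCP port 53 is also permitted on the path.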