DNSSEC - panic or relax?

faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Post by faris »

I've been reading this: http://www.theregister.co.uk/2010/04/13/dnssec/ which implies that from the 11th of May, if your ISP's network and/or your firewall/router doesn't allow UDP packets larger than 512k, then essentially DNS will stop working.

If you then read the comments it talks about how you only need this if your resolver sets the DO bit when doing a query, and goes on to say that Bind does it by default and you can't switch it off.

Having run the test dig from https://www.dns-oarc.net/oarc/services/replysizetest on all our servers and VPSes, I'm getting results like this:

#dig +short rs.dns-oarc.net txt
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"208.69.34.8 lacks EDNS, defaults to 512"
"208.69.34.8 DNS reply size limit is at least 490"
"Tested at 2010-04-13 14:11:11 UTC"

Now in our case, we have set named to forward requests to OpenDNS, hence the 208.69.x.x addresses, which are OpenDNS servers.

I know that we don't need OpenDNS to support DNSSEC - it isn't necessary.

But I simply fail to understand what's going on, and whether there is something I need to worry about.

Doing the same dig but @localhost gives the same results (due to the forwarding, I assume).

The problem is that I can't figure out how to test whether our firewall (apf on everything) and infrastructure will support UDP packets greater than 512 bytes, which is the main problem, I think. I can't even tell if it is important even if it doesn't - I don't think so, but I really can't get my head round this issue at all.

I hope someone else has already puzzled through this and figured out what's going on and what's important and what's not. If so, please can you enlighten us?

Thanks,

Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
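The OARC test in the post above works by seeing whether a query that carries an EDNS0 OPT record gets a large reply back. The following is an added example, not code from the thread or from Atomicorp: it builds such a query (RFC 6891 OPT pseudo-RR with an advertised UDP payload size and the DO bit), and inspects a reply for the three facts the thread turns on: whether the server answered with EDNS at all, what payload size it advertised, and whether it set TC because the answer would not fit. The replies used here are constructed in `make_reply()` so the example runs offline; `probe()` is the only function that touches the network, and the hostname and payload size it defaults to are just illustrative assumptions.

```python
"""Added example (not from the thread): build a DNS query carrying an EDNS0
OPT record and inspect a reply for EDNS presence, advertised UDP payload
size, the DO bit and the TC flag.  Standard library only; the replies used
offline are constructed by make_reply(), not captured from a real server."""
import socket
import struct

TYPE_TXT, TYPE_OPT = 16, 41
DO_BIT = 0x8000      # top bit of the OPT record's TTL field (DNSSEC OK)
FLAG_TC = 0x0200     # truncated-response flag in the DNS header


def encode_name(name):
    """'rs.dns-oarc.net' -> b'\\x02rs\\x08dns-oarc\\x03net\\x00'."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(qname, qtype=TYPE_TXT, edns=True, payload_size=4096,
                do_bit=True, txid=0x1234):
    """Query with RD set.  With edns=False this is the classic query that is
    limited to 512-byte replies; with edns=True an OPT pseudo-RR in the
    additional section advertises payload_size and (optionally) DO."""
    arcount = 1 if edns else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    pkt += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns:
        # OPT: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=ext-rcode|version|flags (DO is the top flag bit), RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, payload_size,
                                      DO_BIT if do_bit else 0, 0)
    return pkt


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer, 2 bytes total
            return off + 2
        off += 1 + length


def inspect_reply(buf):
    """Return the EDNS/TC facts of a DNS message.  No OPT record means
    'lacks EDNS, defaults to 512', as the OARC test phrases it."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    info = {"id": txid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "edns": False, "udp_size": 512, "do": False}
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == TYPE_OPT:
            info.update(edns=True, udp_size=rclass, do=bool(ttl & DO_BIT))
        off += rdlen
    return info


def make_reply(query, txt, edns=True, payload_size=4096, truncated=False):
    """Constructed TXT reply to `query` (id and question copied), for offline use."""
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:_skip_name(query, 12) + 4]
    flags = 0x8180 | (FLAG_TC if truncated else 0)    # QR, RD, RA (+TC)
    pkt = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1 if edns else 0) + question
    rdata = bytes([len(txt)]) + txt.encode()          # one TXT character-string
    pkt += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 60, len(rdata)) + rdata
    if edns:
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, payload_size, 0, 0)
    return pkt


def probe(server, qname="rs.dns-oarc.net", payload_size=4096, timeout=3):
    """Live check (uses the network): send the EDNS query and report what
    came back, or None on timeout.  A timeout with EDNS but an answer
    without it is the symptom the thread worries about: something between
    you and the server drops UDP datagrams larger than 512 bytes."""
    q = build_query(qname, edns=True, payload_size=payload_size)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(65535)
    except socket.timeout:
        return None
    finally:
        s.close()
    return inspect_reply(data)
```

Running `inspect_reply` on the query itself shows the OPT record a BIND-style resolver sends (payload size 4096, DO set); running it on a reply that lacks the OPT record reproduces the "lacks EDNS, defaults to 512" line from the post, and a reply with TC set is what a server returns when it had to fall back to the 512-byte limit and the client should retry over TCP.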
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: DNSSEC - panic or relax?

Post by scott »

If apf breaks that, they made some seriously fundamental errors. Typically you don't have rules crawling that far up the stack unless you're me. Or Mike. But certainly not in something like apf.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: DNSSEC - panic or relax?

Post by faris »

OK, so I guess you are saying "relax" :-)

Faris.