TY - GEN
T1 - Improving Response Deliverability in DNS(SEC)
AU - van den Broek, Gijs
AU - van Rijswijk, Roland
AU - van Rijswijk, Roland M.
AU - Pras, Aiko
AU - Sperotto, Anna
PY - 2012/5
Y1 - 2012/5
N2 - The Domain Name System provides a critical service on the Internet, where it allows host names to be translated to IP addresses. However, it does not provide any guarantees about authenticity and origin integrity of resolution data. DNSSEC attempts to solve this through the application of cryptographic signatures to DNS records. These signatures generally result in larger responses compared to plain DNS responses. Some of these larger responses experience fragmentation, which in turn might be partially blocked by some firewalls. Apparently unresolvable zones may in those cases be a consequence. Analysis of DNS traffic suggests that at least one per cent of all resolvers experience this problem with our signed zones. However, we suspect this number to be much larger. In our presentation we will elaborate on the potential extent of this problem and propose to test two solutions. We intend to test both solutions in our production environment.
AB - The Domain Name System provides a critical service on the Internet, where it allows host names to be translated to IP addresses. However, it does not provide any guarantees about authenticity and origin integrity of resolution data. DNSSEC attempts to solve this through the application of cryptographic signatures to DNS records. These signatures generally result in larger responses compared to plain DNS responses. Some of these larger responses experience fragmentation, which in turn might be partially blocked by some firewalls. Apparently unresolvable zones may in those cases be a consequence. Analysis of DNS traffic suggests that at least one per cent of all resolvers experience this problem with our signed zones. However, we suspect this number to be much larger. In our presentation we will elaborate on the potential extent of this problem and propose to test two solutions. We intend to test both solutions in our production environment.
KW - IR-81272
KW - EWI-22169
KW - DNSSEC
KW - METIS-287973
M3 - Conference contribution
SP - -
BT - TERENA Networking Conference 2012
PB - Trans-European Research and Education Networking Association
CY - Amsterdam, The Netherlands
T2 - TERENA Networking Conference 2012
Y2 - 21 May 2012 through 24 May 2012
ER -