5.03.2010

No, DNSSEC Upgrades Won't Break the Internet Next Week


"Internet users face the risk of losing their internet connections on May 5th when the domain name system switches over to a new, more secure protocol," proclaims the Register, which informs its readers that DNSSEC upgrades could "kill your internet." The article insists that "from May 5th all the DNS root servers will only respond with signed DNSSEC answers," then implies this could cut users off completely. That certainly sounds scary. Would it make you feel any better to learn that most of that isn't true?

DNSSEC stands for Domain Name System Security Extensions. It adds digital signatures to DNS records so that a validating resolver can check that an answer really came from the zone's operator and was not altered on the way, which is meant to defeat attacks such as DNS cache "poisoning" and the phishing redirects that poisoning makes possible. As we mentioned recently, Comcast hopes to have the upgrade installed by the end of 2011 ("if not sooner"), while OpenDNS has said it will use an alternative to DNSSEC dubbed DNSCurve that it claims is simpler and easier to deploy.

Upgrading to DNSSEC is a slow and measured affair that is only now getting off the ground, and despite the Register's claim that the Internet may grind to a halt next Wednesday, all 13 root servers being switched over next week will behave normally toward end users whether or not their ISP is prepared (and most certainly aren't). There is, however, a small problem that could slow name resolution slightly for a very small portion of users, as "El Reg" explains:

Normal DNS traffic uses the UDP protocol, which is faster and less resource-hungry than TCP. Normal DNS UDP packets are also quite small, under 512 bytes. Because of this, some pieces of network gear are configured out of the box to reject any UDP packet of 512 bytes on the basis that it's probably broken or malicious. Signed DNSSEC packets are quite a lot bigger than 512 bytes, and from May 5th all the DNS root servers will respond with signed DNSSEC answers.

Kind of -- except that, as we understand it, root servers only add DNSSEC signatures to answers for queries that explicitly ask for them, by setting the DNSSEC OK (DO) bit in an EDNS0 query. A resolver that doesn't set that bit gets the same small, unsigned answers it gets today. A resolver that does set it also advertises how large a UDP reply it can accept; if the signed answer won't fit, the server marks the reply truncated and the resolver retries over TCP. The snag is a firewall that silently drops any UDP reply larger than 512 bytes: the resolver hears nothing, waits for a timeout, and only then falls back to a smaller buffer or to TCP. In other words? The vast majority of Internet users won't notice a damned thing next week.

Keith Mitchell, head of engineering at root server operator Internet Systems Consortium, takes issue with the very Register article he's quoted in. "No-one is going to completely lose Internet service as a result of the signed root -- or indeed any DNSSEC deployment efforts -- and I certainly didn't say that," he says. "The worst that is going to happen is that a tiny minority of users behind mis-configured firewall or middleware boxes may experience some performance degradation when their clients have to attempt alternative paths for resolving names," says Mitchell of the May 5th upgrade.
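The 512-byte problem and the "alternative paths" Mitchell mentions come down to two mechanics: a root server includes RRSIG records only when the query carries an EDNS0 OPT record with the DNSSEC OK (DO) bit set, and a reply that will not fit the buffer the resolver advertised comes back with the TC bit, which sends the resolver to TCP. The Python below is an added example written for this page, not code from the article, the Register or ISC. Its query-building and parsing functions are pure, the sample replies it checks are constructed inline, and only query_server at the bottom touches the network; pointing it at a.root-servers.net is an assumption about where you would test, not something the article prescribes.

```python
"""Build an EDNS0/DNSSEC root query, inspect the reply and decide whether a
TCP retry is needed. Added example, not code from the article; only
query_server() below touches the network."""
import socket
import struct

DO_BIT = 0x8000          # DNSSEC OK flag, carried in the OPT record's TTL field
TYPE_SOA = 6
TYPE_OPT = 41
CLASSIC_UDP_LIMIT = 512  # largest UDP reply a non-EDNS0 resolver accepts (RFC 1035)


def encode_name(name: str) -> bytes:
    """Wire-format a domain name; "." (the root) becomes a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int = 0x1234,
                dnssec_ok: bool = True, udp_payload_size: int = 4096) -> bytes:
    """Non-recursive query (root servers do not recurse). With dnssec_ok an OPT
    pseudo-record advertising udp_payload_size and the DO bit is appended; that
    is what makes a root server include RRSIG records in its answer."""
    flags = 0x0000  # QR=0, OPCODE=QUERY, RD=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if dnssec_ok else 0)
    packet = header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    if dnssec_ok:
        # OPT: NAME=root, TYPE=41, CLASS=UDP payload size,
        # TTL=ext-rcode(8)|version(8)|DO(1)|Z(15), RDLENGTH=0
        packet += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, DO_BIT, 0)
    return packet


def parse_response(data: bytes) -> dict:
    """Decode the 12-byte header and report what matters for the 512-byte
    problem: reply size, the TC (truncated) bit and the RCODE. Records are
    counted, not decoded."""
    if len(data) < 12:
        raise ValueError("short DNS packet")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "answers": an, "authority": ns, "additional": ar,
        "size": len(data),
        "exceeds_512": len(data) > CLASSIC_UDP_LIMIT,
    }


def needs_tcp_fallback(reply: dict) -> bool:
    """A truncated UDP reply tells the resolver to retry over TCP, the
    'alternative path' whose extra round trips users may notice."""
    return reply["is_response"] and reply["truncated"]


def make_reply(query: bytes, truncated: bool, padding: int) -> bytes:
    """CONSTRUCTED sample reply for offline testing, not real root-server data:
    echoes the query id and question with QR (and optionally TC) set, then
    appends `padding` filler bytes standing in for answer and RRSIG records."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0200 if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:] + b"\x00" * padding


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def query_server(server: str, qname: str = ".", qtype: int = TYPE_SOA,
                 dnssec_ok: bool = True, timeout: float = 3.0) -> dict:
    """Send the query over UDP and, if the reply is truncated, retry over TCP
    (two-byte length prefix) the way a resolver would. Needs network access."""
    q = build_query(qname, qtype, dnssec_ok=dnssec_ok)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(q, (server, 53))
        reply = parse_response(u.recv(65535))
    reply["transport"] = "udp"
    if needs_tcp_fallback(reply):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as t:
            t.settimeout(timeout)
            t.connect((server, 53))
            t.sendall(struct.pack("!H", len(q)) + q)
            length = struct.unpack("!H", _recv_exact(t, 2))[0]
            reply = parse_response(_recv_exact(t, length))
        reply["transport"] = "tcp"
    return reply


if __name__ == "__main__":
    # Assumed test target: A-root. The plain query should come back small and
    # unsigned; the DO-bit query should be well over 512 bytes. If the second
    # one times out, something on the path is dropping large UDP replies.
    for do in (False, True):
        r = query_server("a.root-servers.net", dnssec_ok=do)
        print(f"DO={do}: {r['size']} bytes via {r['transport']}, "
              f"truncated={r['truncated']}, over_512={r['exceeds_512']}")
```

The same comparison can be made with dig, which takes the relevant knobs directly: `dig +norecurse +dnssec +bufsize=4096 . SOA @a.root-servers.net` for the signed case and the same command without `+dnssec` for the plain one; `+tcp` forces the fallback path. A signed reply that arrives with `+tcp` but times out over UDP is the firewall symptom the article is about.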

Apparently, "Highly Technical Upgrade May Cause Very Small Problem" wasn't as hit-generating as claiming the world might end. Readers interested in learning more about DNSSEC can head to our security forum, where users are discussing the upgrade, how to test your ISP for DNSSEC preparedness, and what problems might show up next week.

Internet users are not without choice, however, as OpenDNS provides a free service to anyone looking for alternatives.