DNSSEC-aware resolvers

I noticed that  the biggest ISPs in US  (Comcast, AT&T, Sprint, Verizon etc) have made  their resolvers DNSSEC-aware.  This is in response to FCC recommendation  to protect their customers.  The task is easy, just add the root trust anchor in resolvers and enable DNSSEC in configuration file.

In other countries, if ISPs do not want to validate DNSSEC, they should leave this job to corporate users or end users.  In that case, they should not block DNSSEC traffic in their network with UDP larger than 512 bytes.  Not just don’t block, they should set their firewalls in an appropriate way to allow large UDP  payload to go through.  In fact, this requirement is not just for DNSSEC, it is also for IPv6.   When a resolver ask for the name servers of .com from the root zone, 13 name servers, 13 IPv4 addresses and 13 IPv6 addresses will be provided.  The UDP size could be larger than 512 bytes.

No comments: