Coming May 5 - DNSSEC - does this affect dd-wrt?

DD-WRT Forum Index -> Broadcom SoC based Hardware
dellsweig
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1476
Location: New York, USA

Posted: Thu Apr 29, 2010 12:19    Post subject: Coming May 5 - DNSSEC - does this affect dd-wrt?
http://www.dnssec.net/

http://www.theregister.co.uk/2010/04/13/dnssec/

DNSSEC adds digital signatures to normal DNS queries, substantially reducing the risk of falling victim to man-in-the-middle attacks such as the Kaminsky exploit, which caused widespread panic in July 2008.

The standard is currently being rolled out cautiously to the internet's DNS root servers. In May, when all 13 roots are signed, anybody with an incompatible firewall or ISP will know about it, because they won't be able to find websites or send email.


Last edited by dellsweig on Thu Apr 29, 2010 13:02; edited 1 time in total
dellsweig
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1476
Location: New York, USA

Posted: Thu Apr 29, 2010 12:53    Post subject: Re: DNSSEC - does this affect dd-wrt?
dellsweig wrote:
http://www.dnssec.net/

http://www.theregister.co.uk/2010/04/13/dnssec/

DNSSEC adds digital signatures to normal DNS queries, substantially reducing the risk of falling victim to man-in-the-middle attacks such as the Kaminsky exploit, which caused widespread panic in July 2008.

The standard is currently being rolled out cautiously to the internet's DNS root servers. In May, when all 13 roots are signed, anybody with an incompatible firewall or ISP will know about it, because they won't be able to find websites or send email.


Well - anyone?? Will DD-WRT (both standard dns and dnsMasq) have any issues with this??

Looks like there are some protocol changes that could effectively render the router dead if they are not handled correctly

There is a pretty extensive discussion over here:

http://www.dslreports.com/forum/r24163554-Testing-your-router-for-May-5-internet-changes

Along with some tests
dellsweig
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1476
Location: New York, USA

Posted: Thu Apr 29, 2010 12:56    Post subject: Re: DNSSEC - does this affect dd-wrt?
dellsweig wrote:
dellsweig wrote:
http://www.dnssec.net/

http://www.theregister.co.uk/2010/04/13/dnssec/

DNSSEC adds digital signatures to normal DNS queries, substantially reducing the risk of falling victim to man-in-the-middle attacks such as the Kaminsky exploit, which caused widespread panic in July 2008.

The standard is currently being rolled out cautiously to the internet's DNS root servers. In May, when all 13 roots are signed, anybody with an incompatible firewall or ISP will know about it, because they won't be able to find websites or send email.


Well - anyone?? Will DD-WRT (both standard dns and dnsMasq) have any issues with this??

Looks like there are some protocol changes that could effectively render the router dead if they are not handled correctly

There is a pretty extensive discussion over here:

http://www.dslreports.com/forum/r24163554-Testing-your-router-for-May-5-internet-changes

Along with some tests


Additional testing results of some of the routers we use - stock firmware.

http://download.nominet.org.uk/dnssec-cpe/DNSSEC-CPE-Report.pdf
dellsweig
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1476
Location: New York, USA

Posted: Thu Apr 29, 2010 14:41    Post subject: Re: DNSSEC - does this affect dd-wrt?
dellsweig wrote:
dellsweig wrote:
dellsweig wrote:
http://www.dnssec.net/

http://www.theregister.co.uk/2010/04/13/dnssec/

DNSSEC adds digital signatures to normal DNS queries, substantially reducing the risk of falling victim to man-in-the-middle attacks such as the Kaminsky exploit, which caused widespread panic in July 2008.

The standard is currently being rolled out cautiously to the internet's DNS root servers. In May, when all 13 roots are signed, anybody with an incompatible firewall or ISP will know about it, because they won't be able to find websites or send email.


Well - anyone?? Will DD-WRT (both standard dns and dnsMasq) have any issues with this??

Looks like there are some protocol changes that could effectively render the router dead if they are not handled correctly

There is a pretty extensive discussion over here:

http://www.dslreports.com/forum/r24163554-Testing-your-router-for-May-5-internet-changes

Along with some tests


Additional testing results of some of the routers we use - stock firmware.

http://download.nominet.org.uk/dnssec-cpe/DNSSEC-CPE-Report.pdf


What version of DNSmasq is currently used in dd-wrt??

It appears support for the new DNS max packet size is included in 2.52 and there is a work-around for anything older - that can be added to the /etc/dnsmasq.conf file

http://permalink.gmane.org/gmane.network.dns.dnsmasq.general/3859
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13049
Location: Behind The Reset Button

Posted: Thu Apr 29, 2010 14:59    Post subject:
is there some kind of "show" command that will tell you (us) what the max udp packet size is now in dd-wrt?
dellsweig
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1476
Location: New York, USA

Posted: Thu Apr 29, 2010 15:07    Post subject:
barryware wrote:
is there some kind of "show" command that will tell you (us) what the max udp packet size is now in dd-wrt?


It does not appear to be related to max UDP packet size - that is determined by the MTU setting - it is actually the max allowed in a DNS response
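The two posts above (the dnsmasq packet-size question and the MTU-versus-DNS-response-size distinction) turn on one detail: the size a resolver is willing to accept is advertised in the EDNS0 OPT pseudo-record of the DNS message itself, not by any link MTU. The following is an added example, not code from this thread, dd-wrt or dnsmasq: it builds a query carrying an OPT record with a 4096-byte buffer and the DO (DNSSEC OK) bit, constructs a sample signed-looking reply that is larger than the classic 512-byte UDP limit, and parses the reply to report the advertised buffer size, the DO bit and the TC (truncated) flag. The `example.com` name, the 600-byte stand-in for an RRSIG and the `verdict` wording are constructed for illustration. For reference, the dnsmasq setting that controls this on the forwarder side is `edns-packet-max` (its man page documents the option; the default changed across versions, which is what the 2.52 work-around in the thread is about).

```python
import struct

DNS_TYPE_A = 1
DNS_TYPE_RRSIG = 46
DNS_TYPE_OPT = 41
DNS_CLASS_IN = 1
CLASSIC_UDP_LIMIT = 512  # pre-EDNS0 maximum DNS/UDP message size (RFC 1035)


def _encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past the name starting at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _opt_record(udp_payload, do_bit):
    """EDNS0 OPT pseudo-RR: root name, TYPE 41, CLASS carries the UDP buffer size, TTL carries the DO flag."""
    ttl_field = 0x8000 if do_bit else 0
    return b"\x00" + struct.pack(">HHIH", DNS_TYPE_OPT, udp_payload, ttl_field, 0)


def build_query(name, txid=0x1234, qtype=DNS_TYPE_A, udp_payload=4096, do_bit=True):
    """Recursive query for `name` with an OPT record advertising `udp_payload` bytes."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QDCOUNT=1, ARCOUNT=1 (the OPT)
    question = _encode_name(name) + struct.pack(">HH", qtype, DNS_CLASS_IN)
    return header + question + _opt_record(udp_payload, do_bit)


def build_response(query, answers, udp_payload=4096, do_bit=True, truncated=False):
    """Constructed reply to `query`: echoes the question, appends `answers` as (type, ttl, rdata) and an OPT."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    flags = 0x8180 | (0x0200 if truncated else 0)  # QR, RD, RA (+TC)
    header = struct.pack(">HHHHHH", txid, flags, 1, len(answers), 0, 1)
    body = b""
    for rtype, ttl, rdata in answers:
        # 0xC00C is a compression pointer back to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack(">HHIH", rtype, DNS_CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + body + _opt_record(udp_payload, do_bit)


def parse_response(msg):
    """Extract the fields that decide whether a forwarder will pass a large signed reply."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    info = {"length": len(msg), "truncated": bool(flags & 0x0200), "rcode": flags & 0xF,
            "answers": an, "edns": False, "udp_payload": CLASSIC_UDP_LIMIT, "do_bit": False}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == DNS_TYPE_OPT:
            info["edns"] = True
            info["udp_payload"] = rclass  # buffer size lives in the CLASS field, unrelated to any MTU setting
            info["do_bit"] = bool(ttl & 0x8000)
    return info


def verdict(info):
    """One-line interpretation of a parsed reply."""
    if info["truncated"]:
        return "TC set: reply exceeded the advertised buffer, client must retry over TCP"
    if info["length"] > CLASSIC_UDP_LIMIT and not info["edns"]:
        return "oversized reply without OPT: a 512-byte-only forwarder would drop it"
    if info["length"] > CLASSIC_UDP_LIMIT:
        return "large EDNS0 reply (%d bytes) passed intact" % info["length"]
    return "classic-size reply (%d bytes)" % info["length"]


def sample_signed_reply():
    """Constructed sample: an A record plus a 600-byte stand-in for an RRSIG, pushing the reply past 512 bytes."""
    query = build_query("example.com.")
    answers = [(DNS_TYPE_A, 300, bytes([192, 0, 2, 1])),
               (DNS_TYPE_RRSIG, 300, b"\x00" * 600)]  # not a real signature; only its size matters here
    return build_response(query, answers)


if __name__ == "__main__":
    info = parse_response(sample_signed_reply())
    print(info)
    print(verdict(info))
```

Against a live resolver the same check is what `dig +dnssec +bufsize=4096` does: a reply that comes back with TC set, or not at all, while a plain `dig` succeeds, points at a forwarder or firewall that is still limited to the classic 512-byte message size.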
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13049
Location: Behind The Reset Button

Posted: Thu Apr 29, 2010 15:13    Post subject:
dellsweig wrote:
barryware wrote:
is there some kind of "show" command that will tell you (us) what the max udp packet size is now in dd-wrt?


It does not appear to be related to max UDP packet size - that is determined by the MTU setting - it is actually the max allowed in a DNS response


Reading the last link you provided, that is what I meant..

LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7631

Posted: Thu Apr 29, 2010 16:30    Post subject: Re: DNSSEC - does this affect dd-wrt?
dellsweig wrote:

Well - anyone?? Will DD-WRT (both standard dns and dnsMasq) have any issues with this??



Only if you pull your DNS records from one of the 13 DNS root servers or their mirrors.

This is a change from ISPs and up in the chain; the ISPs will continue with the old DNS protocol downwards to their users. No hacker is interested in spoofing that communication.

_________________
Kernel panic: Aiee, killing interrupt handler!
dellsweig
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1476
Location: New York, USA

Posted: Thu Apr 29, 2010 17:01    Post subject: Re: DNSSEC - does this affect dd-wrt?
LOM wrote:
dellsweig wrote:

Well - anyone?? Will DD-WRT (both standard dns and dnsMasq) have any issues with this??



Only if you pull your DNS records from one of the 13 DNS root servers or their mirrors.

This is a change from ISPs and up in the chain; the ISPs will continue with the old DNS protocol downwards to their users. No hacker is interested in spoofing that communication.


Many of us are pulling from DNS servers other than what our ISP provides - for various reasons.

My concern here was that DNSmasq is up to date so as to be able to handle both the additional flags and packet size.

If you follow the following article

http://download.nominet.org.uk/dnssec-cpe/DNSSEC-CPE-Report.pdf

What you say is not entirely true and SOHO and user routers CAN be affected
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7631

Posted: Thu Apr 29, 2010 17:29    Post subject:
dellsweig wrote:


Many of us are pulling from DNS servers other than what our ISP provides - for various reasons.


I doubt that you are pulling from a server that will force you to use DNSSec for pulling records.

If you are in charge of the DNS for a domain with sub domains and have to send DNS updates to a higher level DNS server, then you may be in trouble.
But I don't expect anyone to do that from a SOHO router.

You'll have to look at what problem DNSSec was intended to solve, then you'll also understand that this is not going to affect any end users.

_________________
Kernel panic: Aiee, killing interrupt handler!
albatross83
DD-WRT Novice


Joined: 23 Aug 2009
Posts: 6

Posted: Tue Oct 26, 2010 0:28    Post subject:
LOM wrote:
I doubt that you are pulling from a server that will force you to use DNSSec for pulling records.


Any new info on whether dd-wrt supports DNSSEC? I couldn't find anything other than this post.

Comcast is now forcing DNSSEC on non-"Domain Helper" DNS servers, and will remove the Domain Helper program in 2011 and force DNSSEC on all remaining servers.
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7631

Posted: Tue Oct 26, 2010 3:41    Post subject:
albatross83 wrote:
LOM wrote:
I doubt that you are pulling from a server that will force you to use DNSSec for pulling records.


Any new info on whether dd-wrt supports DNSSEC? I couldn't find anything other than this post.

Comcast is now forcing DNSSEC on non-"Domain Helper" DNS servers, and will remove the Domain Helper program in 2011 and force DNSSEC on all remaining servers.


Well, how does this affect dd-wrt?

_________________
Kernel panic: Aiee, killing interrupt handler!
ccdoggy
DD-WRT User


Joined: 30 Aug 2009
Posts: 455

Posted: Tue Oct 26, 2010 6:10    Post subject:
LOM wrote:
albatross83 wrote:
LOM wrote:
I doubt that you are pulling from a server that will force you to use DNSSec for pulling records.


Any new info on whether dd-wrt supports DNSSEC? I couldn't find anything other than this post.

Comcast is now forcing DNSSEC on non-"Domain Helper" DNS servers, and will remove the Domain Helper program in 2011 and force DNSSEC on all remaining servers.


Well, how does this affect dd-wrt?


I do not know any specifics of this change but I cannot imagine that they would take it to the home level for a very very long time. Just between core DNS servers and ISP servers between each other. Home DNS connections will not use it.

Think about it, they would basically render the internet useless to hundreds of millions of people if they required everyone to use this. Comcast just appears to be applying security throughout their DNS servers to further secure it.

It will only affect DNS servers, I don't think we need to worry about it at all. They must be working on it (ISPs, openDNS, googleDNS,...).

_________________
WNDR3700 moved to openwrt
- my Wireless settings which (300 on 5.0) Wireless Config

Atheros wireless settings Here

WNDR3700 Wiki

OpenVPN configuration I have refined: OpenVPN Config

ALL WNDR3700 users please fill out this short Poll