[Apologies in advance if you have received a similar message from a different mailing list]

The purpose of this email is to raise awareness of the root zone signing that is currently taking place. During the first half of 2010 the DNS root servers will incrementally deploy DNSSEC by introducing a signed root zone. This change aims to provide more confidence in DNS responses by adding signatures that can be validated, with the side effect that responses become larger.

Originally the DNS protocol specified that a response is sent over UDP if it fits in a 512-byte packet; if not, a signal is sent back to the requester to retry over TCP. In 1999, RFC 2671 extended this limit to up to 64k, though in practice 4096 bytes is used, allowing a client to signal its ability to receive a larger response over UDP. Despite the support for larger responses, there are firewalls and other network equipment that, by design or configuration, do not allow DNS responses larger than 512 bytes. Another observable issue is equipment that can handle the larger responses but fails to handle IP fragments, which limits the effective response size to the local MTU (1500 bytes for Ethernet networks).

According to the plan published by the DNS root server operators at http://www.root-dnssec.org/ the deployment will be completed in May 2010. By that time, a network that is unable to receive larger responses will perceive an "Internet blackout". The deployment has already started and root servers A, L, M and I are currently serving a signed zone. The critical point for New Zealand could be when the F and J root servers deploy, given their local presence.

NZRS recommends that users and operators check the ability of their networks to receive such larger packets. To do so, you can use:

1. From a machine with the tool *dig* installed, run

   dig +short rs.dns-oarc.net txt

   This will test the ability of your configured resolver to receive large packets. For details on what to expect from the response and more information about this tool, please check: https://www.dns-oarc.net/oarc/services/replysizetest

2. You can use the tool developed by RIPE NCC to run a similar test (requires Java): http://labs.ripe.net/content/testing-your-resolver-dns-reply-size-issues

NOTE: This is also valid for the signed .ARPA zone announced by Joe Abley recently on this mailing list.

.nz Registry Services
PO Box 24361
Wellington
New Zealand
e support(a)nzrs.net.nz
p 64 4 931 6970
f 64 4 931 6979
w www.nzrs.net.nz
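As an added example (not part of the original message or of the OARC or RIPE NCC tools), the following standard-library Python builds the kind of EDNS0 query that dig sends for this test and walks a reply to see whether the server echoed an OPT record and whether the TC bit forces a fall back to TCP. The two replies are constructed inline for illustration, not captured traffic.

```python
import struct
TXT, OPT = 16, 41  # RR type numbers
def build_query(name, qtype=TXT, udp_size=4096, txid=0x1234):
    """Build a DNS query; udp_size > 512 appends an EDNS0 OPT record (RFC 2671)
    advertising that the client can receive a UDP reply of that size."""
    use_edns = udp_size > 512
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if use_edns else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    if use_edns:  # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=ext RCODE/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)
    return msg

def _skip_name(buf, i):
    """Advance past a wire-format name, including a compression pointer."""
    while True:
        n = buf[i]
        if n == 0:
            return i + 1
        if n & 0xC0 == 0xC0:  # pointer: two bytes, and the name ends here
            return i + 2
        i += 1 + n

def classify_response(resp):
    """Summarise a reply: rcode, TC bit, payload size echoed in the server's OPT record
    (None if absent) and wire length. TC set means the answer did not fit in the
    UDP limit and the client has to retry the query over TCP."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    i = 12
    for _ in range(qd):
        i = _skip_name(resp, i) + 4  # skip QTYPE and QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        i = _skip_name(resp, i)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[i:i + 10])
        if rtype == OPT:
            edns_size = rclass  # for OPT the CLASS field carries the payload size
        i += 10 + rdlen
    return {"rcode": flags & 0xF, "truncated": bool(flags & 0x0200),
            "edns_size": edns_size, "length": len(resp)}

# Constructed sample replies to "rs.dns-oarc.net TXT" (not captured traffic).
_q = b"\x02rs\x08dns-oarc\x03net\x00" + struct.pack("!HH", TXT, 1)
_txt = b"rs.dns-oarc.net: sent EDNS buffer size 4096 (constructed)"
_answer = b"\xc0\x0c" + struct.pack("!HHIH", TXT, 1, 60, len(_txt) + 1) + bytes([len(_txt)]) + _txt
_opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, 0)
# Full answer with OPT echoed back: the path carried the large EDNS reply intact.
REPLY_OK = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + _q + _answer + _opt
# TC set and no answer: a 512-byte-only path, so the resolver must retry over TCP.
REPLY_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + _q
```

Sending build_query() over UDP to a resolver and feeding the reply to classify_response() reproduces what the dig test above checks; a reply with the TC bit set, or no reply at all when udp_size is large, points at the 512-byte or fragment-dropping equipment described above.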