Editor: 645135144 | 2017-10-07 |
s participation in this study was supported by Shinkuro, Inc., The Internet Society, ICANN, and Afilias, Ltd. The results reported here are the work of Core Competence and Nominet UK, and do not necessarily reflect the views of the sponsors. In addition, the authors would like to thank Patrik Wallström, Joakim Åhlund, and Roy Arends for their assistance during test development.

Test Report: DNSSEC Impact on Broadband Routers and Firewalls
September, 2008 Version 1.0

2. Test Methodology

All DNS queries were executed twice. In the first pass, queries were addressed to an upstream DNSSEC-aware recursive resolver to verify that DNS packets could be routed transparently. For the second pass, queries were addressed directly to the unit under test to exercise router/firewall DNS proxies. These DNS usage styles are referred to throughout this report as route mode and proxy mode, respectively. Nearly all upstream tests were successful; most of our findings pertain to problems with DNS proxy handling of DNSSEC queries and the lengthy responses they can generate. To determine where and how these problems occur, we examined the following cases.

2.1 Test Cases

T) TCP/IP Compatibility: Can the unit route or proxy DNS queries to a DNSSEC-aware resolver over TCP? DNSSEC responses may not fit into one 512-byte UDP packet. When UDP queries fail, clients may revert automatically to TCP. Where neither TCP nor EDNS0 is supported, DNS queries on signed domains may fail. To avoid orthogonal fail-overs during later tests, we determined TCP and UDP support at test start. We then conducted all DNSSEC tests over ........
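An added example, not code from the report: a minimal Python probe for test case T that sends one EDNS0 query with the DO bit set over UDP and then TCP, and classifies each reply header. The DNSKEY query type, the 4096-byte advertised payload size and all function names are assumptions made here; pass `probe()` the upstream resolver's address for route mode or the unit's own LAN address for proxy mode.

```python
import socket, struct

def build_query(name, qtype=48, txid=0x1234, edns_size=None, do=False):
    """DNS query for `name` (default type 48 = DNSKEY); edns_size adds an EDNS0 OPT record."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_size else 0)  # RD=1
    msg += qname + struct.pack("!HH", qtype, 1)  # class IN
    if edns_size:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL flags 0x8000 = DO, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0x8000 if do else 0, 0)
    return msg

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def classify(resp, txid=0x1234):
    """Read the reply header: no-reply, mismatch, truncated (TC=1), ok, or rcode=N."""
    if len(resp) < 12:
        return "no-reply"
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != txid or not flags & 0x8000:  # wrong ID or QR bit clear
        return "mismatch"
    if flags & 0x0200:  # TC: answer did not fit, client should retry over TCP
        return "truncated"
    return "ok" if flags & 0x000F == 0 else f"rcode={flags & 0x000F}"

def probe(server, name, timeout=3.0):
    """Same DO-bit query over UDP then TCP; `server` is the upstream resolver (route mode)
    or the unit's own LAN address (proxy mode)."""
    q, results = build_query(name, edns_size=4096, do=True), {}
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            results["udp"] = classify(s.recvfrom(65535)[0])
    except OSError:  # timed out: query or reply was dropped
        results["udp"] = "no-reply"
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(tcp_frame(q))
            f = s.makefile("rb")
            size = struct.unpack("!H", f.read(2).ljust(2, b"\x00"))[0]
            results["tcp"] = classify(f.read(size))
    except OSError:  # refused, reset or timed out
        results["tcp"] = "no-reply"
    return results
```

A unit that returns `no-reply` on TCP and `truncated` or `no-reply` on UDP in proxy mode, while the same query succeeds in route mode, shows the failure this test case is designed to isolate.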