.@ Tony Finch – blog

If you are a DNS, network, or firewall operator, you need to be aware that the root zone of the DNS is going to be signed with DNSSEC in stages during the first half of 2010.

You need to ensure that any packet filters between your recursive DNS resolvers and the public Internet do not block UDP DNS packets larger than 512 bytes, and that they do not block fragmented UDP packets, and that they do not block ICMP "fragmentation needed" packets, and that they do not block DNS-over-TCP.

The reason for this is that DNSSEC makes DNS packets larger, since as well as the answer they must also contain a cryptographic proof that the answer is correct. Misconfigurations that are benign with insecure DNS can cause problems with the move towards DNSSEC. The DNS Operations and Analysis Research Centre has a reply size tester which you can use to check that your systems are compatible with large DNS reply packets.

See these presentation slides for some details on the process of signing the root zone. See this blog post from RIPE, operators of the K root server, for some information about how they are preparing for the change.

ICANN have published a paper about the predicted effects of DNSSEC on broadband routers and firewalls. Gaurab Raj Upadhaya has published a few slides about EDNS0, the DNS extension protocol that enables large packets.

Please go out and check your DNS resolvers before they break!