On May 5th, ICANN will upgrade the world's 13 root name servers, which are overseen by the United States government and led by Verisign, to DNSSEC (Domain Name System Security Extensions). The DNSSEC upgrade inserts a digital signature into the responses returned to Internet users' DNS requests, so that the returned domain name address can be verified as untampered.
DNSSEC is designed to prevent man-in-the-middle attacks, in which an attacker hijacks DNS requests and returns a false address to the requesting party. The attack resembles an ordinary DNS redirection: the user is transferred to another URL without noticing.
Bruce Tonkin, chief strategy officer of Melbourne IT and an ICANN director, said the upgrade will take unprepared network administrators by surprise. A standard DNS response is usually a single packet (UDP protocol), generally no larger than 521 bytes; some older network equipment is configured by factory default to block anything bigger, treating an oversized packet as abnormal.
From 17:00 UTC on May 5th, all DNSSEC-signed messages sent to users' DNS resolvers will be up to 2KB, four times the original size. Many network devices may reject packets this large, so the response is likely to be split into multiple packets and sent over TCP.
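The size and TCP-fallback behaviour described above can be checked from a resolver's point of view. The following script is an added example, not code from the article or from ICANN/Verisign: it builds a DNS query carrying an EDNS0 OPT record that advertises a larger UDP buffer (the 4096-byte value is an assumption), parses the header of a response to see whether it exceeds the classic 512-byte UDP limit or has the truncation (TC) bit set, and, for live use, retries over TCP when it does. The sample response bytes are constructed, not captured from a real server.

```python
"""
Added example: EDNS0 query construction and truncation/TCP-fallback check.
Not part of the original article; the sample response below is constructed.
"""
import socket
import struct
from typing import Optional

CLASSIC_UDP_LIMIT = 512  # RFC 1035 maximum DNS message size over plain UDP
EDNS_BUFSIZE = 4096      # UDP payload size advertised in the OPT record (assumed value)


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                edns_bufsize: Optional[int] = EDNS_BUFSIZE) -> bytes:
    """Build a DNS query. When edns_bufsize is set, append an OPT pseudo-record
    (EDNS0, RFC 6891) with the DO bit so a DNSSEC-aware server returns RRSIGs."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # 0x0100 = RD
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    msg = header + question
    if edns_bufsize:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL field = ext-rcode/version/flags with 0x8000 = DO (DNSSEC OK), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0x00008000, 0)
    return msg


def parse_header(resp: bytes) -> dict:
    """Parse the 12-byte DNS header and report size/truncation facts."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),          # truncated: must retry over TCP
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "size": len(resp),
        "exceeds_classic_udp": len(resp) > CLASSIC_UDP_LIMIT,
    }


def needs_tcp_retry(resp: bytes) -> bool:
    """A UDP response with TC=1 is incomplete and must be re-asked over TCP."""
    return parse_header(resp)["tc"]


def query_with_fallback(server: str, name: str, timeout: float = 3.0) -> bytes:
    """Send the query over UDP; if the reply is truncated, repeat it over TCP
    using the 2-byte length prefix of RFC 1035 4.2.2. Needs network access."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(q, (server, 53))
        resp, _ = udp.recvfrom(65535)
    if not needs_tcp_retry(resp):
        return resp
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(struct.pack("!H", len(q)) + q)
        length = struct.unpack("!H", tcp.recv(2))[0]
        data = b""
        while len(data) < length:
            chunk = tcp.recv(length - len(data))
            if not chunk:
                raise ConnectionError("TCP stream closed before full response")
            data += chunk
    return data


# Constructed sample: flags 0x8380 = QR|TC|RD|RA, no records, padded to 600 bytes total
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + b"\x00" * 588

if __name__ == "__main__":
    print("query bytes:", len(build_query("example.com")))
    print("sample response:", parse_header(SAMPLE_TRUNCATED))
```

Run it against a resolver of your own with `query_with_fallback("<resolver ip>", "example.com")`; a device on the path that drops large UDP replies shows up as a timeout on the first leg, while a resolver that honours the limit shows up as TC=1 followed by a successful TCP retry.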
Tonkin is somewhat worried: although DNSSEC has a published time schedule, many IT and network administrators have not tested their old routers and firewalls, and those that cannot pass the larger DNS response packets will run into trouble.
He said: "Devices in the enterprise network may block DNS response packets that are larger than before."
DNSSEC has been rolling out on the world's 13 root servers since November 2009; so far, it has caused only a slight delay in web page loading on networks with many old devices.
Not all DNS root servers respond to every request; the DNS resolver on the user's machine queries the 13 root servers one by one until a satisfactory reply is returned. Once all 13 root servers are online with DNSSEC signatures, none of the responses will get through to the old devices on enterprise networks. Tonkin hopes the large ISPs will solve this problem so that home users are not affected.
He said: "I cannot guarantee that all ISPs are ready. ISPs will translate DNS for you, but the enterprise network may be relatively large, because the enterprise may run its own DNS server."