Skip to main content

SAC 035 | Executive Summary of Test Report: DNSSEC Impact on Broadband Routers and Firewalls

[PDF, 391 KB]

During July and August 2008, Core Competence and Nominet UK, the registry for .UK, collaborated to assess the impact of DNSSEC on residential Internet router and SOHO firewall devices commonly used with broadband access services. Shinkuro, Inc., The Internet Society, ICANN, and Afilias, Ltd supported core Competence’s participation in this study.

Two dozen residential Internet router and SOHO firewall devices commonly used with broadband services were tested under closed controlled test beds to determine whether each unit correctly routes or proxies:

  • DNS queries requiring TCP or EDNS0 to convey lengthy DNSSEC responses
  • Non-DNSSEC queries on signed and unsigned domains
  • Non-DNSSEC queries that set other DNSSEC-related request flags
  • DNSSEC queries that request server-side validation
  • DNSSEC queries that request no server-side validation

Published market research, broadband provider websites, and retail "best seller" lists were to identify the most widely deployed equipment supplied by broadband providers, or purchased by consumers and organizations for Small and Home Office networks.

The summary of findings is reproduced here:

  • All 24 units could route DNSSEC queries addressed to upstream resolvers (referred to herein as route mode) without size limitations.
  • 22 units could proxy DNS queries addressed directly to them (referred to herein as proxy mode), with varying degrees of success.
  • 6 of 22 DNS proxies had difficulty with DNSSEC-related flags and/or validated responses that effectively prevented DNSSEC use in proxy mode.
  • 16 of 22 DNS proxies could successfully pass DNSSEC queries and return validated responses of some size.
  • 18 DNS proxies limited responses over UDP to either 512 bytes or a size constrained by the MTU. Only 4 could return responses over UDP up to 4096 bytes, while just 1 could proxy DNS over TCP (no size limit). Such limits can interfere with returning longer DNSSEC responses.
  • When deployed with factory defaults, 15 units are likely to be used as DNS proxies, while 3 always route DNS queries. The rest (6) vary over time, preferring to route DNS after being connected to a WAN.

The report concludes that that only 6 units (25%) operate with full DNSSEC compatibility using the default or "out of the box" configuration. Nine (9) units (37%) can be reconfigured to bypass DNS proxy incompatibilities. The remaining percent of units (38%) lack reconfigurable DHCP DNS parameters, making it harder for LAN clients to bypass their interference with DNSSEC use.

The report offers several, additional, significant conclusions:

  • domain signing will have no impact on broadband consumers that do not use DNSSEC
  • consumers are encouraged to upgrade to the latest firmware for the products they operate to assure they become DNSSEC-ready at the earliest opportunity
  • manufacturers are encouraged to avoid further implementation delay to ease the introduction of DNSSEC. (Note: Several technical recommendations accompany this conclusion and all merit the manufacturers’ attention.)
  • manufacturers are also encouraged to consider additional DNS security measures; specific emphasis is placed on removing open resolver, cache poisoning and source spoofing vulnerabilities

Per unit test results have been made available along with the report.

Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as"""" is not an IDN."