SAC 035 | Executive Summary of Test Report: DNSSEC Impact on Broadband Routers and Firewalls
[PDF, 391 KB]
During July and August 2008, Core Competence and Nominet UK, the registry for .UK, collaborated to assess the impact of DNSSEC on residential Internet router and SOHO firewall devices commonly used with broadband access services. Shinkuro, Inc., The Internet Society, ICANN, and Afilias, Ltd supported core Competence’s participation in this study.
Two dozen residential Internet router and SOHO firewall devices commonly used with broadband services were tested under closed controlled test beds to determine whether each unit correctly routes or proxies:
- DNS queries requiring TCP or EDNS0 to convey lengthy DNSSEC responses
- Non-DNSSEC queries on signed and unsigned domains
- Non-DNSSEC queries that set other DNSSEC-related request flags
- DNSSEC queries that request server-side validation
- DNSSEC queries that request no server-side validation
Published market research, broadband provider websites, and retail "best seller" lists were to identify the most widely deployed equipment supplied by broadband providers, or purchased by consumers and organizations for Small and Home Office networks.
The summary of findings is reproduced here:
- All 24 units could route DNSSEC queries addressed to upstream resolvers (referred to herein as route mode) without size limitations.
- 22 units could proxy DNS queries addressed directly to them (referred to herein as proxy mode), with varying degrees of success.
- 6 of 22 DNS proxies had difficulty with DNSSEC-related flags and/or validated responses that effectively prevented DNSSEC use in proxy mode.
- 16 of 22 DNS proxies could successfully pass DNSSEC queries and return validated responses of some size.
- 18 DNS proxies limited responses over UDP to either 512 bytes or a size constrained by the MTU. Only 4 could return responses over UDP up to 4096 bytes, while just 1 could proxy DNS over TCP (no size limit). Such limits can interfere with returning longer DNSSEC responses.
- When deployed with factory defaults, 15 units are likely to be used as DNS proxies, while 3 always route DNS queries. The rest (6) vary over time, preferring to route DNS after being connected to a WAN.
The report concludes that that only 6 units (25%) operate with full DNSSEC compatibility using the default or "out of the box" configuration. Nine (9) units (37%) can be reconfigured to bypass DNS proxy incompatibilities. The remaining percent of units (38%) lack reconfigurable DHCP DNS parameters, making it harder for LAN clients to bypass their interference with DNSSEC use.
The report offers several, additional, significant conclusions:
- domain signing will have no impact on broadband consumers that do not use DNSSEC
- consumers are encouraged to upgrade to the latest firmware for the products they operate to assure they become DNSSEC-ready at the earliest opportunity
- manufacturers are encouraged to avoid further implementation delay to ease the introduction of DNSSEC. (Note: Several technical recommendations accompany this conclusion and all merit the manufacturers’ attention.)
- manufacturers are also encouraged to consider additional DNS security measures; specific emphasis is placed on removing open resolver, cache poisoning and source spoofing vulnerabilities
Per unit test results have been made available along with the report.