Possible DNS outage May 5

[Guest]

[npeterson]

On May 5 the top level dns servers will be signed with dnssec. This is a good thing for the internet, but may be a bad thing for endian users.

Endian uses dnsmasq to proxy dns requests from internal to external. However it appears dnsmasq does not support edns replys. This means come may 5 dnsmasq may not be able interpret dns requests from the root name servers.

Here is a site that explains the issue and has a test to check compatibility: https://www.dns-oarc.net/oarc/services/replysizetest

My test failed..

Normally i wouldn't worry and just kill dnsmasq, however it appears that endian will not let  dnsmasq die and will auto-restart it. On top of that it appears that even if you have dns transparent proxy and dns anti-malware disabled,  it does not disable the dns hijacking, and filters everything through dnsmasq.

I have opened 2 new endian bug reports:
dnsmasq does not support edns and cannot bypass - http://bugs.endian.it/view.php?id=2888
Cannot disable dnsmasq for direct root server access.  - http://bugs.endian.it/view.php?id=2889

Can anyone else confirm these results?

[wharfratjoe]

How did you perform these tests on endian? dig and nslookup are not included in endian (as far as I can see)

http://fedoraproject.org/wiki/Features/DNSSEC#How_to_Test