Announcement: Test Report on DNSSEC impact on SOHO CPE
[with apologies for the cross-postings to multiple lists]

Dear Colleagues,

We would like to announce the publication of a joint study entitled "DNSSEC Impact on Broadband Routers and Firewalls", available for download at:

http://download.nominet.org.uk/dnssec-cpe/DNSSEC-CPE-Report.pdf

In summary (based on 24 tested units):

"... we conclude that just 6 units (25%) operate with full DNSSEC compatibility "out of the box." 9 units (37%) can be reconfigured to bypass DNS proxy incompatibilities. Unfortunately, the rest (38%) lack reconfigurable DHCP DNS parameters, making it harder for LAN clients to bypass their interference with DNSSEC use.

These findings, their potential impact on DNSSEC use by broadband consumers, and implications for router/firewall manufacturers, are presented and analyzed in this report."

Ray Bellis
Senior Researcher in Advanced Projects
Nominet UK

Lisa A. Phifer
President, Core Competence, Inc.
On Mon, 15 Sep 2008, Ray.Bellis@nominet.org.uk wrote:
In summary (based on 24 tested units):
"... we conclude that just 6 units (25%) operate with full DNSSEC compatibility "out of the box." 9 units (37%) can be reconfigured to bypass DNS proxy incompatibilities. Unfortunately, the rest (38%) lack reconfigurable DHCP DNS parameters, making it harder for LAN clients to bypass their interference with DNSSEC use.
Wow. So nothing much changed in almost a year, when this issue was first found by .SE. I was hoping that modern DSL/wifi routers which support 802.11n would have fixed their firmware by now.
These findings, their potential impact on DNSSEC use by broadband consumers, and implications for router/firewall manufacturers, are presented and analyzed in this report. "
The report is excellent. Thank you very much for sharing it with us.

I have two questions.

1) Vendor actions

What are the vendor status and/or responses? Were they contacted? Did they respond? Are they planning updates?

2) base OS?

Is there a similarity in these firmwares? E.g. are they using the same DNS software inside? Perhaps the vendors are not the people we should be talking to? For instance, many Linux-based routers use the "dnsmasq" software. Depending on its status, it might be worth contacting the upstream software provider of the commercial router vendors.

Paul
The report is excellent. Thank you very much for sharing it with us.
You're welcome :)
I have two questions.
1) Vendor actions
What are the vendor status and/or responses? Were they contacted? Did they respond? Are they planning updates?
We did contact vendor technical support, in particular to determine whether any work-arounds exist on those routers that don't appear to allow the DNS settings in the DHCP server to be changed. However, attempts to reach product management types to talk about implementation issues were generally fruitless. I did manage to report my findings to Zyxel UK through an existing contact, though. I'm hoping that some of the vendors will get in touch with me, now that the report is published.
2) base OS?
Is there a similarity in these firmwares? E.g. are they using the same DNS software inside? Perhaps the vendors are not the people we should be talking to? For instance, many Linux-based routers use the "dnsmasq" software. Depending on its status, it might be worth contacting the upstream software provider of the commercial router vendors.
We didn't see any direct evidence of shared code between vendors. We did see some quirks that might suggest commonality (e.g. NAT translation failures) but didn't look for anything to prove a link.

kind regards,

Ray

--
Ray Bellis, MA(Oxon)
Senior Researcher in Advanced Projects, Nominet
e: ray@nominet.org.uk, t: +44 1865 332211
participants (2): Paul Wouters, Ray.Bellis@nominet.org.uk