From a network perspective, DNS and DNSSEC packets are very similar;
DNSSEC packets are just bigger, which means DNS is more likely to fall back
to TCP. You should test the following two items to make sure your network is
ready for DNSSEC:
- DNS over TCP: Verify network connectivity over TCP port 53. This may mean
  updating firewall policies or Access Control Lists (ACLs) on routers. See
  the section called “Wait... DNS Uses TCP?” for more details.
- Large UDP packets: Some network equipment, such as firewalls, may make
  assumptions about the size of DNS UDP packets and incorrectly reject DNS
  traffic that appears "too big". You should verify that the responses your
  nameserver generates are being seen by the rest of the world, i.e. test from
  a vantage point outside your own network. See the section called “What's
  EDNS All About (And Why Should I Care)?” for more details.
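The two checks above can be scripted so they are repeatable from an external vantage point. The following is an added example written for this page, not code from the BIND guide or the BIND project: it builds a raw DNS query with an EDNS0 OPT record (DO bit set, 4096-byte advertised buffer, the kind of query that provokes a large DNSSEC answer), sends it to a nameserver over UDP and over TCP, and reports whether TCP/53 is reachable and whether large UDP answers get through while small ones do. The server address, the zone name and the 4096-byte buffer size are assumptions to replace with your own; the packet layout follows RFC 1035 and RFC 6891.

```python
"""Added example (not part of the BIND DNSSEC guide): probe a nameserver for
the two DNSSEC readiness problems named in the text, TCP/53 blocked and
large UDP answers dropped by a middlebox."""
import socket
import struct

DNS_PORT = 53
QTYPE_A = 1
QTYPE_DNSKEY = 48      # a DNSKEY answer with DO set is typically well over 512 bytes
EDNS_OPT = 41
DO_BIT = 0x8000        # DNSSEC OK flag in the OPT TTL field (RFC 6891)
FLAG_RD = 0x0100       # recursion desired
FLAG_TC = 0x0200       # truncated: the server wants us to retry over TCP


def build_query(name, qtype=QTYPE_A, edns=True, bufsize=4096, txid=0x1234):
    """Return a wire-format query; with edns=True an OPT pseudo-RR is appended."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if edns else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    if not edns:
        return header + question
    # OPT RR: root name, type 41, class = advertised UDP payload size,
    # TTL = ext-rcode(0) | version(0) | flags(DO), rdlength 0
    opt = b"\x00" + struct.pack("!HHIH", EDNS_OPT, bufsize, DO_BIT, 0)
    return header + question + opt


def parse_response(data):
    """Pull the fields the readiness check needs out of a response header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "rcode": flags & 0x000F, "tc": bool(flags & FLAG_TC),
            "answers": an, "size": len(data)}


def diagnose(small_udp_ok, large_udp_ok, tcp_ok):
    """Turn the three probe outcomes into findings a network engineer can act on."""
    findings = []
    if not small_udp_ok:
        findings.append("no UDP reply at all: fix basic reachability before testing DNSSEC")
    elif not large_udp_ok:
        findings.append("large UDP answers are dropped: a firewall or router is enforcing a "
                        "DNS size limit (check for a 512-byte assumption)")
    if not tcp_ok:
        findings.append("TCP/53 unreachable: update firewall policies or router ACLs, "
                        "DNSSEC answers that exceed the UDP limit fall back to TCP")
    return findings


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def query_udp(server, query, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, DNS_PORT))
        data, _ = s.recvfrom(65535)
    return data


def query_tcp(server, query, timeout=3.0):
    # TCP DNS frames each message with a 2-byte length prefix (RFC 1035 4.2.2)
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def check_readiness(server, zone):
    """Run the three probes against `server` and return the findings list."""
    small = build_query(zone, QTYPE_A, edns=False)           # classic <=512-byte exchange
    large = build_query(zone, QTYPE_DNSKEY, edns=True)       # DO set: big signed answer
    def ok(fn, q):
        try:
            return parse_response(fn(server, q))["id"] == 0x1234
        except OSError:  # timeout, refused, unreachable
            return False
    # A truncated UDP reply still proves large packets pass; only silence is a failure.
    return diagnose(ok(query_udp, small), ok(query_udp, large), ok(query_tcp, large))


if __name__ == "__main__":
    # Assumed values: point these at your own authoritative server and signed zone,
    # and run from a host outside your network.
    for finding in check_readiness("192.0.2.53", "example.com.") or ["network looks DNSSEC-ready"]:
        print(finding)
```

Run the script from a host outside the network that hosts the nameserver; a small A query that answers while the DNSKEY query over UDP times out is the signature of a middlebox rejecting "too big" DNS, and a TCP failure on its own points at the firewall or ACL rather than at the nameserver.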