According to VeriSign, there have been no serious problems with its ongoing deployment of DNS Security Extensions (DNSSEC) on the Internet’s root servers and on the top-level domain servers that it operates. According to the report on Network World, VeriSign says the only difficulty with its DNSSEC deployments was on some legacy hardware and software such as firewalls and load balancers that can’t handle the larger packets that are sent with DNSSEC.
“The only difficulty that VeriSign has run into with its DNSSEC deployments is that some legacy hardware and software such as firewalls and load balancers can’t handle the larger packets that are sent with DNSSEC.
“‘DNSSEC-enabled traffic is slightly different than the DNS traffic we’ve had in the past. The packets are larger…Based on anecdotal information, there are some pieces of equipment that have issues with this,’ Larson says, pointing out that some network gear has default configurations limiting DNS packets to 512 bytes whereas DNSSEC packets can be as large as 4KB.”
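To check whether gear on your own path has the 512-byte problem described above, the sketch below builds a DNSSEC-style query (EDNS0 OPT record advertising a 4096-byte buffer, DO bit set) and classifies the reply. It is an added example, not code from VeriSign or Network World; the function names and the sample replies are constructed for illustration.

```python
import socket
import struct

LEGACY_LIMIT = 512   # default DNS-over-UDP cap on some legacy gear (per the article)
EDNS_BUFSIZE = 4096  # 4KB, the upper size the article cites for DNSSEC packets

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_dnssec_query(name, qtype=48, txid=0x1234):
    """Query (default type 48 = DNSKEY) with EDNS0: 4096-byte buffer, DO bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL low half holds DO (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_BUFSIZE, 0x8000, 0)
    return header + question + opt

def classify_response(packet):
    """Interpret one UDP reply (or None for a timeout) to a DNSSEC query."""
    if packet is None:
        return "no_response"   # large reply may have been dropped on the path
    if len(packet) < 12:
        return "malformed"
    flags = struct.unpack("!H", packet[2:4])[0]
    if flags & 0x0200:         # TC bit: answer did not fit, resolver must retry over TCP
        return "truncated"
    return "large_ok" if len(packet) > LEGACY_LIMIT else "small"

def probe(server, name=".", timeout=3.0):
    """Send the query to a resolver you operate and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dnssec_query(name), (server, 53))
        try:
            return classify_response(s.recvfrom(EDNS_BUFSIZE)[0])
        except socket.timeout:
            return "no_response"

if __name__ == "__main__":
    # Constructed sample replies (not captured traffic): header flags + padding
    big = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + b"\x00" * 800
    cut = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 1) + b"\x00" * 20
    for label, pkt in (("big", big), ("cut", cut), ("timeout", None)):
        print(label, classify_response(pkt))
```

A `no_response` or `truncated` result for a DNSSEC query, when a plain query to the same server succeeds, points at a firewall or load balancer still enforcing the 512-byte default.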