DNSSEC Enabled Root Hints and the impact on us

I need to blog about this because there is a lot of misunderstanding about the Impact of DNSSEC on the Root hints. People might be concerned after reading articles such as the one below, that seem to sensationalize the situation:

Warning: Why your Internet might fail on May 5,


  • DNSSEC will be fully enabled on all Root Hints on 1st of July 2010
  • Enabling DNSSEC on the root servers should not have any catastrophic effect on Windows 2003 R2/SP2 or Windows XP (or 2008/R2/Vista/7). 
  • Everything pre-2008R2/W7 is pretty much DNSSEC-unaware and should not have any interoperability problems. 

Per  http://www.root-dnssec.org/2010/05/05/status-update/  DNSSEC was originally enabled on 2010.01.27 and has been systematically enabled on additional root zone servers during the months of February, March and April 2010. We did not face any issues in the 4 Month of the implementation and neither our customers. At the point when twelve of the thirteen root servers had been transitioned to the DURZ (on the 5th of May 2010), no harmful effected had been identified. 

Had the enabling of DNSSEC on root zone DNS Servers caused a problem, it would have been observed long before the enabling of DNSSEC on the last of 13 root zones. As of 2010.05.07, no verifiable problems have been identified the enabling of DNSSEC on root zones. 

Another very important fact we must consider is that the feature to Query DNSSEC is only enabled by callers (DNS Servers) that request DNSSEC. Enabling DNSSEC on a target server, such as those hosting root zones, does not change anything in the DNS response to callers that do not request DNSSEC. Servers and clients who send “regular” DNS requests to the root servers do not have to make any changes. 

There is no need that you enable DNSSEC or EDNS on your DNS Servers because this Feature is present on the DNS Root Hints. Even if you enable it with the intention to use it, your firewalls must be reconfigured to let the bigger DNS Packets through, as well as your ISP and his Upstream Provider must also be able to pass the bigger DNS Packets through the routers all the way up to the root hints. If the whole Network Path cannot let the Packets pass it won’t work. This scenario is similar with the max Path MTU Size on a network.

More information on the root DNSSEC initiative can be found here:

Latest Update is here:

We will follow-up on the new DNSSEC feature in one of the future Blog articles.

Skip to main content