Can DNSSEC resolvers pass through all mangling CPEs?

Rick van Rein
Tue Dec 29 12:18:58 CET 2015


We are seeing more DNSSEC all the way to the desktop, thanks to NLnet
Labs products like libunbound and GetDNS.  Hooray!

What I am wondering is whether this also resolves all issues relating to
NAT/firewall traversal of DNS.  Quite a few CPE boxes are known to
mangle DNS traffic under their default settings, and I am not sure if
this is only the case when passing through their built-in DNS proxy
service, or also when someone addresses port 53 (UDP, TCP, or both).

This matter of CPE mangling also comes up in relation to new RRtypes
that might be added to DNS; I wonder if that would be resolved by
local-machine recursive resolvers.

What is the experience with users and of NLnet Labs with CPE traversal
by recursive resolvers?