All this talk of spoofing attacks got me to get off my duff and
configure dnssec for the ~dozen zones I'm authoritative for. Sadly it
looks like that dozen may have put a noticeable blip into the number
of production zones using dnssec. (ref: http://secspider.cs.ucla.edu/
-- 970 production zones using both KSKs and ZSKs, 10,552 if you also
count the zones that only use one key etc.) Sigh. Seeing how there are
over 100M domains in existence this isn't a very high percentage.
The question is, what is the hang up? Are the computational resources
needed much higher? Does the added dnssec traffic cause a significant
increase in bandwidth? Short of moving to Sweden, are there any TLDs
that will sign one's dnssec records today? A quick check seemed to
indicate that the most promising candidate is "org.", but that won't be
open to the general public till 2010 according to their timetable.
The others don't seem to even have a public timetable. A quick trip
to the ARIN website doesn't show anything promising there either. I
guess I really didn't want to register my rDNS keys after all.
Is there something a lowly end-user should be doing to make this all
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
"Wolfgang S. Rupprecht" <email@example.com> wrote in
> All this talk of spoofing attacks got me to get off my duff and
> configure dnssec for the ~dozen zones I'm authoritative for. Sadly it ...
> The question is, what is the hang up?
A good, secondary reason is that the cost of authentication is privacy. The
implementation basically reveals the full contents of a zone, and some
people just don't like that.
A third reason is that not enough of the process is automated. Too much of
it must be manually performed.
On Sat, Jul 26, 2008 at 09:00:49PM -0700,
D. Stussy <firstname.lastname@example.org> wrote
a message of 15 lines which said:
> > The question is, what is the hang up?
> A good, secondary reason is that the cost of authentication is privacy. The
> implementation basically reveals the full contents of a zone,
This is solved by NSEC3 (RFC 5155), which will be in the next BIND
In the meantime, you can always use rate-limiting and walk-detection
techniques. ".se" apparently uses them; I cannot enumerate the zone.
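The two points raised in this thread, that plain NSEC "reveals the full contents of a zone" and that NSEC3 (RFC 5155) addresses it, are shown side by side in the following added example. It is not code from any of the posters: the NSEC chain for example.com is a constructed toy zone, the NSEC3 hash is implemented straight from RFC 5155 section 5 and checked against the RFC 5155 Appendix A vector (owner "example.", salt aabbccdd, 12 iterations), and the wordlist used for the offline guessing attack is made up. The last function is the caveat a practitioner wants: NSEC3 turns a free directory listing into an offline dictionary attack, so guessable labels still come back, only the unguessable ones stay hidden.

```python
import base64
import hashlib

# --- NSEC: the chain itself is a directory listing of the zone -------------
# Constructed NSEC chain for a toy zone (example data, not from the thread).
# owner -> (next owner in canonical order, type bitmap at owner)
NSEC_CHAIN = {
    "example.com.":            ("mail.example.com.",       "NS SOA MX RRSIG NSEC DNSKEY"),
    "mail.example.com.":       ("secret-dev.example.com.", "A RRSIG NSEC"),
    "secret-dev.example.com.": ("www.example.com.",        "A RRSIG NSEC"),
    "www.example.com.":        ("example.com.",            "A AAAA RRSIG NSEC"),
}

def walk_nsec(chain, apex):
    """Enumerate every owner name by following NSEC 'next' pointers until
    the chain wraps back to the apex. Against a live zone each step is one
    query for a name that sorts just after the current owner; the signed
    NSEC in the NXDOMAIN answer hands back the next real name."""
    names = [apex]
    nxt = chain[apex][0]
    while nxt != apex:
        names.append(nxt)
        nxt = chain[nxt][0]
    return names

# --- NSEC3: the chain lists hashes, so a walk yields H(name), not name -----
def name_to_wire(name):
    """Canonical (lowercase) uncompressed wire form of a DNS name."""
    labels = name.rstrip(".").lower()
    wire = b""
    if labels:
        for label in labels.split("."):
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

# RFC 4648 base32hex alphabet, mapped from Python's standard base32 output
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(owner, salt_hex, iterations):
    """RFC 5155 section 5: IH(0) = SHA-1(name || salt),
    IH(k) = SHA-1(IH(k-1) || salt); result is base32hex-encoded."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(owner) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()

def nsec3_chain(names, salt_hex, iterations):
    """What a walk of the NSEC3 chain gives an attacker: the sorted hashes."""
    return sorted(nsec3_hash(n, salt_hex, iterations) for n in names)

def recover_names(hashes, candidate_labels, zone, salt_hex, iterations):
    """Offline dictionary attack on a walked NSEC3 chain: hash each guess
    with the zone's public salt/iterations (from NSEC3PARAM) and match it
    against the chain. Only guessable labels come back."""
    targets = set(hashes)
    found = {}
    for label in candidate_labels:
        name = f"{label}.{zone}" if label else zone
        h = nsec3_hash(name, salt_hex, iterations)
        if h in targets:
            found[h] = name
    return found

if __name__ == "__main__":
    print("NSEC walk  :", walk_nsec(NSEC_CHAIN, "example.com."))
    SALT, ITER = "aabbccdd", 12
    chain = nsec3_chain(NSEC_CHAIN, SALT, ITER)
    print("NSEC3 walk :", chain)
    # constructed wordlist a guesser would try; 'secret-dev' is not in it
    guesses = ["", "www", "mail", "ftp", "ns1", "smtp"]
    print("recovered  :", recover_names(chain, guesses, "example.com.", SALT, ITER))
```

Run as-is, the NSEC walk prints all four names including secret-dev, the NSEC3 walk prints four opaque hashes, and the dictionary step recovers only the apex, www and mail. Salt and iteration count are public in the NSEC3PARAM record, so they add per-guess cost but no secrecy; that is why the rate-limiting and walk-detection mentioned above remain useful even on an NSEC3-signed zone.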