dnssec - DNS



Thread: dnssec

  1. dnssec


    All this talk of spoofing attacks got me to get off my duff and
    configure dnssec for the ~dozen zones I'm authoritative for. Sadly it
    looks like that dozen may have put a noticeable blip into the number
    of production zones using dnssec. (ref: http://secspider.cs.ucla.edu/
    -- 970 production zones using both KSKs and ZSKs, 10,552 if you also
    count the zones that only use one key etc.) Sigh. Seeing how there are
    over 100M domains in existence, this isn't a very high percentage.

    The question is, what is the hang-up? Are the computational resources
    needed much higher? Does the added dnssec traffic cause a significant
    increase in bandwidth? Short of moving to Sweden, are there any TLDs
    that will sign one's dnssec records today? A quick check seemed to
    indicate that the most promising candidate is "org.", but that won't be
    open to the general public till 2010 according to their timetable.
    The others don't seem to even have a public timetable. A quick trip
    to the ARIN website doesn't show anything promising there either. I
    guess I really didn't want to register my rDNS keys after all.

    Is there something a lowly end-user should be doing to make this all
    work?

    -wolfgang
    --
    Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/


  2. Re: dnssec

    "Wolfgang S. Rupprecht" wrote in
    message news:g6d760$2b1m$1@sf1.isc.org...
    > All this talk of spoofing attacks got me to get off my duff and
    > configure dnssec for the ~dozen zones I'm authoritative for. Sadly it ...
    >
    > The question is, what is the hang up?


    A good, secondary reason is that the cost of authentication is privacy. The
    implementation basically reveals the full contents of a zone, and some
    people just don't like that.

    A third reason is that not enough of the process is automated. Too much of
    it must be manually performed.




  3. Re: dnssec

    On Sat, Jul 26, 2008 at 09:00:49PM -0700,
    D. Stussy wrote
    a message of 15 lines which said:

    > > The question is, what is the hang up?

    >
    > A good, secondary reason is that the cost of authentication is privacy. The
    > implementation basically reveals the full contents of a zone,


    This is solved by NSEC3 (RFC 5155), which will be in the next BIND
    (9.6).

    In the meantime, you can always use rate-limiting and walk-detection
    techniques. ".se" apparently uses them; I cannot enumerate the zone.


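    The privacy cost raised in reply 2 and the NSEC3 fix named in reply 3, shown in
    working code. This is an added example, not code from anyone in the thread: the
    "example." zone, its owner names (including "secret-host.example.") and the NSEC
    chain are constructed for illustration. It walks a plain NSEC chain to list every
    name in the zone, then builds the corresponding NSEC3 chain with the RFC 5155
    hash (SHA-1 over the wire-format name plus salt, iterated, base32hex-encoded) and
    shows that walking it yields only hashes. The salt and iteration count are the
    ones from RFC 5155 Appendix A, so the apex hash can be checked against the RFC's
    own zone listing. The last function is the caveat a practitioner wants: NSEC3
    hides names an attacker cannot guess, not names that appear in a wordlist.

```python
"""Added example (not from the thread): how an NSEC chain leaks a zone and
what NSEC3 (RFC 5155) changes.  All zone data below is constructed."""
import base64
import hashlib

# Constructed NSEC chain for a made-up zone: owner name -> NSEC "next" name.
# A resolver gets these records back whenever it asks for a name that does
# not exist, which is all a zone walker needs.
NSEC_CHAIN = {
    "example.": "ai.example.",
    "ai.example.": "ns1.example.",
    "ns1.example.": "secret-host.example.",
    "secret-host.example.": "www.example.",
    "www.example.": "example.",  # last record wraps back to the apex
}


def walk_nsec(chain, apex):
    """Enumerate every owner name by following NSEC next-name pointers."""
    names = [apex]
    cur = chain[apex]
    while cur != apex:
        names.append(cur)
        cur = chain[cur]
    return names


# --- NSEC3: the chain links hashed owner names instead of the names themselves

# base32 (RFC 4648) -> base32hex, the alphabet RFC 5155 mandates so that
# sorting the text form sorts the underlying hash bytes.
_STD_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                            "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed `iterations` more
    times with the salt appended each round, rendered as base32hex.
    With salt aabbccdd and 12 iterations (RFC 5155 Appendix A), the apex
    "example." hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_STD_TO_HEX).lower()


def nsec3_chain(names, salt, iterations):
    """Build the NSEC3 chain an authoritative server would publish: sorted
    hashes, each pointing at the next one (the last wraps around)."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}


def walk_nsec3(chain, start):
    """Walking NSEC3 works exactly like walking NSEC, but yields only hashes."""
    seen = [start]
    cur = chain[start]
    while cur != start:
        seen.append(cur)
        cur = chain[cur]
    return seen


def guess_nsec3(chain, zone, candidates, salt, iterations):
    """The caveat: NSEC3 hides names you cannot guess, not names you can.
    Hash each candidate label offline and look it up in the walked chain."""
    recovered = {}
    for label in candidates:
        name = f"{label}.{zone}"
        h = nsec3_hash(name, salt, iterations)
        if h in chain:
            recovered[h] = name
    return recovered


if __name__ == "__main__":
    print("NSEC walk:", walk_nsec(NSEC_CHAIN, "example."))
    salt, iters = bytes.fromhex("aabbccdd"), 12   # NSEC3PARAM 1 0 12 aabbccdd
    chain = nsec3_chain(list(NSEC_CHAIN), salt, iters)
    print("NSEC3 walk:", walk_nsec3(chain, min(chain)))
    print("dictionary attack:",
          guess_nsec3(chain, "example.", ["www", "ai", "mail"], salt, iters))
```

    The walk functions take the chain as a dict rather than sending queries, so the
    example runs offline; against a real server each step is one query for a name
    that falls in the current gap. The dictionary attack is why the iteration count
    and salt in NSEC3PARAM buy less than they appear to: they slow the attacker's
    offline guessing by a constant factor, and slow every validating resolver by the
    same factor, but cannot protect a name like "www" at all.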