DNSSEC - how useful is it?

Roy Arends Roy.Arends at nominum.com
Sat Jun 16 19:47:25 UTC 2001


On Sat, 16 Jun 2001, Ethan Lee wrote:

> Hi all,
> 
> I read about DNSSEC but wonder how useful is it? It seems that Dr.
> Bernstein in his article, as I understand it, says that DNSSEC isn't that
> useful since Network Solutions does not sign all .com DNS records. So my
> question is how is DNSSEC being used currently and for what purpose?

Yeah, well, I read that article too, and the article is simply FUD.

DNSSEC is simply a few extensions to the current DNS standards. It allows
for server authentication (using TSIG) and data integrity.

TSIG can be used for authentication between primary masters and
secondaries (for instance). The new resource records (KEY/SIG/NXT) can be
used to store cryptographic material (and NXT for authenticated denial of
existence). There are also CERT record types to put certificates in the
DNS. Any zone that does not use DNSSEC is simply spoofable. Any resolver
that has no authentication built into it can simply be misled. Any cache
that does not verify signatures can be poisoned.

To my knowledge, D.J. Bernstein is not an authority on what Network
Solutions will or will not do (nor am I for that matter).

In the article D.J. Bernstein talks about NYM. Where is it? Does his
software use it? Is anyone already using it? Where can anyone find
standards? Is there a proposal?

In the 4th edition of DNS & BIND, the DNSSEC extensions and how to use
them within BIND 9 are described. Chapter 11 of the book is still
available on-line at O'Reilly:

http://www.oreilly.com/catalog/dns4/chapter/ch11.html#38934

Regards,

Roy Arends
Nominum

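As an added example (not part of the original post, and not BIND's own code), here is the NXT-based authenticated denial of existence Roy mentions, in Python: the signer sorts the zone's owner names into canonical order and chains each name to the next, and a validating resolver accepts a negative answer only when a signed NXT record's owner and next name bracket the queried name. The zone names are constructed, and the SIG over each NXT is assumed to have been verified separately.

```python
# Added example, not code from the original post or from BIND: how NXT records give
# authenticated denial of existence. Zone names below are constructed; the SIG over
# each NXT is assumed to have been verified already (that step is not shown here).

def canonical_key(name: str) -> tuple:
    """Sort key for DNS canonical ordering (RFC 2535 s.8.3): labels are compared
    right to left, case-insensitively, by octet value; a name sorts before its
    own subdomains because a shorter tuple prefix compares smaller in Python."""
    labels = [lbl.lower().encode() for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))

def build_nxt_chain(zone_names) -> dict:
    """Signer side: map every owner name to the next name in canonical order.
    The last name wraps around to the first (the zone apex), closing the chain."""
    ordered = sorted({n.rstrip(".").lower() for n in zone_names}, key=canonical_key)
    return {owner: ordered[(i + 1) % len(ordered)] for i, owner in enumerate(ordered)}

def nxt_covers(owner: str, next_name: str, qname: str) -> bool:
    """Validator side: does the NXT record 'owner -> next_name' prove that qname
    does not exist? True only if qname falls strictly inside the gap."""
    ko, kn, kq = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if kq == ko:
        return False                    # the owner itself exists
    if ko < kn:
        return ko < kq < kn             # ordinary link in the chain
    return kq > ko                      # wrap-around link: everything past the last name

def find_covering_nxt(chain: dict, qname: str):
    """Return the (owner, next) NXT pair that proves qname is absent, or None if
    qname exists (the resolver then expects real data) or lies outside the zone
    (this zone's NXT records say nothing about names it is not authoritative for)."""
    apex_key = canonical_key(min(chain, key=canonical_key))
    if canonical_key(qname)[:len(apex_key)] != apex_key:
        return None
    for owner, next_name in chain.items():
        if nxt_covers(owner, next_name, qname):
            return owner, next_name
    return None

if __name__ == "__main__":
    chain = build_nxt_chain(["example.com", "www.example.com",
                             "mail.example.com", "ftp.example.com"])
    for q in ("news.example.com", "zzz.example.com", "www.example.com"):
        print(q, "->", find_covering_nxt(chain, q))
```

A forged "no such name" answer without a matching signed NXT fails this check, which is why a cache that skips signature verification, as Roy notes, can still be poisoned.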