Firms Tackle Security Flaw In Web Addressing System
Mark Andrews
Mark_Andrews at isc.org
Fri Jul 11 14:25:34 UTC 2008
> > DNSSEC is NOT complex to deploy. There is NOT a steep
> > learning curve. And while DNSSEC does use more resources
> > most nameservers could turn it on and not notice.
> >
> > http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf
> >
> > I've helped teach DNSSEC to engineers who have never run a
> > nameserver until a few days before.
>
> Well, maybe I'm a moron then because I couldn't even read your (ISC's)
> 77 page document in 6 minutes let alone learn it well enough
> to feel confident I understood it. And then for us to implement
> it for 1500 zones on 11 servers is a whole 'nother kettle of fish.
Do it one zone at a time if you want. You can mix and
match. Just make sure all the servers for the zone have
DNSSEC enabled.
> One thing that did catch my eye was, in your example, signing the
> zone file caused it to grow 11-fold (2378 bytes -> 26970 bytes).
> Is this typical? Can we expect our ~GB of zone data to become 11GBs?
> Is there then a corresponding increase in network traffic?
The growth depends on the key size, average number of records
in a RRset and other factors.
As for network traffic there is not a significant increase
in packet numbers though the size of the packets definitely
increases. Most responses still fit in a single Ethernet
packet.
e.g.
; <<>> DiG 9.3.4-P1 <<>> +dnssec mx isc.org
;; MSG SIZE rcvd: 1268
; <<>> DiG 9.3.4-P1 <<>> mx isc.org
;; MSG SIZE rcvd: 255
> Also as a "NetReg" site we are heavily into dynamic dns update - how,
> if at all, is that effected?
For BIND 9.5 you need to freeze periodically to
re-sign records that have not been re-signed as part of the
update process. BIND 9.6 will re-sign the zone as needed.
The latter works well. I haven't had to manually sign my zones
for months.
> Further we are also a Hesiod site -- any implications there?
None.
> Finally, is there a list of the tlds (.edu, .org, .net, .com, etc)
> doing DS records at this point?
SE, BR, BG and PR are all signing their zones.
RIPE's IN-ADDR.ARPA and IP6.ARPA zones are signed.
ORG is in the process of getting set up.
In the meantime you can register in a DLV registry if your
tld hasn't deployed DNSSEC.
Mark
> Thanks,
> John
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
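The two dig captures above make the response-size point by eye; the script below is an added example (not from the message or from ISC) that parses such captures and checks a signed response against the 512-byte classic UDP limit and the payload that fits one Ethernet frame. The sample captures are constructed from the lines quoted in the message; the flag-line details and the two thresholds are assumptions, not something the message states.

```python
import re
from dataclasses import dataclass

# Classic DNS-over-UDP payload limit without EDNS0 (RFC 1035), and the largest
# UDP payload that fits one 1500-byte Ethernet frame over IPv4 (1500 - 20 - 8).
CLASSIC_UDP_LIMIT = 512
ETHERNET_UDP_PAYLOAD = 1472

# Constructed samples: the two dig captures quoted in the message.
SIGNED_CAPTURE = """\
; <<>> DiG 9.3.4-P1 <<>> +dnssec mx isc.org
;; MSG SIZE  rcvd: 1268
"""
PLAIN_CAPTURE = """\
; <<>> DiG 9.3.4-P1 <<>> mx isc.org
;; MSG SIZE  rcvd: 255
"""

_HDR = re.compile(r"^; <<>> DiG (?P<version>\S+) <<>> (?P<args>.*)$", re.M)
_SIZE = re.compile(r"^;; MSG SIZE\s+rcvd:\s*(?P<size>\d+)\s*$", re.M)


@dataclass
class DigCapture:
    version: str
    args: str
    size: int          # bytes received, from the "MSG SIZE rcvd" line

    @property
    def dnssec(self) -> bool:
        return "+dnssec" in self.args.split()

    @property
    def needs_edns(self) -> bool:
        # Anything over 512 bytes only arrives over UDP if the client advertised
        # an EDNS0 buffer; otherwise the answer is truncated and retried over TCP.
        return self.size > CLASSIC_UDP_LIMIT

    @property
    def fits_ethernet_frame(self) -> bool:
        return self.size <= ETHERNET_UDP_PAYLOAD


def parse_dig(text: str) -> DigCapture:
    hdr, size = _HDR.search(text), _SIZE.search(text)
    if not hdr or not size:
        raise ValueError("not a dig capture: header or MSG SIZE line missing")
    return DigCapture(hdr["version"], hdr["args"].strip(), int(size["size"]))


def growth_factor(signed: DigCapture, plain: DigCapture) -> float:
    # How much larger the DNSSEC answer is than the unsigned one for the same query.
    return signed.size / plain.size
```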
More information about the bind-users mailing list