Firms Tackle Security Flaw In Web Addressing System

Mark Andrews Mark_Andrews at isc.org
Fri Jul 11 14:25:34 UTC 2008


> > 	DNSSEC is NOT complex to deploy.  There is NOT a steep
> > 	learning curve.  And while DNSSEC does use more resources
> > 	most nameservers could turn it on and not notice.
> > 
> > 	http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf
> > 
> > 	I've helped teach DNSSEC to engineers who have never run a
> > 	nameserver until a few days before.
> 
> Well, maybe I'm a moron then because I couldn't even read your (ISC's)
> 77 page document in 6 minutes let alone learn it well enough
> to feel confident I understood it.  And then for us to implement
> it for 1500 zones on 11 servers is a whole 'nother kettle of fish.

	Do it one zone at a time if you want.  You can mix and
	match.  Just make sure all the servers for the zone have
	DNSSEC enabled.
 
> One thing that did catch my eye was, in your example, signing the
> zone file caused it to grow 11-fold (2378 bytes -> 26970 bytes).
> Is this typical?  Can we expect our ~GB of zone data to become 11GBs?
> Is there then a corresponding increase in network traffic?

	The growth depends on the key size, average number of records
	in a RRset and other factors.

	As for network traffic there is not a significant increase
	in packet numbers though the size of the packets definitely
	increases.  Most responses still fit in a single Ethernet
	packet.

	e.g.
		; <<>> DiG 9.3.4-P1 <<>> +dnssec mx isc.org
		;; MSG SIZE  rcvd: 1268

		; <<>> DiG 9.3.4-P1 <<>> mx isc.org
		;; MSG SIZE  rcvd: 255
 
> Also as a "NetReg" site we are heavily into dynamic dns update - how,
> if at all, is that affected?

	For BIND 9.5 you need to freeze periodically to
	re-sign records that have not been re-signed as part of the
	update process.  BIND 9.6 will re-sign the zone as needed.
	
	The latter works well.  I haven't had to manually sign my zones
	for months.
 
> Further we are also a Hesiod site -- any implications there?

	None.
 
> Finally, is there a list of the tlds (.edu, .org, .net, .com, etc)
> doing DS records at this point?

	SE, BR, BG and PR are all signing their zones.
	RIPE's IN-ADDR.ARPA and IP6.ARPA zones are signed.
	ORG is in the process of getting set up.

	In the meantime you can register in a DLV registry if your
	tld hasn't deployed DNSSEC.

	Mark

> Thanks,
> John
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

