The worst thing about the exploit -- Have you done your part?

Mark Andrews Mark_Andrews at isc.org
Tue Jul 29 09:31:52 UTC 2008


> On Sat, 26 Jul 2008, Alan Clegg wrote:
> 
> > Date: Sat, 26 Jul 2008 11:41:10 -0400
> > From: Alan Clegg <Alan_Clegg at isc.org>
> > To: Ben Croswell <ben.croswell at gmail.com>, DNS BIND <bind-users at isc.org>
> > Subject: Re: The worst thing about the exploit -- Have you done your part?
> > 
> > Ben Croswell wrote:
> >> I also see a lot of people calling for DNSSEC to fix the underlying
> >> issue, but unless I am mistaken DNSSEC won't fix the issue unless we
> >> have close to 100% adoption rate.
> >
> > I'm using DLV to do DNSSEC validation right now, as are all the queries
> > of my upstream ISP.
> >
> > I have a bunch of domains that you can validate using DNSSEC including
> > 'clegg.com'.
> >
> > See another presentation of mine here:  http://alan.clegg.com/dnssec for
> > information on deploying DNSSEC in your environment TODAY!
> >
> > Yes, there needs to be more infrastructure work done to get it deployed
> > globally, but why not begin the deployment at the (grass) roots?
> 
> I got to ask the painfully obvious question...  Why hasn't DNSSEC started
> at the top?  Why aren't the root servers supporting it?

	Layer 9 politics.  Talk to your local member and ask them to request
	that the root gets signed.

> Why isn't .com,
> .org, .edu rolling this out?

	Org is in the process.

>  The .com domain has the most to lose by not
> having DNSSEC, since every bank and entity-to-steal-from on the planet lives
> in this domain.  Not that I'm opposed to the grassroots, it just seems
> backwards.

	Com is waiting for NSEC3 support.  BIND 9.6 will have NSEC3 support.
	NSEC3 removes the ability to enumerate the zone contents.  It also
	reduces the size requirements when optout is in use making the size
	changes proportional to the number of secure delegations.

	Mark
 
> Jeff Earickson
> Colby College

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
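
The NSEC3 mechanism mentioned in the reply above, as an added example that is not part of the original message and is not BIND's code: it computes hashed owner names as specified in RFC 5155 and finds the NSEC3 interval that proves a name absent, so the denial record carries hashes rather than neighbouring zone names. The function names are hypothetical, the zone is constructed, and the salt `aabbccdd` with 12 iterations is taken from the RFC 5155 Appendix A example zone.

```python
import base64
import hashlib

# Map the RFC 4648 base32 alphabet onto the order-preserving base32hex
# alphabet that NSEC3 owner names use.
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) DNS wire format: length-prefixed labels + root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(name || salt), then `iterations` extra rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode().lower()

def nsec3_chain(names, salt_hex, iterations):
    """Sorted hashed owners, each paired with the next hash (last wraps to first)."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return list(zip(hashes, hashes[1:] + hashes[:1]))

def covering_record(qname, chain, salt_hex, iterations):
    """Return the (owner, next) pair proving qname absent, or None if it exists."""
    h = nsec3_hash(qname, salt_hex, iterations)
    for owner, nxt in chain:
        if h == owner:
            return None  # hash matches an existing owner: the name exists
        if owner < h < nxt or (owner >= nxt and (h > owner or h < nxt)):
            return (owner, nxt)
    return None

if __name__ == "__main__":
    zone = ["example", "a.example", "ns1.example"]  # constructed sample zone
    chain = nsec3_chain(zone, "aabbccdd", 12)
    # The proof of absence names only two hashes, not the adjacent zone names.
    print(covering_record("nosuch.example", chain, "aabbccdd", 12))
```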

