DNSSEC versus multiple views

Mark Andrews marka at isc.org
Wed Jun 1 02:09:15 UTC 2011


In message <BF6F24E4-BB5C-4160-84DF-BAF591BED1CE at cornell.edu>, John Wobus writes:
> What problems do sites have that deploy both multiple views and
> DNSSEC?

Sign all views.  You can decide whether to use the same keying
material or use differing keying material.  If you use differing
keying material you will need to distribute it.  Different key
material will catch leaks between views.

> I read the "Split-View DNSSEC Operation Practices" draft, which
> outlines a number of set-ups, generally citing disadvantages in the
> area of administration, troubleshooting, and added complexity.  But
> it says these set-ups are workable.
> 
> Our site serves thousands of mobile users with many types of consumer
> mobile devices used onsite and elsewhere.  Our site also has
> independent departments running their own caching servers.  Both
> these make me nervous.  I could imagine a future where mobile devices
> both cache and validate DNS and could imagine the combination of
> multiple views and DNSSEC creating problems for them.  Perhaps
> future end-user caching/validation procedures will be driven by the
> existence of multiple-views/DNSSEC sites.
> 
> All this is from reading and thinking.  Can anyone tell me about
> real-world problem cases?
> 
> John Wobus
> Cornell University
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
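
Added example, not part of the original message or of BIND: a monitoring check that attributes a signed answer to a view by the key tag in its RRSIG (RFC 4034, Appendix B), showing why differing keying material exposes a leak between views and shared keying material does not. The view names, the key bytes and the `check_answer` helper are assumptions constructed for illustration; a key tag is only a hint, and the authoritative signal remains validation against the view's own trust anchor.

```python
"""Attribute a signed DNS answer to a view by RRSIG key tag (RFC 4034, App. B)."""
import struct


def key_tag(flags, protocol, algorithm, public_key):
    """Key tag of a DNSKEY from its RDATA fields (all algorithms except 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8   # even offsets are the high octet
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


# Constructed placeholder key bytes, NOT real keys: one ZSK per view.
INTERNAL_ZSK = (256, 3, 13, bytes(range(64)))
EXTERNAL_ZSK = (256, 3, 13, bytes(range(64, 128)))

DIFFERENT_KEYS = {"internal": [INTERNAL_ZSK], "external": [EXTERNAL_ZSK]}
SHARED_KEYS = {"internal": [INTERNAL_ZSK], "external": [INTERNAL_ZSK]}


def build_tag_index(view_keys):
    """Map each key tag to the set of views whose zone is signed with it."""
    index = {}
    for view, keys in view_keys.items():
        for key in keys:
            index.setdefault(key_tag(*key), set()).add(view)
    return index


def check_answer(expected_view, rrsig_key_tag, index):
    """Classify an answer seen by a client that should be served expected_view."""
    views = index.get(rrsig_key_tag)
    if views is None:
        return "unknown-key"          # signed by a key of neither view
    if expected_view not in views:
        return "leak:" + ",".join(sorted(views))
    # Same key in several views: the signature cannot tell the views apart.
    return "ok" if len(views) == 1 else "indistinguishable"


if __name__ == "__main__":
    ext_tag = key_tag(*EXTERNAL_ZSK)
    # Internal client receives an answer signed with the external view's key.
    print(check_answer("internal", ext_tag, build_tag_index(DIFFERENT_KEYS)))
    # With shared keys the same mix-up cannot be seen from the signature.
    print(check_answer("internal", key_tag(*INTERNAL_ZSK),
                       build_tag_index(SHARED_KEYS)))
```
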


