Compelling Reason for Deploying DNSSEC

michoski michoski at cisco.com
Thu Sep 15 20:02:22 UTC 2011


On 9/15/11 12:19 PM, "Paul Romano" <ittech68 at yahoo.com> wrote:
> Does the lack of response indicate a lack of compelling reason or just lack of
> interest in this topic? 

Not at all, folks are just busy I bet...

> Is there a way to tie an ROI into a DNSSEC deployment? 

It's basically a risk analysis game.  You should be able to think through
common use cases for your service, and identify places where DNSSEC would
add value.  Your business values validity of its DNS data, or not.

Besides the obvious harm of a tarnished reputation (which all but the largest
companies may not even take that seriously, small ones will just
re-incorporate), it sometimes helps to focus on the dollars and cents...

In the worst case, if an evil hacker modified a zone and obtained sensitive
customer data, what would the "fall out" look like to you?  How would you
respond?  How much time would be spent by how many staff members?  What
other projects would have to be delayed as a result?  Would you need a
third-party audit?  How much does that cost, and if you haven't scoped it
how long will that take?  How will you communicate with customers?

> Are there any numbers indicating a trend in DNS related attacks?

DDoS still wins, typically following political debates.

> From: "WBrown at e1b.org" <WBrown at e1b.org>
> I would like to hear the justification as well.  I know the gTLDs have
> been signed, but there are a lot of domains for large tech companies that
> are not signed yet.
> 
> Is it a matter of reaching critical mass?

Humans are lazy (oh sorry, incentive driven) creatures, so I think you are
right...critical mass is required, much like IPv6.  Before that started
being seriously adopted, I'd gotten sick of hearing about it.  DNSSEC is
almost there.  ;-)

-- 
By nature, men are nearly alike;
by practice, they get to be wide apart.
        -- Confucius




More information about the bind-users mailing list