feature survey -- bind9 dnssec -- autogenerate missing signatures

Michael Richardson mcr at sandelman.ottawa.on.ca
Thu Sep 4 14:34:18 UTC 2008


>>>>> "Jim" == Jim Reid <jim at rfc1035.com> writes:
    Jim> Francis, this is all very well. People with DNSSEC clue will
    Jim> use these sorts of beasts because they understand why keys need
    Jim> to be properly protected. I'm far from convinced the typical
    Jim> DNS admin (no DNSSEC clue) will understand this or deploy these
    Jim> sorts of measures if they sign their zones. They'll inevitably
    Jim> take the path of least resistance. Which would most probably
    Jim> mean on-the-fly background signing if that was available and
    Jim> the actual signing key on-line and in cleartext on the master
    Jim> server.

  Yes.

  But, just remember: you haven't introduced any new attacks by having
the key available, unencrypted, on the DNS primary.

  Someone who breaks into the DNS primary can change the zone already.
If you have the key online, the risk is the same.

  Meanwhile, having signed zones has significantly reduced opportunities
for network attacks, so it's a win.

  All security is a tradeoff.

-- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


More information about the bind-workers mailing list