[dnssec-deployment] dot MUSEUM implemented DNSSEC

Paul Wouters paul at xelerance.com
Mon Sep 22 13:35:12 EDT 2008


On Mon, 22 Sep 2008, Edward Lewis wrote:

> But when it comes to screwing up the DS set, this is not anymore fragile than 
> the NS set.  A signer has the option to use multiple DS records in a set - 
> maybe one for each different algorithm in use.  And a totally hosed DS set is 
> less disruptive than a totally hosed NS set because in the former, the NS set 
> (if un-hosed) is still available for hand inspection by a technician.

If your dnssec signer appliance does not periodically check NS, DS and SOA
records of the zones it is signing for, you bought a lemon. (if you truly
use the signer offline, then a second unit without the private keys should
be doing these checks). DNS is no longer 'fire and forget'.

> There's multiple "paths" to just about everything in DNSSEC.  Single shots 
> need not take down DNSSEC where it would take two shots for DNS. However, the 
> work to make DNSSEC less fragile is not always easy.  It can be done tho'.

Checking and verifying consistency of DNS records is not exactly rocket
science, whether it is NS glue, DS at parent, or TTL/SIG lifetimes.

Paul
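The checks the message above argues every signer setup should run (DS at the parent against the DNSKEY at the child, NS set at the parent against the child apex, and RRSIG lifetimes) can be scripted in a few dozen lines. The following is an added example for this archive page, not code from the poster or the list; it uses only the Python standard library and constructed sample data (a dummy 4-byte "public key", constructed NS sets and RRSIG timestamps) instead of live DNS queries, so it runs offline. The DS digest and key-tag computations follow RFC 4034; a real audit would feed it records fetched from the parent and child name servers.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

# --- wire-format helpers (RFC 4034) -----------------------------------------

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> dict:
    """DS record (digest type 2 = SHA-256) for a DNSKEY, as the parent would publish it."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": 2, "digest": digest}

# --- the consistency checks -------------------------------------------------

def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """Does the DS seen at the parent correspond to this DNSKEY at the child apex?"""
    if ds["digest_type"] != 2:          # only SHA-256 DS records handled here
        return False
    expected = make_ds(owner, rdata)
    return all(ds[k] == expected[k] for k in ("key_tag", "algorithm", "digest"))

def ns_consistency(parent_ns, child_ns) -> dict:
    """Compare the delegation NS set at the parent with the NS set at the child apex."""
    p = {n.lower().rstrip(".") for n in parent_ns}
    c = {n.lower().rstrip(".") for n in child_ns}
    return {"only_at_parent": sorted(p - c), "only_at_child": sorted(c - p)}

def parse_rrsig_time(s: str) -> datetime:
    """RRSIG inception/expiration in presentation format YYYYMMDDHHmmSS (UTC)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_sig_lifetime(inception: str, expiration: str, now: datetime, warn_days: int = 7) -> str:
    """Classify an RRSIG validity window relative to 'now'."""
    inc, exp = parse_rrsig_time(inception), parse_rrsig_time(expiration)
    if now < inc:
        return "not-yet-valid"
    if now >= exp:
        return "expired"
    if exp - now < timedelta(days=warn_days):
        return "expiring-soon"
    return "ok"

def audit_delegation(owner, parent_ds_set, child_dnskeys, parent_ns, child_ns, rrsigs, now) -> list:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    for ds in parent_ds_set:
        if not any(ds_matches_dnskey(ds, owner, k) for k in child_dnskeys):
            findings.append(f"DS keytag {ds['key_tag']} at parent matches no DNSKEY at {owner}")
    diff = ns_consistency(parent_ns, child_ns)
    for side, names in diff.items():
        if names:
            findings.append(f"NS {side}: {', '.join(names)}")
    for rrtype, inc, exp in rrsigs:
        state = check_sig_lifetime(inc, exp, now)
        if state != "ok":
            findings.append(f"RRSIG over {rrtype} is {state}")
    return findings

# --- constructed sample data (not real keys or records) ---------------------
CONSTRUCTED_PUBKEY = b"\x01\x02\x03\x04"                       # dummy, not a real key
CHILD_KSK = dnskey_rdata(257, 3, 13, CONSTRUCTED_PUBKEY)        # flags 257 = KSK

if __name__ == "__main__":
    now = datetime(2008, 9, 22, 13, 35, tzinfo=timezone.utc)
    good_ds = make_ds("museum.", CHILD_KSK)
    stale_ds = dict(good_ds, digest="00" * 32)                  # simulates a hosed DS at the parent
    for f in audit_delegation("museum.", [good_ds, stale_ds], [CHILD_KSK],
                              ["ns1.example.net.", "ns2.example.net."],
                              ["ns1.example.net.", "ns3.example.net."],
                              [("DNSKEY", "20080920000000", "20080925000000")], now):
        print("FINDING:", f)
```

The expected-lifetime threshold (`warn_days`) is the operational knob: set it longer than your resigning interval plus the longest TTL involved, so a stalled signer is noticed before cached signatures run out.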


