[dnssec-deployment] dot MUSEUM implemented DNSSEC
Mark Andrews
Mark_Andrews at isc.org
Mon Sep 22 18:07:42 EDT 2008
In message <list-17037859 at execdsl.com>, Olaf Kolkman writes:
> On Sep 22, 2008, at 12:15 PM, Mark Andrews wrote:
>
> >> DNSsec creates a tighter chain. We have to make sure that
> >> redelegation
> >> is not the weakest link. -- Yes, it is the same process but DNSsec
> >> requires higher degree of safety when it comes to the redelegation
> >> part.
> >
> > Please quote the relevant RFC.
>
>
> I hope that I understand Mats' point. Allow me to rephrase it:
>
> If you do a delegation wrong you create some lameness, and the DNS can
> cope with that. If you do the DS wrong then you immediately impact the
> secure zones.
If you accept the wrong NS records from the wrong people
the zone is taken over. We had a couple of well publicised
cases recently.

If you accept the wrong glue address records from the wrong
people the zone is taken over.

If you accept the wrong DS records from the wrong people
the zone is taken over.

It is equally crucial that all updates to a delegation are
treated with equal care. If one can update the NS records
at a delegation then one can assume that one can also update
the DS records.
> With plain old DNS you need to shoot at least twice to shoot yourself
> in the feet. With DNSSEC you only need one shot to do serious damage.
Simple sanity checks by the parent (or their agent) can catch
most errors before they get through.

Assuming it is not a transfer of ownership:

* do the new and old servers all return the new NS RRset.
* do the new and old servers all return the new address records
  for the glue to be added.
* do all DS records in the new DS RRset still refer to a DNSKEY.
  Note: this test does not support pre-publishing of DS records.

Tests like these should already be being performed.
Mark
> --Olaf
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
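The three parent-side checks listed in the message, worked into a small checker as an added example (this is not code from the author, from ISC or from any registry). It takes constructed answers standing in for what each old and new server returned and compares them against the new NS RRset, the new glue and the new DS RRset; the DS-to-DNSKEY match is computed as RFC 4034 specifies (key tag per Appendix B, digest over the canonical owner name followed by the DNSKEY RDATA). The zone name, server names, addresses and key bytes are constructed placeholders; a live checker would query each server instead of reading these dicts.

```python
"""Parent-side sanity checks for a delegation update (added example).

The checks mirror the list in the message:
  1. every old and new server returns the new NS RRset,
  2. every old and new server returns the new glue address records,
  3. every DS in the new DS RRset matches a DNSKEY published at the child apex.
Responses are constructed dicts standing in for live queries.
"""
import hashlib
import struct


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag of a DNSKEY RDATA, RFC 4034 Appendix B (not valid for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def check_delegation_update(child, new_ns, new_glue, new_ds, dnskeys, responses):
    """Return a list of problems; an empty list means the update passes the checks.

    new_ns:    set of nameserver names in the new delegation
    new_glue:  {hostname: set(addresses)} for the glue to be added
    new_ds:    list of (key_tag, algorithm, digest_type, digest_hex)
    dnskeys:   list of DNSKEY RDATA as returned by the child apex
    responses: {server: {"NS": set(...), "A": {hostname: set(addresses)}}}
               for every old and every new server
    """
    problems = []
    for server, answer in responses.items():
        if answer.get("NS") != new_ns:
            problems.append(f"{server}: NS RRset differs from the new delegation")
        for host, addrs in new_glue.items():
            if answer.get("A", {}).get(host) != addrs:
                problems.append(f"{server}: glue for {host} differs from new address records")
    for tag, alg, dtype, digest in new_ds:
        matched = any(
            key_tag(k) == tag and k[3] == alg and ds_digest(child, k, dtype) == digest.upper()
            for k in dnskeys
        )
        if not matched:
            # A DS pre-published ahead of its DNSKEY lands here, as the message notes.
            problems.append(f"DS {tag}/{alg}/{dtype} matches no DNSKEY at {child}")
    return problems


def sample_scenario():
    """Constructed data: one clean update and one with a stale old server and a bad DS."""
    child = "zone.example."
    key = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + b"\x5a" * 32)  # constructed, not a real key
    new_ns = {"ns1.zone.example.", "ns2.zone.example."}
    new_glue = {"ns1.zone.example.": {"192.0.2.1"}, "ns2.zone.example.": {"192.0.2.2"}}
    good_ds = [(key_tag(key), 8, 2, ds_digest(child, key, 2))]
    ok = {"NS": set(new_ns), "A": {h: set(a) for h, a in new_glue.items()}}
    good = check_delegation_update(child, new_ns, new_glue, good_ds, [key],
                                   {"ns1.zone.example.": ok, "ns2.zone.example.": ok,
                                    "old-ns.example.": ok})
    stale = {"NS": {"ns1.zone.example.", "old-ns.example."}, "A": ok["A"]}
    bad_ds = good_ds + [(12345, 8, 2, "00" * 32)]  # no DNSKEY behind this one
    bad = check_delegation_update(child, new_ns, new_glue, bad_ds, [key],
                                  {"ns1.zone.example.": ok, "old-ns.example.": stale})
    return good, bad


if __name__ == "__main__":
    good, bad = sample_scenario()
    print("clean update:", good or "no problems")
    print("broken update:", *bad, sep="\n  ")
```

The third check is exactly the one the message flags as incompatible with pre-publishing a DS: a DS whose DNSKEY is not yet in the child's apex RRset is reported as a problem, so a parent that wants to allow pre-publication has to relax that check deliberately rather than by accident.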