[dnssec-deployment] dot MUSEUM implemented DNSSEC
Mark_Andrews at isc.org
Mon Sep 22 18:07:42 EDT 2008
In message <list-17037859 at execdsl.com>, Olaf Kolkman writes:
> This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
> Content-Transfer-Encoding: 7bit
> On Sep 22, 2008, at 12:15 PM, Mark Andrews wrote:
> >> DNSsec creates a tighter chain. We have to make sure that
> >> redelegation
> >> is not the weakest link. -- Yes, it is the same process but DNSsec
> >> requires higher degree of safety when it comes to the redelegation
> >> part.
> > Please quote the relevent RFC.
> I hope that I understand Mats point. Allow me to rephrase it:
> If you do a delegation wrong you create some lameness, and the DNS can
> cope with that. If you do the DS wrong then you immediately impact the
> secure zones.
If you accept the wrong NS records from the wrong people
the zone is taken over. We had a couple of well publicised
If you accept the wrong glue address records from the wrong
people the zone is taken over.
If you accept the wrong DS records from the wrong people
the zone is taken over.
It is equally crucial that all updates to a delegation are
treated with equal care. If one can update the NS records
at a delegation then one can assume that one can also update
the DS records.
> With plain old DNS you need to shoot at least twice to shoot yourself
> in the feet. With DNSSEC you only need one shot to do serious damage.
Simple sanity checks by the parent (or their agent) can catch
most errors before they get through.
Assuming it is not a transfer of ownership.
* do the new and old servers all return the new NS RRset.
* do the new and old servers all return the new address records
for the glue to be added.
* do all DS records in the new DS RRset still refer a DNSKEYS.
Note: this test does not support pre-publishing of DS records.
Tests like these should already be being performed.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the Dnssec-deployment