[dnssec-deployment] dot MUSEUM implemented DNSSEC
Olaf Kolkman
olaf at NLnetLabs.nl
Tue Sep 23 01:27:57 EDT 2008
On Sep 23, 2008, at 12:07 AM, Mark Andrews wrote:
>
> Simple sanity checks by the parent (or their agent) can catch
> most errors before they get through.
>
> Assuming it is not a transfer of ownership.
>
> * do the new and old servers all return the new NS RRset.
> * do the new and old servers all return the new address records
> for the glue to be added.
> * do all DS records in the new DS RRset still refer a DNSKEYS.
> Note: this test does not support pre-publishing of DS records.
>
> Tests like these should already be being performed.
I think we agree ...
Its just that in the operational world out there those checks are not
often done and the DNS has shown extremely resilient in coping with
these. Security comes with the cost that as operator you have to be
more careful in what you do.
If you have organized your DNS shop well the introduction of DNSSEC
will not cause problems. If you run your DNS shop sloppy, DNSSEC will
expose that sloppiness.
My personal experience is that because of the word "Security" in
DNSSEC people will be looking at their registration systems from a
different perspective: When deploying DNSSEC at the RIPE NCC we
noticed a particular type of rollback attack was possible in the
registration procedure. It was discovered because we were thinking
DNSSEC, but it was a generic problem and it was dully fixed as part of
the regular maintenance.
--Olaf
--Olaf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 235 bytes
Desc: This is a digitally signed message part
Url : http://dnssec-deployment.org/pipermail/dnssec-deployment/attachments/20080923/87dfbc2f/attachment.bin
More information about the Dnssec-deployment
mailing list