[dnssec-deployment] dot MUSEUM implemented DNSSEC

Olaf Kolkman olaf at NLnetLabs.nl
Tue Sep 23 01:27:57 EDT 2008


On Sep 23, 2008, at 12:07 AM, Mark Andrews wrote:

>
> 	Simple sanity checks by the parent (or their agent) can catch
> 	most errors before they get through.
>
> 	Assuming it is not a transfer of ownership.
>
> 	* do the new and old servers all return the new NS RRset.
> 	* do the new and old servers all return the new address records
> 	  for the glue to be added.
> 	* do all DS records in the new DS RRset still refer to a DNSKEY.
> 	  Note: this test does not support pre-publishing of DS records.
>
> 	Tests like these should already be being performed.

I think we agree ...

It's just that in the operational world out there those checks are not  
often done, and the DNS has shown itself extremely resilient in coping with  
them. Security comes at the cost that, as an operator, you have to be  
more careful in what you do.

If you have organized your DNS shop well, the introduction of DNSSEC  
will not cause problems. If you run your DNS shop sloppily, DNSSEC will  
expose that sloppiness.

My personal experience is that because of the word "Security" in  
DNSSEC, people will be looking at their registration systems from a  
different perspective: when deploying DNSSEC at the RIPE NCC we  
noticed a particular type of rollback attack was possible in the  
registration procedure. It was discovered because we were thinking  
DNSSEC, but it was a generic problem and it was duly fixed as part of  
the regular maintenance.


--Olaf
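The three parent-side sanity checks Mark lists above, worked into code as an added example (this is not code from either poster, from the RIPE NCC, or from any registry). The zone name, server names, addresses and key bytes are constructed; the DNSKEY and DS arithmetic follows RFC 4034 (DS digest over the owner name in wire form plus the DNSKEY RDATA, key tag per Appendix B). The DS check deliberately reports a DS that was pre-published for a successor key not yet in the DNSKEY RRset, which is exactly the case Mark notes the test does not support, so an operator who pre-publishes DS must whitelist that key tag or the check will block the change.

```python
# Added example: pre-delegation sanity checks a parent (or its agent) can run
# before accepting a new NS / glue / DS set. All data below is constructed.
import hashlib
from dataclasses import dataclass


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lower-cased, uncompressed), RFC 4034 s6.2."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # raw key material as carried in the RDATA

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (the algorithm-1 special case is not handled)."""
        acc = 0
        for i, byte in enumerate(self.rdata()):
            acc += byte << 8 if i % 2 == 0 else byte
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS derived from a DNSKEY: digest(owner wire form + DNSKEY RDATA), RFC 4034 s5.1.4."""
    digest = _DIGEST[digest_type](name_to_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def servers_not_returning_ns(expected_ns, answers):
    """Check 1: servers (old and new) whose NS answer is not the NS RRset being delegated."""
    want = frozenset(n.lower() for n in expected_ns)
    return sorted(s for s, got in answers.items() if frozenset(n.lower() for n in got) != want)


def glue_mismatches(expected_glue, answers):
    """Check 2: (server, host) pairs where a server's address answer differs from the glue to be added."""
    bad = []
    for server, hosts in answers.items():
        for host, addrs in expected_glue.items():
            if frozenset(hosts.get(host, ())) != frozenset(addrs):
                bad.append((server, host))
    return sorted(bad)


def orphan_ds(owner, ds_rrset, dnskey_rrset):
    """Check 3: DS records in the new DS RRset matching no published DNSKEY.
    A DS pre-published for a key not yet in the DNSKEY RRset is reported here too."""
    published = {ds_from_dnskey(owner, k, dt) for k in dnskey_rrset for dt in _DIGEST}
    return [ds for ds in ds_rrset if ds not in published]


def sample_report():
    """Run all three checks over constructed answers (names, addresses and key bytes are made up)."""
    zone = "example.museum."
    new_ns = {"ns1.example.museum.", "ns2.example.museum."}
    # Answers collected from every old and new server; ns2 still serves the old NS set.
    ns_answers = {
        "ns.old-provider.example.": {"ns1.example.museum.", "ns2.example.museum."},
        "ns1.example.museum.": {"ns1.example.museum.", "ns2.example.museum."},
        "ns2.example.museum.": {"ns.old-provider.example."},
    }
    glue = {"ns1.example.museum.": {"192.0.2.1"}, "ns2.example.museum.": {"192.0.2.2"}}
    glue_answers = {
        "ns.old-provider.example.": {"ns1.example.museum.": {"192.0.2.1"}, "ns2.example.museum.": {"192.0.2.2"}},
        "ns1.example.museum.": {"ns1.example.museum.": {"192.0.2.1"}, "ns2.example.museum.": {"192.0.2.2"}},
        "ns2.example.museum.": {"ns1.example.museum.": {"192.0.2.1"}, "ns2.example.museum.": {"198.51.100.2"}},
    }
    ksk = DNSKEY(257, 3, 8, bytes(range(1, 65)))            # constructed key material, not a real key
    zsk = DNSKEY(256, 3, 8, bytes(range(64, 0, -1)))
    successor = DNSKEY(257, 3, 8, bytes(range(100, 164)))   # next KSK, DS pre-published, key not yet in zone
    ds_rrset = [ds_from_dnskey(zone, ksk), ds_from_dnskey(zone, successor)]
    return {
        "ns": servers_not_returning_ns(new_ns, ns_answers),
        "glue": glue_mismatches(glue, glue_answers),
        "ds": [ds.key_tag for ds in orphan_ds(zone, ds_rrset, [ksk, zsk])],
    }


if __name__ == "__main__":
    print(sample_report())
```

In production the `answers` dictionaries would be filled by querying each listed server directly (not through a recursive resolver, which would hide per-server disagreement), and the DNSKEY RRset would be fetched from the child with DNSSEC OK set so the DS comparison is made against what the child actually serves.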