[dnssec-deployment] Getting started...

Kevin Oberman oberman at es.net
Sun Jul 12 12:02:35 EDT 2009

> Sender: "DNSSEC deployment" <dnssec-deployment at shinkuro.com>
> Date: Sun, 12 Jul 2009 06:49:04 -0700 (PDT)
> From: tlhackque at yahoo.com
> Is there a document (or perhaps a wiki) that provides instructions for
> deploying DNSSEC?
> I've followed this story for rather a while, and it seems that the
> complications and subtleties keep piling up.  But I don't see where to
> go to get the current recipe for an administrator to turn DNSSEC
> on...as best I can tell, each administrator has to synthesize it from
> fragments of information scattered about the net.  That can't be true,
> can it?
> I have a modest family (non-commercial) network - about 40 zones,
> split-view DNS (more internal than external), about 5 BIND servers
> with zone replication, and clients using XP, Linux, MacOS - and some
> legacy hardware (like VAX/VMS and even some TOPS-10/20)...and I'm a
> 1-person operation -- no armies of specialists.  But I take the
> network seriously -- more seriously than some companies that I've seen
> :-) I live under the .net TLD.
> What I'm looking for is the HOWTO that covers:
> - Generating, installing, automatically rolling-over, revoking keys.
> - Best practices for key lengths, roll-over frequency, etc.
> - Considerations for DNS Dynamic Update, including DHCP.  I use ISC
> dhcp as well as dhcp in Cisco IOS routers.
> - What's available for tools/scripts to automate managing a DNSSEC
> environment.  I would hope that I don't have to roll my own key
> roll-over & service aliveness scripts...and that I don't have to start
> from scratch when updating my DNS management GUI (uses dynamic update)
> to comprehend DNSSEC.
> - Client considerations: dnssec setup for resolvers, applications. 
> Should one install DNSSEC-aware resolvers?  Which ones?  Or simply
> trust my internal BIND servers?  What happens when a client VPNs into
> their company's office network?  Or is in some hotel - is
> reconfiguration necessary on the client where it won't have a
> DNSSEC-capable server to talk to?  What does one have to tell users?
> - What's the best way to upgrade a live environment to DNSSEC?  How
> does one prevent service disruption in the process?  I assume one
> starts at the top of one's domain hierarchy & delegates down?  At
> what point does one register a DLV entry - before starting?  After the
> top-level zone is signed?  After all the zones are signed?
> Ideally there should be a template plan/checklist for upgrading an
> environment to DNSSEC.  At least if we want it adopted...  I can't be
> the only one looking for this.

Like a lot of new "high tech" tools, the documentation seems to lag a
bit and, for something as complex as DNSSEC, it probably lags more and
is needed more. 

I don't have a complete answer that covers all of your points. Several
can be done in several ways and there is not enough experience to have a
"best current practice". (There is barely current practice.)

For general instructions of "how to", I strongly recommend NIST
SP800-81. Revision 1 is in draft, but should be released
It is very readable and provides command by command details for
implementing DNSSEC in BIND.

Some of your questions lack answers. There is no standard mechanism for
applications to get DNSSEC validation information. Resolvers simply
return "server failed" when validation fails. Also, I am not aware of
any good support for validation in stub resolvers, though that seems to
be getting closer.

Good luck with the VMS and TOPS systems. VMS is still the best OS I have
ever worked with in my 35+ years in the industry and I really wish DEC
had not made so many marketing mistakes that effectively killed it. I
just learned that HP has now moved all VMS support to India and the last
of the old-line VMS people are calling it quits. The last I know of was
Andy Goldstein who recently announced that he is retiring.

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
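
Added example, not part of the original message: the reply notes that a validating resolver reports a validation failure only as "server failed". One common way to tell that case apart from an ordinary SERVFAIL is to repeat the query with the CD (checking disabled) bit set and compare the two reply headers (RFC 4035 flag bits). The function names, the example.net query name and the sample headers are constructed for illustration.

```python
import struct

# DNS header flag bits and rcode (RFC 1035, RFC 4035)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
SERVFAIL = 2

def build_query(name, qtype=1, txid=0x1234, cd=False):
    """Recursive query with EDNS0 and DO=1; cd=True asks the resolver to skip validation."""
    header = struct.pack("!6H", txid, RD | (CD if cd else 0), 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT pseudo-RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, DO flag, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + qname + struct.pack("!2H", qtype, 1) + opt

def parse_header(msg):
    """Extract the rcode, AD flag and answer count from the 12-byte DNS header."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"rcode": flags & 0xF, "ad": bool(flags & AD), "ancount": an}

def classify(normal, with_cd):
    """Compare the reply to a plain query with the reply to the same query sent with CD=1."""
    n, c = parse_header(normal), parse_header(with_cd)
    if n["rcode"] == SERVFAIL:
        if c["rcode"] != SERVFAIL:
            return "likely validation failure"  # data exists but the resolver rejected it
        return "server failure unrelated to validation"
    return "validated" if n["ad"] else "answered, not validated"

def sample(flags, ancount):
    """Constructed 12-byte response header standing in for a captured reply."""
    return struct.pack("!6H", 0x1234, QR | RD | RA | flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    # Constructed (normal reply, CD=1 reply) pairs, one per outcome
    cases = {
        "bogus signatures": (sample(SERVFAIL, 0), sample(CD, 1)),
        "upstream unreachable": (sample(SERVFAIL, 0), sample(CD | SERVFAIL, 0)),
        "signed zone": (sample(AD, 1), sample(CD, 1)),
        "unsigned zone": (sample(0, 1), sample(CD, 1)),
    }
    for label, (normal, with_cd) in cases.items():
        print(f"{label}: {classify(normal, with_cd)}")
```

The comparison is a heuristic: a transient upstream failure between the two queries can produce the same pattern, so repeat the pair before concluding that a zone's signatures are broken.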
