[unisog] DNS security advisory
alan at clegg.com
Tue Jul 8 21:51:35 GMT 2008
Scott Dier wrote:
> Alan Clegg wrote:
>> I'm the author of the "DNSSEC in 6 minutes" presentation (I'm officially
>> alan_clegg at isc.org -- that's where my paycheck comes from).
> The .org dnssec deployment estimates 2010 (!) for general use of DNSSEC
> in .org. Does it seem like the current fixes seem like they might tide
> us over into 2010 and beyond?
> A coworker was sort of worried that DNSSEC is going to be a lot like
> IPv6 -- it always seems to be 3 or 4 years out.
I understand your point 100%. I'm facing the same questions every time
I teach class regarding DNSSEC -- people have thanked me for teaching
them about a technology that they will "never be allowed to deploy".
While the signing of the root ('.') is still a political football, there
is more motion behind DNSSEC than meets the eye. I'm thinking that the
signing of .org is much closer than 2010 (however I would not dare to
speculate on the current fixes holding until then).
I'm currently running DNSSEC on over 40 zones using DLV -- more
information on that here: http://www.isc.org/ops/dlv
You can deploy DNSSEC well before the root signing, and yes, it really
Even if you don't deploy DNSSEC, please deploy the port randomization
patches -- and remove all of those
query-source address * port 53;
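A check for the statement named in the message above, added here as an example and not part of the original post: it scans named.conf text for query-source / query-source-v6 statements that pin outgoing queries to a numeric port, which defeats source port randomization. The function name and the sample configuration are constructed for illustration.

```python
import re

# Comments in named.conf: /* ... */, // ..., # ...
_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# A query-source or query-source-v6 statement up to its terminating semicolon.
_STMT = re.compile(r"\bquery-source(?:-v6)?\b[^;]*;")
# A literal port number ("port *" lets the resolver pick the port itself).
_FIXED_PORT = re.compile(r"\bport\s+(\d+)")


def _blank(match):
    # Replace a comment with spaces, keeping newlines so line numbers survive.
    return re.sub(r"[^\n]", " ", match.group(0))


def find_fixed_query_source(conf_text):
    """Return (line_number, port, statement) for each query-source
    statement that pins the resolver's outgoing queries to one port."""
    text = _COMMENT.sub(_blank, conf_text)
    findings = []
    for m in _STMT.finditer(text):
        port = _FIXED_PORT.search(m.group(0))
        if port:
            line_no = text.count("\n", 0, m.start()) + 1
            stmt = " ".join(m.group(0).split())  # collapse multi-line statements
            findings.append((line_no, int(port.group(1)), stmt))
    return findings


# Constructed sample named.conf fragment (not from the original post).
SAMPLE = """\
options {
    directory "/var/named";
    // query-source address * port 53;   (commented out: ignored)
    query-source address * port 53;
    query-source-v6 address * port *;
    /* query-source port 5353; */
};
view "internal" {
    query-source
        address 192.0.2.1
        port 53;
};
"""

if __name__ == "__main__":
    for line_no, port, stmt in find_fixed_query_source(SAMPLE):
        print(f"line {line_no}: fixed source port {port}: {stmt}")
```

Statements inside `view` blocks are reported too, since a fixed port there overrides whatever the global options allow.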