[unisog] DNS security advisory

Alan Clegg alan at clegg.com
Tue Jul 8 21:51:35 GMT 2008



Scott Dier wrote:
> Alan Clegg wrote:
>> I'm the author of the "DNSSEC in 6 minutes" presentation (I'm officially
>> alan_clegg at isc.org -- that's where my paycheck comes from).
> 
> The .org dnssec deployment estimates 2010 (!) for general use of DNSSEC
> in .org.  Does it seem like the current fixes seem like they might tide
> us over into 2010 and beyond?
> 
> A coworker was sort of worried that DNSSEC is going to be a lot like
> IPv6 -- it always seems to be 3 or 4 years out.

I understand your point 100%.  I'm facing the same questions every time
I teach class regarding DNSSEC -- people have thanked me for teaching
them about a technology that they will "never be allowed to deploy".

While the signing of the root ('.') is still a political football, there
is more motion behind DNSSEC than meets the eye.  I'm thinking that the
signing of .org is much closer than 2010 (however I would not dare to
speculate on the current fixes holding until then).

I'm currently running DNSSEC on over 40 zones using DLV -- more
information on that here:  http://www.isc.org/ops/dlv

You can deploy DNSSEC well before the root signing, and yes, it really
does work.

Even if you don't deploy DNSSEC, please deploy the port randomization
patches -- and remove all of those

      query-source address * port 53;

statements.

AlanC
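As an added illustration that is not part of Alan's message: a small checker that scans a BIND named.conf for the fixed-port `query-source` / `query-source-v6` statements he asks people to remove. In BIND, `port *` (or no port clause at all) lets the server choose a random source port, so only a numeric port is reported. The sample configurations are constructed for the example.

```python
import re
import sys

# Constructed named.conf fragments (not from the original message).
WEAK_CONF = """
options {
    directory "/var/named";
    query-source address * port 53;      // pins every query to UDP/53
    query-source-v6 address * port 53;
};
"""

FIXED_CONF = """
options {
    directory "/var/named";
    query-source address *;              // port omitted -> random source port
    query-source-v6 address * port *;    // '*' also means random
};
"""

# One query-source / query-source-v6 statement, up to its terminating ';'.
_QS_RE = re.compile(
    r"^\s*(query-source(?:-v6)?)\s+([^;]*?);",
    re.MULTILINE,
)
# Optional 'port' clause inside that statement: a number or '*'.
_PORT_RE = re.compile(r"\bport\s+(\*|\d+)")


def strip_comments(text):
    """Drop named.conf comments: /* ... */, // ... and # ... to end of line."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#).*", "", text)


def find_fixed_source_ports(conf_text):
    """Return [(statement, port), ...] for every query-source statement that
    pins a fixed numeric port.  'port *' or no port clause is not reported."""
    findings = []
    for m in _QS_RE.finditer(strip_comments(conf_text)):
        stmt, body = m.group(1), m.group(2)
        pm = _PORT_RE.search(body)
        if pm and pm.group(1) != "*":
            findings.append((stmt, int(pm.group(1))))
    return findings


if __name__ == "__main__":
    # Usage: python check_qs.py /etc/named.conf   (defaults to the weak sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for stmt, port in find_fixed_source_ports(text):
        print(f"fixed source port: {stmt} ... port {port}; -> remove the port clause")
```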
