List:       bind9-users
Subject:    Re: Most current info on DNSSEC?
From:       Jim Reid <jim () rfc1035 ! com>
Date:       2004-06-02 22:51:22
Message-ID: 27660.1086216682 () gromit ! rfc1035 ! com

>>>>> "Kevin" == Kevin  <bind@gnosys.biz> writes:

    Kevin> If I understood your reply to me then everything that I've
    Kevin> been reading in the dnssec draft documents _is_ implemented
    Kevin> in bind9.3.0beta4.  Is that right?  So I guess I could set
    Kevin> myself up as an "island of security" (from the intro draft)
    Kevin> and fool around with it a bit? 

Yes. And yes.

    Kevin> The new records shouldn't
    Kevin> cause problems for the non-security-aware resolvers and
    Kevin> name servers should they?

You tell me. Non DNSSEC-aware software probably won't see the new RRs
unless they specifically asked for them (or made an ANY query). But
what happens then is anyone's guess. Some stuff is bound to barf on
receiving an unknown record type. Though I suppose if something asked
for an RRSIG record (say) this would imply they knew how to handle it.

RFC3225 says that DNSSEC-aware resolvers are supposed to set a bit in
the EDNS0 header to tell the server "I grok DNSSEC. Give me those
RRs." So this should mean any resolvers that aren't DNSSEC-aware won't
see these RRs. This implies DNSSEC-aware resolvers use EDNS0, but
they'll be doing that anyway because signed responses are so big.
Unless bigger EDNS0 payloads were available, far too many signed
replies would get truncated.

    Kevin> Are people doing that now?  

Maybe, but this is likely to be a lesser consideration when it comes
to getting DNSSEC working and figuring out deployment strategies.

    Kevin> Is that what you meant by testbeds?  Or were you talking about
    Kevin> full-blown key signing keys by some TLDs that are helping
    Kevin> to test the dnssec code?  Just curious. 

Most of the testbeds have been for things like interoperability
testing, evaluating key rollover, zone signing strategies, looking for
awkward corner cases and so on.

    Kevin> If the latter, do
    Kevin> you know of any way for me to participate in any of those
    Kevin> testbeds?  Would someone involved in those testbeds be
    Kevin> pleased or irritated by the notion of having another domain
    Kevin> owner get involved in the testing?

I think most people who play in this world have an attitude of the
more, the merrier. Though it would probably be assumed that anyone who
joined didn't need any hand-holding. Visiting
	http://www.sdl.sri.com/other/dnssec
might be the best place for you to start.
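
The EDNS0 / DO-bit mechanism Jim describes above (RFC 3225), as an added example that is not part of the original thread or of BIND: stdlib-only Python that builds a query carrying an OPT pseudo-RR with the DO bit set and an advertised UDP payload size, and reads those two fields back out of any DNS message so you can check what a resolver actually sent. The 4096-byte payload and the `build_query` / `parse_opt` names are assumptions for the example, not values from the post.

```python
import struct

OPT_TYPE = 41      # EDNS0 OPT pseudo-RR type (RFC 2671)
DO_BIT = 0x8000    # RFC 3225: top bit of the OPT RR's 16-bit flags field

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus root."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype, qid=0x1234, payload=4096, do=True, edns=True):
    """Build a DNS query; with edns=True an OPT RR is appended (DO=1 asks for DNSSEC RRs)."""
    arcount = 1 if edns else 0
    hdr = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD set, one question
    question = encode_name(name) + struct.pack(">HH", qtype, 1)   # IN class
    if not edns:
        return hdr + question
    flags = DO_BIT if do else 0
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL = extended RCODE (8) | EDNS version (8) | flags (16), RDLEN=0
    opt = b"\x00" + struct.pack(">HHBBHH", OPT_TYPE, payload, 0, 0, flags, 0)
    return hdr + question + opt

def skip_name(pkt, off):
    """Return the offset just past a (possibly compression-pointer) name."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def parse_opt(pkt):
    """Return {'payload': n, 'do': bool} if the message carries an OPT RR, else None."""
    qd, an, ns, ar = struct.unpack(">HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return {"payload": rclass, "do": bool(ttl & DO_BIT)}
    return None
```

A response from a DNSSEC-aware server can be fed to `parse_opt` unchanged to confirm it echoed an OPT RR; a message with no OPT RR at all is what a non-EDNS0 resolver would send, and it yields `None`.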
