Educause Security Discussion mailing list archives
Re: DNSSEC Deployment
From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Mon, 17 May 2010 11:53:35 -0700
On 05/17/10 11:43, Jason Frisvold wrote:
> Has anyone deployed/started to deploy DNSSEC? Any gotchas to look out for? Any commentary on system load, network load, etc?
Yes, UC Berkeley has done so, both from a validation and signing perspective. We have not, however, placed our trust-anchors in a public, production location (ITAR, DLV), except for SecSpider, which is automatic.

System and network load aren't much of an issue. As I have said in public presentations on the subject, it has taken the world so long to deploy DNSSEC that hardware has more than caught up with the additional resource load.

The issue that you need to watch for is the additional complexity in maintaining up-to-date signatures on all of the records in your zones. Your signing process will need to be automated, and how that is done (and with what success) heavily depends on how you currently manage DNS.
> With Educause signing .edu in June, I suppose we are being pushed into at least looking seriously at deploying DNSSEC..
You are not. There is nothing about signing the EDU zone that requires you to deploy DNSSEC in any way.
> I'm still extremely skeptical of the technology, but it looks inevitable at this point.
I am interested in the source of your skepticism, and this being a security list, it's probably a good venue to discuss it. What's on your mind?

michael