Educause Security Discussion mailing list archives

Re: DNSSEC Deployment


From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Mon, 17 May 2010 11:53:35 -0700

On 05/17/10 11:43, Jason Frisvold wrote:

> Has anyone deployed/started to deploy DNSSEC?  Any gotchas to look out
> for?  Any commentary on system load, network load, etc?

Yes, UC Berkeley has done so, both from a validation and signing
perspective.  We have not, however, placed our trust-anchors in a
public, production location (ITAR, DLV), except for SecSpider, which is
automatic.

System and network load aren't much of an issue.  As I have said in
public presentations on the subject, it has taken the world so long to
deploy DNSSEC that hardware has more than caught up with the additional
resource load.

The issue that you need to watch for is the additional complexity in
maintaining up-to-date signatures on all of the records in your zones.
Your signing process will need to be automated, and how that is done
(and with what success) heavily depends on how you currently manage DNS.

> With Educause signing .edu in June, I suppose we are being pushed into
> at least looking seriously at deploying DNSSEC.

You are not.  There is nothing about signing the EDU zone that requires
you to deploy DNSSEC in any way.

> I'm still extremely
> skeptical of the technology, but it looks inevitable at this point.

I am interested in the source of your skepticism, and this being a
security list, it's probably a good venue to discuss it.  What's on your
mind?

michael
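The signature-maintenance burden Michael describes (keeping RRSIGs current, with automation that must not lapse) is the kind of thing worth monitoring. The following is an added example, not code from this thread or from UC Berkeley: it scans a zone-file excerpt for RRSIG records and reports which signatures have expired or will expire within a warning window. The zone excerpt and the example.edu names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed zone-file excerpt in the layout a signer such as dnssec-signzone
# emits: owner TTL IN RRSIG type alg labels origTTL expiration inception keytag signer sig
SAMPLE_ZONE = """\
www.example.edu.  3600 IN A     192.0.2.10
www.example.edu.  3600 IN RRSIG A  8 3 3600 20100620000000 20100521000000 12345 example.edu. AbCd==
mail.example.edu. 3600 IN RRSIG A  8 3 3600 20100524120000 20100424120000 12345 example.edu. EfGh==
ns1.example.edu.  3600 IN RRSIG NS 8 3 3600 20100515000000 20100415000000 12345 example.edu. IjKl==
"""

# Captures owner, covered type, expiration and inception (YYYYMMDDHHMMSS, UTC), key tag.
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+(\d+)"
)


def parse_ts(stamp):
    """Zone-file RRSIG timestamps are absolute UTC, not relative offsets."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text):
    """Return (owner, covered_type, expiration, inception, keytag) for each RRSIG line."""
    found = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if m:
            owner, rtype, exp, inc, keytag = m.groups()
            found.append((owner, rtype, parse_ts(exp), parse_ts(inc), int(keytag)))
    return found


def signatures_needing_resign(zone_text, now, warn_days=7):
    """List (owner, type, days_left) for RRSIGs already expired (negative days)
    or expiring within warn_days. Anything here means the re-signing job is late
    or the expiry window is too short for the signing cadence."""
    findings = []
    for owner, rtype, exp, _inc, _tag in parse_rrsigs(zone_text):
        days_left = round((exp - now).total_seconds() / 86400, 2)
        if days_left <= warn_days:
            findings.append((owner, rtype, days_left))
    return findings


if __name__ == "__main__":
    for item in signatures_needing_resign(SAMPLE_ZONE, datetime.now(timezone.utc)):
        print("RRSIG needs attention:", item)
```

Run it against the output of your signer (or a zone transfer) from cron; an empty result on every run is the steady state you want.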
