Educause Security Discussion mailing list archives

Re: DNSSEC Deployment


From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Mon, 17 May 2010 11:44:17 -0700

Jason asked:

#Has anyone deployed/started to deploy DNSSEC?  Any gotchas to look out
#for?  Any commentary on system load, network load, etc?
#
#With Educause signing .edu in June, I suppose we are being pushed into
#at least looking seriously at deploying DNSSEC.  I'm still extremely
#skeptical of the technology, but it looks inevitable at this point.

A growing number of higher education sites are indeed doing DNSSEC.
For example, UO now routinely does DNSSEC validation on its campus
production resolvers, see https://www.dnssec.uoregon.edu/ and
Internet2.edu now routinely signs its zone (you can see the trust
relationship if you go to http://dnsviz.net/d/internet2.edu/dnssec/ )

I wouldn't treat DNSSEC as an isolated project, however; I'd encourage
you to consider it as part of a larger project to improve the
quality and security of your campus' DNS. If you're interested, the
slides from my Educause Security Professionals 2010 pre-conference
seminar, "Securing DNS: Doing DNS as if DNS Actually Mattered," are
available from http://www.uoregon.edu/~joe/secprof10-dns/secprof10-dns.ppt
(or .pdf)

The other thing that should probably be part of your campus network/DNS
roadmap is support for IPv6. I view the case for doing IPv6 as far more
immediately pressing than the case for doing DNSSEC (although both are
a good idea). If folks are interested, I've also got slides for IPv6, see
http://www.uoregon.edu/~joe/ipv6-training/ipv6-training.ppt (or .pdf)

I mention IPv6 here because at the same time you're planning and upgrading
your DNS to support DNSSEC, don't forget that you also want to support IPv6.

Feel free to drop me a note if you have any questions,

Regards,

Joe St Sauver (joe () internet2 edu or joe () oregon uoregon edu)
http://www.uoregon.edu/~joe/
Disclaimer: all opinions my own
