Educause Security Discussion mailing list archives
Re: DNSSEC Deployment
From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Mon, 17 May 2010 11:44:17 -0700
Jason asked: #Has anyone deployed/started to deploy DNSSEC? Any gotchas to look out #for? Any commentary on system load, network load, etc? # #With Educause signing .edu in June, I suppose we are being pushed into #at least looking seriously at deploying DNSSEC.. I'm still extremely #skeptical of the technology, but it looks inevitable at this point. A growing number of higher education sites are indeed doing DNSSEC. For example, UO now routinely does DNSSEC validation on its campus production resolvers, see https://www.dnssec.uoregon.edu/ and Internet2.edu now routinely signs its zone (you can see the trust relationship if you go to http://dnsviz.net/d/internet2.edu/dnssec/ ) I wouldn't treat DNSSEC as an isolated project, however; I'd encourage you to consider it as part of a larger project to improve the quality and security of your campus' DNS. If you're interested, the slides from my Educause Security Professionals 2010 pre-conference seminar, "Securing DNS: Doing DNS as if DNS Actually Mattered," are available from http://www.uoregon.edu/~joe/secprof10-dns/secprof10-dns.ppt (or .pdf) The other thing that should probably be part of your campus network/DNS roadmap is support for IPv6. I view the case for doing IPv6 as far more immediately pressing than the case for doing DNSSEC (although both are a good idea). If folks are interested, I've also got slides for IPv6, see http://www.uoregon.edu/~joe/ipv6-training/ipv6-training.ppt (or .pdf) I mention IPv6 here because at the same time you're planning and upgrading your DNS to support DNSSEC, don't forget that you also want to support IPv6. Feel free to drop me a note if you have any questions, Regards, Joe St Sauver (joe () internet2 edu or joe () oregon uoregon edu) http://www.uoregon.edu/~joe/ Disclaimer: all opinions my own
Current thread:
- DNSSEC Deployment Jason Frisvold (May 17)
- <Possible follow-ups>
- Re: DNSSEC Deployment Joe St Sauver (May 17)
- Re: DNSSEC Deployment Michael Sinatra (May 17)
- Re: DNSSEC Deployment John Kristoff (May 17)
- Re: DNSSEC Deployment Jason Frisvold (May 17)
- Re: DNSSEC Deployment John Ladwig (May 17)
- Re: DNSSEC Deployment Joe St Sauver (May 17)
- Re: DNSSEC Deployment Michael Sinatra (May 17)
- Re: DNSSEC Deployment Joe St Sauver (May 17)
- Re: DNSSEC Deployment Michael Sinatra (May 17)
- Re: DNSSEC Deployment John Kristoff (May 17)
- Re: DNSSEC Deployment Jason Frisvold (May 17)
(Thread continues...)