Re: DNSSEC Implementations

[Martin Manjak <mm376 () ALBANY EDU>]

Jack,

That's a good description of our efforts as well. We are basically
re-architecting our DNS servce. For example, we have decided to separate
the authoritative and recursive functions into separate servers.

One other aspect that I will mention is working with delegated zones. If
you delegate to an internal entity, you will need to coordinate this
effort with them.

Chris, we are not using Widows DNS servers for our enterprise systems,
but others groups on campus are and your comment is helpful.

I'm curious to know what the implications are for registration systems
such as NetReg.

Marty

On 12/22/2010 3:57 PM, Jack Suess wrote:
> UMBC just went through the process and upgraded our DNS environment to
> DNSSEC. I assigned this in the spring (April) and gave them till the end
> of the calendar year to complete this. Working on other projects as well
> we did this in six months.  It was an excellent learning opportunity and
> caused them to go back and review the whole DNS setup and clean up a
> number of little things that should of been addressed years ago. 
>
> I recommend putting this on the new project list.
>
> jack suess
>
>
>
> On Dec 22, 2010, at 2:40 PM, Chris Green wrote:
>
> > My only anecdote thus far is when we did 2008R2 and upgraded our last
> > DC, we broke NIH.GOV <http://NIH.GOV> lookups due to EDNS0 / RFC2671
> > being turned on by default.http://support.microsoft.com/kb/832223; 
> > Those are my favorite kind of errors:  ‘intermittent network issues’
> > in departments fairly removed from the time of configuration change.
> >  
> > I half expect more things to go the way chome plop in internal
> > resolvers to help users debug issues.
> >  
> >  
> > *From:* The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Allen Barrett
> > *Sent:* Wednesday, December 22, 2010 1:26 PM
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> > *Subject:* Re: [SECURITY] DNSSEC Implementations
> >  
> >
> > We've all got to do it sooner or later.  I've been resisting, but I'll
> > have to bite the bullet.  We're a Microsoft shop...   I'd be
> > interested in hearing any anecdotal posts from others running MS DNS
> > servers....
> >
> > On Wed, Dec 22, 2010 at 1:18 PM, Martin Manjak <mm376 () albany edu
> > <mailto:mm376 () albany edu>> wrote:
> > We are in the process of planning for our DNSSEC implementation.
> >
> > First, is there a separate list for .edus that are rolling this out?
> >
> > If not, and the topic belongs here, I would like to hear from any
> > schools that have deployed it, or are planning to deploy it.
> >
> > Marty
> >
> > --
> > Martin Manjak
> > Information Security Officer
> > University at Albany
> > CISSP, GSEC, GCWN
> >
> > "What information consumes...is the attention of its recipients."
> > Herbert Simon, 1971
> >
> >
> >
> > -- 
> > Allen Barrett
> > IT Security and Systems Administrator
> > Harding University
> > Admin 304
> > (501) 279-4198
>
> Jack Suess            UMBC VP of IT & CIO
> jack () umbc edu <mailto:jack () umbc edu>    1000 Hilltop Circle
> 410.455.2582 Baltimore Md, 21250

-- 
Martin Manjak
Information Security Officer
University at Albany
CISSP, GSEC, GCWN

"What information consumes...is the attention of its recipients."
Herbert Simon, 1971