Educause Security Discussion mailing list archives
Re: DNSSEC Implementations
From: Martin Manjak <mm376 () ALBANY EDU>
Date: Thu, 23 Dec 2010 10:49:29 -0500
Jack,

That's a good description of our efforts as well. We are basically re-architecting our DNS service. For example, we have decided to separate the authoritative and recursive functions into separate servers.

One other aspect that I will mention is working with delegated zones. If you delegate to an internal entity, you will need to coordinate this effort with them.

Chris, we are not using Windows DNS servers for our enterprise systems, but other groups on campus are and your comment is helpful.

I'm curious to know what the implications are for registration systems such as NetReg.

Marty

On 12/22/2010 3:57 PM, Jack Suess wrote:
UMBC just went through the process and upgraded our DNS environment to DNSSEC. I assigned this in the spring (April) and gave them till the end of the calendar year to complete this. Working on other projects as well we did this in six months. It was an excellent learning opportunity and caused them to go back and review the whole DNS setup and clean up a number of little things that should have been addressed years ago. I recommend putting this on the new project list.

jack suess

On Dec 22, 2010, at 2:40 PM, Chris Green wrote:

My only anecdote thus far is when we did 2008R2 and upgraded our last DC, we broke NIH.GOV lookups due to EDNS0 / RFC2671 being turned on by default. http://support.microsoft.com/kb/832223

Those are my favorite kind of errors: ‘intermittent network issues’ in departments fairly removed from the time of configuration change.

I half expect more things to go the way chome plop in internal resolvers to help users debug issues.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Allen Barrett
Sent: Wednesday, December 22, 2010 1:26 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] DNSSEC Implementations

We've all got to do it sooner or later. I've been resisting, but I'll have to bite the bullet. We're a Microsoft shop... I'd be interested in hearing any anecdotal posts from others running MS DNS servers....

On Wed, Dec 22, 2010 at 1:18 PM, Martin Manjak <mm376 () albany edu> wrote:

We are in the process of planning for our DNSSEC implementation. First, is there a separate list for .edus that are rolling this out? If not, and the topic belongs here, I would like to hear from any schools that have deployed it, or are planning to deploy it.
Marty

--
Martin Manjak
Information Security Officer
University at Albany
CISSP, GSEC, GCWN
"What information consumes...is the attention of its recipients." Herbert Simon, 1971

--
Allen Barrett
IT Security and Systems Administrator
Harding University
Admin 304
(501) 279-4198

Jack Suess
UMBC VP of IT & CIO
jack () umbc edu
1000 Hilltop Circle
410.455.2582
Baltimore Md, 21250

--
Martin Manjak
Information Security Officer
University at Albany
CISSP, GSEC, GCWN
"What information consumes...is the attention of its recipients." Herbert Simon, 1971