Educause Security Discussion mailing list archives
Re: DNSSEC Anyone?
From: "Beadles, Mark A." <mbeadles () OAR NET>
Date: Fri, 2 Feb 2018 16:51:02 +0000
I don’t know the source of that ‘master’ list of university domains but it’s nowhere near complete. There are over 4500 degree-granting institutions in the US alone, and even a cursory check shows the json is missing a lot of notable institutions and some entries are quite stale, having changed their domain name years ago. Mark Beadles beadles.5 () osu edu From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Asphyxia R4P3 Sent: Friday, February 02, 2018 11:31 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] DNSSEC Anyone? I must have overlooked some EDUs. Postsecondary institutions in the USA have only a ~4.6% adoption rate regarding DNSSEC over the period of 2,741 days. I hacked together shame-free Bash for checking DNSSEC usage. You will need bind-utils for this to work, simply copy and paste: wget https://raw.githubusercontent.com/Hipo/university-domains-list/master/world_universities_and_domains.json cat world_universities_and_domains.json | grep ".edu\"" | grep -v "http" >aye wc -l aye #2,379 domains will be checked for DNSSEC. tr -d ' \t"' <aye >away #Formatting for delivery to dig. dig @9.9.9.9 +dnssec -f away | grep "ad;" #you can change the 9s to 8s if you love Google A great article on the importance of DNSSEC can be found here<http://www.circleid.com/posts/20150318_is_dnssec_worth_the_effort/>. DNSEC is to DNS what HTTPS is to HTTP. Protocols are becoming stronger and we have 'free security', as in free armor. We get to choose whether we put free armor on or toss armor in the wardrobe in favor of penetrable fabric. I applaud Stanford, Westfield State University and Bryn Mawr College for their efforts in securing the DNS architecture. Happy Friday everyone! Warm Regards, Asphyxia ---- On Fri, 02 Feb 2018 05:22:57 -0800 Childs, Aaron <aaron () WESTFIELD MA EDU<mailto:aaron () WESTFIELD MA EDU>> wrote ---- Hi Asphyxia, We’ve been using DNSSEC for six years now. Aaron Aaron Childs, Director [cid:image001.jpg@01D39C19.FE0BFBB0] Infrastructure Services Information Technology Services Wilson Hall - 577 Western Ave. Westfield MA 01086 P 413.572.5527 F 413.572.5615 aaron () westfield ma edu<mailto:aaron () westfield ma edu> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>] On Behalf Of Asphyxia R4P3 Sent: Friday, February 2, 2018 3:12 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] DNSSEC Anyone? I have looked at quite a few EDU domains and only Stanford.edu seems to have implemented DNSSEC. For more information on DNSSEC and mitigating DNS cache poisoning, check here<https://net.educause.edu/faq/dnssec>. DNSSEC support came almost 8 years ago. Does anyone else use DNSSEC? Kindly, Asphyxia
Current thread:
- DNSSEC Anyone? Asphyxia R4P3 (Feb 02)
- Re: DNSSEC Anyone? McDowell, Karen (krm6r) (Feb 02)
- Re: DNSSEC Anyone? Andrew Chiarello (Feb 02)
- Re: DNSSEC Anyone? Childs, Aaron (Feb 02)
- Re: DNSSEC Anyone? Asphyxia R4P3 (Feb 02)
- Re: DNSSEC Anyone? Beadles, Mark A. (Feb 02)
- Re: DNSSEC Anyone? Asphyxia R4P3 (Feb 02)
- Re: DNSSEC Anyone? McDowell, Karen (krm6r) (Feb 02)