[Cialug] SOT: DNSSEC and what it means to the average joe

Jeffrey Ollie jeff at ocjtech.us
Thu Jan 28 19:44:13 CST 2010


On Thu, Jan 28, 2010 at 4:16 PM, Josh More
<morej at alliancetechnologies.net> wrote:
> I'm not an expert, but here's my quick opinion anyway:
>
> 1) It cryptographically signs DNS records (and perhaps transactions)

DNSSEC does not encrypt/sign transactions.

> 2) It uses chain of trust, so I don't think it will be much good until
> the TLDs implement them.  I know the process started on .mil and .gov.
> I don't know where .com, .net and .org are in the process.

Until the DNS root and the TLDs are ready, you can use DNSSEC
lookaside validation (DLV).

https://dlv.isc.org/

> 3) In BIND, at least, the security history hasn't been that great.  I'd
> say to let the technology mature before you even touch it.  Implementing
> a weak security system can decrease your overall security to the point
> where it's less than it would have been if you'd done nothing.

I don't think that BIND's security history is any better or worse than
any other random package; it's just that the problems get magnified
because of the extremely critical role BIND plays in the internet and the
fact that many people don't keep up with patches.  Also many of BIND's
perceived problems are from structural problems with the DNS protocol.
From what I've seen the BIND developers are extremely quick to
release patches for security issues.

Setting BIND up to use DLV to do DNSSEC validation on recursive
queries is pretty straightforward.  DNSSEC signing your own domain
takes some more work; you'll definitely want to read up and make sure
you know what you are doing.

> 4) If you don't run any Internet DNS, I don't think that there is
> anything you can do.  Leave it up to the providers.

Don't just leave it up to the providers, as DNSSEC will prevent
providers from returning bogus DNS entries to redirect you to
ad-ridden "support" pages.  We need to insist that providers support
DNSSEC.

-- 
Jeff Ollie
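Editor's added example, not code from the thread: the "chain of trust" in point 2 is the link between a zone's DNSKEY and the DS record its parent publishes, and a DLV record (RFC 4431) has the same format as DS, so a validator consulting dlv.isc.org performs exactly this check against the lookaside registry instead of the parent. The key bytes and owner name below are constructed, meaningless values.

```python
# Added example (not from the mailing-list thread): how a DNSSEC validator
# links a child zone's DNSKEY to the DS record published by its parent.
# A DLV record (RFC 4431) has the same wire format as DS, so the same check
# applies when the trust anchor comes from a lookaside registry instead.
# Key material below is a constructed, meaningless value.
import base64
import hashlib
import struct


def owner_name_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form: length-prefixed labels plus root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> dict:
    """What a zone operator hands to the parent (or to DLV): DS with SHA-256 digest (RFC 4509)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm, "digest_type": 2, "digest": digest}


def ds_matches_dnskey(owner: str, ds: dict, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bool:
    """Validator side: does this DS (or DLV) record vouch for this DNSKEY? Only digest type 2 handled."""
    if ds["digest_type"] != 2:
        return False
    expected = make_ds(owner, flags, protocol, algorithm, pubkey_b64)
    return (ds["key_tag"] == expected["key_tag"] and ds["algorithm"] == algorithm
            and ds["digest"].lower() == expected["digest"])


if __name__ == "__main__":
    ds = make_ds("example.com.", 257, 3, 8, "AQIDBA==")  # constructed KSK, algorithm 8 = RSASHA256
    print("example.com. IN DS", ds["key_tag"], ds["algorithm"], ds["digest_type"], ds["digest"])
```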

