netsec-sig - Re: [Security-WG] [NTAC] Based on community input, suggesting an DNS Resilience Initiative
Subject: Internet2 Network Security SIG
- From: "O'Brien, John W"
- To: Karl Reuss, John Kristoff, Steve Wallace
- Subject: Re: [Security-WG] [NTAC] Based on community input, suggesting an DNS Resilience Initiative
- Date: Fri, 6 Dec 2019 16:58:33 +0000
"DNSSEC is tedious to setup" sounds like it harkens back to the early (dark)
days of DNSSEC. My experience lately is that DNSSEC validation couldn't
possibly be easier to set up---some implementations have even started enabling
it by default---and that signing is quite straightforward. Maybe that means
I should give one of these tutorials of which you speak.
On 2019/12/06, 11:21, Karl Reuss wrote:
On 12/5/19 9:13 PM, John Kristoff wrote:
> Alternatively, an Internet2 owned and operated authoritative,
> secondary, or resolver service might also be a worthwhile member
> benefit to take advantage of. If Internet2 could run some anycast
> instances for us to secondary on as part of our membership fee or for
> a nominal fee, that would be really, really nice.
>
This is an excellent idea!
I would add DNSSEC tutorials to the list. DNSSEC is tedious to setup,
but helps with hardening both the authoritative and recursive sides of DNS.
-Karl