netsec-sig - Re: [Security-WG] [NTAC] Based on community input, suggesting an DNS Resilience Initiative

  • From: "O'Brien, John W" <>
  • To: Karl Reuss <>, John Kristoff <>, Steve Wallace <>
  • Cc: "" <>, "" <>
  • Subject: Re: [Security-WG] [NTAC] Based on community input, suggesting an DNS Resilience Initiative
  • Date: Fri, 6 Dec 2019 20:27:16 +0000

I agree entirely that DNSSEC adoption is slow, and I expect its reputation
for being difficult to deploy and having particularly gnarly failure modes is
a big part of that. What I was getting at is that perhaps enough of those
sharp edges have been smoothed over that it would be a good time for folks to
take another look. Tutorials and reports of operational experience would
surely help.

Incidentally, I have asked EDUCAUSE to add support for CDS and CDNSKEY to
make KSK maintenance easier. If others bring this up too, perhaps it will
gain traction.

On 2019/12/06, 15:17, "Karl Reuss" <> wrote:

Maybe tedious isn't the right word. Overwhelming? I just ran a very
unscientific test with a few scripts. I looked at all speakers for the
upcoming TechEX and grepped for 'University'. I found 42 corresponding .edu
DNS names, but only three of them have DS records. upenn.edu is one of the
few. Something is slowing the adoption of DNSSEC in higher-ed.

-Karl


On 12/6/19 11:58 AM, O'Brien, John W wrote:
> "DNSSEC is tedious to set up" sounds like it harkens back to the early
> (dark) days of DNSSEC. My experience lately is that DNSSEC validation
> couldn't possibly be easier to set up---some implementations have even started
> enabling it by default---and that signing is quite straightforward. Maybe
> that means I should give one of these tutorials of which you speak.
>
> On 2019/12/06, 11:21, " on behalf of Karl
> Reuss" < on behalf of > wrote:
>
> On 12/5/19 9:13 PM, John Kristoff wrote:
> > Alternatively, an Internet2 owned and operated authoritative,
> > secondary, or resolver service might also be a worthwhile member
> > benefit to take advantage of. If Internet2 could run some anycast
> > instances for us to secondary on as part of our membership fee or
> > for a nominal fee, that would be really, really nice.
> >
>
> This is an excellent idea!
>
>
> I would add DNSSEC tutorials to the list. DNSSEC is tedious to
> set up, but helps with hardening both the authoritative and recursive sides of
> DNS.
>
>
> -Karl
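The DS records Karl counted are the parent-side digests of each zone's KSK, and the CDS records John asks EDUCAUSE to support are how a child zone publishes the DS set it wants the parent to install. The Python below is an added example, not code from anyone in this thread: it builds a DS (key tag, algorithm, SHA-256 digest) from a DNSKEY as specified in RFC 4034 and RFC 4509, and compares a child's CDS set against the parent's DS set, which is the consistency check an operator wants during a KSK rollover. The key bytes are constructed and not a usable key, and the helper names are this example's own.

```python
import base64
import hashlib

# Constructed, non-functional key material: only the digest pipeline matters here.
SAMPLE_KEY_B64 = base64.b64encode(bytes([3, 1, 0, 1, 0xAB, 0xCD])).decode()
OLD_KEY_B64 = base64.b64encode(bytes([3, 1, 0, 1, 0x01, 0x02])).decode()


def owner_wire(name: str) -> bytes:
    """Canonical owner name: lower-cased, length-prefixed labels, zero terminator (RFC 4034 s6.2)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey_b64: str, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 2-byte flags (257 = KSK), protocol (always 3), algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the algorithm-1 special case is omitted)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, algorithm: int, pubkey_b64: str) -> tuple:
    """Return (key_tag, algorithm, digest_type, digest_hex); digest type 2 is SHA-256 (RFC 4509).

    The owner name is part of the hashed input, so the same key yields a different DS per zone.
    """
    rdata = dnskey_rdata(flags, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)


def cds_vs_ds(cds: set, ds: set) -> dict:
    """Compare the child's published CDS set with the parent's DS set.

    A non-empty 'missing_at_parent' means the parent has not picked up the new key yet;
    a non-empty 'stale_at_parent' means an old DS is still delegating trust to a retired key.
    """
    return {"missing_at_parent": cds - ds, "stale_at_parent": ds - cds}


if __name__ == "__main__":
    new_ds = ds_from_dnskey("Example.EDU.", 257, 8, SAMPLE_KEY_B64)
    old_ds = ds_from_dnskey("example.edu", 257, 8, OLD_KEY_B64)
    print("DS", *new_ds)
    print(cds_vs_ds({new_ds}, {old_ds}))  # mid-rollover: new key not yet at parent, old still there
```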