Firms Tackle Security Flaw In Web Addressing System
John Hascall
john at iastate.edu
Fri Jul 11 13:14:46 UTC 2008
> DNSSEC is NOT complex to deploy. There is NOT a steep
> learning curve. And while DNSSEC does use more resources
> most nameservers could turn it on and not notice.
>
> http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf
>
> I've helped teach DNSSEC to engineers who have never run a
> nameserver until a few days before.
Well, maybe I'm a moron then because I couldn't even read your (ISC's)
77 page document in 6 minutes let alone learn it well enough
to feel confident I understood it. And then for us to implement
it for 1500 zones on 11 servers is a whole 'nother kettle of fish.
One thing that did catch my eye was, in your example, signing the
zone file caused it to grow 11-fold (2378 bytes -> 26970 bytes).
Is this typical? Can we expect our ~GB of zone data to become 11GBs?
Is there then a corresponding increase in network traffic?
Also as a "NetReg" site we are heavily into dynamic dns update - how,
if at all, is that affected?
Further we are also a Hesiod site -- any implications there?
Finally, is there a list of the tlds (.edu, .org, .net, .com, etc)
doing DS records at this point?
Thanks,
John
More information about the bind-users
mailing list