Compelling Reason for Deploying DNSSEC

Tony Finch dot at dotat.at
Fri Sep 16 11:54:51 UTC 2011


michoski <michoski at cisco.com> wrote:
>
> It's basically a risk analysis game.  You should be able to think through
> common use cases for your service, and identify places where DNSSEC would
> add value.  Your business values validity of its DNS data, or not.

Apart from protecting the DNS itself, there aren't yet many applications
that make use of DNSSEC. The ones I know of are ssh (SSHFP records to
avoid leap-of-faith authentication) and Google Chrome 14+. And hopefully
before too long the IETF DANE working group will finish their
specification for anchoring TLS certificates in the DNS.

But DNSSEC deployment with BIND is getting simpler. It's pretty much a
no-brainer to enable validation on your recursive servers. It isn't
actually that hard to sign authoritative zones, especially if your tooling
is already based on dynamic DNS updates.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Southwest Forties, Cromarty, Forth, Tyne, Dogger: Southeasterly veering
southerly or southwesterly, 5 to 7, perhaps gale 8 later in Cromarty,
decreasing 4 or 5. Moderate or rough. Rain or showers. Good, occasionally
poor.
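
The SSHFP use mentioned in the message above, as an added example that is not part of the original post: this Python sketch derives SSHFP records from an OpenSSH public key line and checks a record against a key a server presents. The owner name `host.example.` and the sample key are constructed for illustration, and a match only replaces leap-of-faith authentication when the resolver has DNSSEC-validated the answer.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP key algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample key (not a real host key): wire-format blob with 32 dummy bytes.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " constructed@example"


def parse_pubkey(line):
    """Return (key_type, blob) from an OpenSSH public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed copy of the key type; they must agree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return key_type, blob


def sshfp_records(owner, pubkey_line):
    """Return zone-file SSHFP lines (SHA-1 and SHA-256) for one host key."""
    key_type, blob = parse_pubkey(pubkey_line)
    if key_type not in KEY_ALGS:
        raise ValueError("no SSHFP algorithm number for " + key_type)
    alg = KEY_ALGS[key_type]
    return [f"{owner} IN SSHFP {alg} {fp} {h(blob).hexdigest()}"
            for fp, h in sorted(FP_TYPES.items())]


def key_matches(rdata, pubkey_line):
    """Check SSHFP rdata ('alg fptype hex') against a presented host key."""
    alg, fp_type, fp_hex = rdata.split()
    key_type, blob = parse_pubkey(pubkey_line)
    hash_fn = FP_TYPES.get(int(fp_type))
    if hash_fn is None or KEY_ALGS.get(key_type) != int(alg):
        return False
    return hmac.compare_digest(hash_fn(blob).hexdigest(), fp_hex.lower())
```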



More information about the bind-users mailing list