lists.isc.org rDNS failed, DNSSEC?

Kevin Oberman kob6558 at gmail.com
Fri Feb 24 05:45:16 UTC 2012


On Thu, Feb 23, 2012 at 9:00 PM, michoski <michoski at cisco.com> wrote:
> On 2/23/12 8:48 PM, "Vinny_Abello at Dell.com" <Vinny_Abello at Dell.com> wrote:
>
>> I kind of had the same thought... If ISC had a DNS outage due to expired
>> signatures of a zone, what chance do I have in successfully deploying and
>> maintaining DNSSEC for my zones? Sure, everyone makes mistakes, but I think it
>> speaks volumes to the inherent complexity and the further need for simplifying
>> the maintenance of signed zones. I know that progress is continually being
>> made on this front and I think others agree... Just pointing it out again. I
>> have nothing against DNSSEC, personally. I'd love to deploy it. I just don't
>> have the time to maintain it or worry about maintaining it right now.
>
> Much agreed, though I want to point out that you should only generally
> deploy DNSSEC (or any new technology?) if the benefit outweighs the cost.
> Adopting new technology "just because" usually leads to trouble (or
> overworked admins that give up and go elsewhere).
>
> What's the potential risk to your organization if the mythical "determined
> attacker" is able to negatively or positively spoof resource records under
> your control?  Maybe not much for you, maybe millions for financial orgs.
>
> If the potential cost to the organization is high enough...  It will justify
> paying a team of folks to maintain DNSSEC.  :-)
>
> That said, I too look forward to a day when security is easier and more
> automatic.  Much progress has been made, and I have high hopes and faith in
> ISC and the DNS community at large.
>
> http://www.jnd.org/books.html

FWIW, we have been signing daily and rolling ZSKs every 2 weeks for
over a year with no glitches at all, though we are using a non-BIND
solution (Secure64) to do the signing. Still, it tells me that it is
possible and I suspect that BIND 10 will move closer to that point.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6558 at gmail.com
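The outage the thread is discussing (a zone whose RRSIGs expired before it was re-signed) is the kind of thing a small monitoring check catches days in advance. The following is an added example, not code from this thread, from ISC, or from any signer product; it parses RRSIG records in RFC 4034 presentation format and reports any whose expiration is past or inside a warning window. The sample records and the "now" timestamp (the date of this message) are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIGs in RFC 4034 presentation format (not real data):
# name TTL class RRSIG type-covered alg labels orig-ttl expiration inception
#      key-tag signer signature
SAMPLE_RRSIGS = """\
lists.isc.org. 3600 IN RRSIG A 8 3 3600 20120301000000 20120215000000 12345 isc.org. AAAA
lists.isc.org. 3600 IN RRSIG AAAA 8 3 3600 20120225120000 20120211120000 12345 isc.org. BBBB
isc.org. 3600 IN RRSIG SOA 8 2 3600 20120220000000 20120206000000 12345 isc.org. CCCC
"""

# Timestamp used as "now" in the demo: the date of this list message (constructed).
DEMO_NOW = "20120224054516"


def parse_ts(ts):
    """Parse a YYYYMMDDHHMMSS RRSIG timestamp as an aware UTC datetime."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one RRSIG presentation-format line into the fields we care about."""
    fields = line.split()
    if len(fields) < 12 or fields[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "name": fields[0],
        "type_covered": fields[4],
        "expiration": parse_ts(fields[8]),
        "inception": parse_ts(fields[9]),
        "key_tag": int(fields[10]),
        "signer": fields[11],
    }


def check_signatures(text, now_ts, warn_days=3):
    """Classify each RRSIG relative to now_ts.

    Returns a list of (owner name, type covered, status, time remaining)
    where status is OK, WARN (expires within warn_days), EXPIRED or
    NOT_YET_VALID (inception in the future, e.g. a clock problem).
    """
    now = parse_ts(now_ts)
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sig = parse_rrsig(line)
        remaining = sig["expiration"] - now
        if now < sig["inception"]:
            status = "NOT_YET_VALID"
        elif remaining <= timedelta(0):
            status = "EXPIRED"
        elif remaining <= timedelta(days=warn_days):
            status = "WARN"
        else:
            status = "OK"
        results.append((sig["name"], sig["type_covered"], status, remaining))
    return results


def worst_status(results):
    """Single zone-level verdict, suitable for a monitoring exit code."""
    order = ["OK", "WARN", "NOT_YET_VALID", "EXPIRED"]
    return max((r[2] for r in results), key=order.index)


if __name__ == "__main__":
    # Run against the constructed sample; swap in `dig +dnssec` output and
    # datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S") for live use.
    report = check_signatures(SAMPLE_RRSIGS, DEMO_NOW)
    for name, rtype, status, remaining in report:
        print("%-16s %-5s %-13s %s" % (name, rtype, status, remaining))
    print("zone verdict:", worst_status(report))
```

The warning window should be set against the signing cadence: with daily re-signing and a multi-week signature validity period, a signature that is within a few days of expiry means the signer has already missed several runs, which is exactly the condition that should page someone before resolvers start returning SERVFAIL.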