On 18/05/13 01:12, bad apple wrote:

> Even the techies I know seem to have a blind spot about this: SSH, mail
> and web servers are all locked down and well looked after whilst DNS
> just swings in the wind. There is even a three-step wizard in bloody
> Server 2012 (Microsoft) that correctly implements DNSSEC on your zones,
> for the love of god. So, if you admin any DNS servers and aren't running
> DNSSEC on them, please also kill yourself now.

I don't know that it is a blind spot; it may be a rational response to the environment which exists.

DNSSEC is not simply a case of signing your zones. Anyone can sign a zone file; it is one command in dnssec-tools (who needs a wizard?). It also requires trust management, and that is the messy bit.

It was only just over 2 years since the folks running .ORG finished convincing themselves they could do a zone transfer successfully with DNSSEC, and they had to make some fixes to their interfaces after that report was done.

To choose to implement it, we'd do it everywhere (we can't be messing about with some TLDs and not others, some registrars and not others). We need every registry we use to be on board and up to speed; I think that is now (finally) the case. We also want most registrars we do transfers with, which is potentially all of them, to be up to speed, to avoid outage on zone transfers (not happened yet).

In our case we would probably have to switch most of our domains to a new registrar, as one of the current ones doesn't implement a proper procedure for DS delegation yet (they are late to the party). As such it can't be routine: they still take DS delegation requests by email. I can send them several thousand emails fairly swiftly if I choose to implement DNSSEC; I'm guessing it might take them a while to process them.

The upshot of getting it right is great; get it wrong and you break a small number of users' access to the DNS in ways which aren't reported to end users clearly.
This is not a good situation to present to management: "I want to rewrite all the scripts we use for DNS management, I want to make fundamental changes to how DNS works here, I want to migrate all zones to a new registrar, it will protect a few people from an attack you've never seen as a problem. I want to complicate an already messy domain transfer procedure. The best case scenario is everything works as before, the worst case scenario is we break the DNS for some of our customers' users (they'll know it is our fault but they might not be able to explain what we did in their support requests)."

Management are likely to say "can we do this some other way", and I can say "we could sell all our clients who want this sort of protection SSL certificates and pocket a tidy profit per client" in the process.

The cost of implementation of these changes is going to be fairly substantial, and the benefits are marginal (we can say we support DNSSEC on the website when selling domains). These types of change are not going to happen unless there is a mandate, like .GOV users had, or a client who demands it and is big enough financially to be worth the costs.

Most end users, as far as I can establish, are not validating DNSSEC responses. Folks do try:

http://dnssectest.sidn.nl/test.php
http://dnssec.vs.uni-due.de/

I'm protected. When I looked at public open resolvers not long ago, I found the situation was dire. Seems Google now do DNSSEC validation on 8.8.8.8 and 8.8.4.4; seems it was added 12 days ago!

http://googleonlinesecurity.blogspot.co.uk/2013/03/google-public-dns-now-supports-dnssec.html

Validating DNSSEC is the easy bit; all most people need to do is switch it on in their resolver software. I can imagine Google's was harder work than that, purely from a question of scale.
If I was trying hard to sell DNSSEC to management, I might plug it as making it harder for clients to move domains away ;)

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
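An added example, not part of the post above, for the DS delegation step the post calls the messy bit: the DS record handed to the registrar is a hash of the zone's KSK DNSKEY, so an operator can derive it locally and check that what the parent zone actually publishes matches. The layout follows RFC 4034; the zone name and key bytes are constructed sample values, not a real key.

```python
import base64
import hashlib
import struct

# Constructed sample KSK for the zone (flags 257 = ZONE|SEP, protocol 3,
# algorithm 8 = RSASHA256). The key bytes are dummy values, not a real key.
ZONE = "example.com."
SAMPLE_DNSKEY = {
    "flags": 257,
    "protocol": 3,
    "algorithm": 8,
    "public_key": "AQIDBA==",  # base64 of bytes 01 02 03 04 (constructed)
}


def dnskey_rdata(key):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    header = struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"])
    return header + base64.b64decode(key["public_key"])


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical lowercase wire-format owner name: example.com. -> \\x07example\\x03com\\x00."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def make_ds(name, key):
    """DS RDATA text (digest type 2, SHA-256): '<keytag> <alg> 2 <hex digest>'."""
    rdata = dnskey_rdata(key)
    digest = hashlib.sha256(owner_wire(name) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {key['algorithm']} 2 {digest}"


def ds_matches(published_ds, name, key):
    """True if the DS the parent zone/registrar publishes was derived from this KSK."""
    published = [f.upper() for f in published_ds.split()]
    return published == make_ds(name, key).split()
```

Running `make_ds` against the KSK in your own zone file and `ds_matches` against the DS returned by the parent's nameservers is a quick pre-flight check before, and after, a registrar processes a delegation request.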