North American Network Operators Group


Re: US government mandates? use of DNSSEC by federal agencies

  • From: David Conrad
  • Date: Wed Aug 27 13:15:54 2008

On Aug 27, 2008, at 9:33 AM, Jared Mauch wrote:
> So the question I have is... will operators (ISP, etc) turn on DNSsec
> checking?

Some ISPs already do (I believe Telia-Sonera in SE is one).


> Or a more basic question of whether you even _could_ turn on
> checking if you were so inclined?

You can turn on DNSSEC if you are running BIND 9, Unbound, or Nominum CNS as a caching server. If you are running DJB's dnscache, PowerDNS, or using OpenDNS's service, you don't have the option. If you're running BIND 8 or BIND 4, kill yourself now.


> I know that we made sure it was turned on as part of our
> patch process for our customer facing resolvers.  IIRC the default
> may have changed in bind as well if you actually read the changelog.
>
> 2405. [cleanup] The default value for dnssec-validation was changed to
> "yes" in 9.5.0-P1 and all subsequent releases; this
> was inadvertently omitted from CHANGES at the time.

In BIND, there appear to be 3 things that have to be configured for DNSSEC to do anything useful:


options { dnssec-enable yes; dnssec-validation yes; };

and

trusted-keys { <the trust anchors for zones you want to validate>; };

If all of these aren't set correctly, DNSSEC might as well be off. I'm told, however, that BIND (since version 9.1) and Unbound default to always sending the "DNSSEC OK" bit on so if the zone you're talking to is signed, DNSSEC cruft will be returned regardless of whether your caching server is configured to do anything with it.

In some future and/or alternate universe, all you'll need is a single trust anchor for the root after it gets signed. Until that time, you have to list the trust anchors for all the zones you want to validate. Right now, there are 4 signed TLDs (SE, BR, PR, BG) and the RIPE in-addr.arpa/ip6.arpa trees are signed. There are also a few other scattered zones that are signed, see http://secspider.cs.ucla.edu/ for a list.

Note that if you do turn on DNSSEC, you're going to have to make sure the trust anchors you configure get updated. Trust anchors have a validity period and if they're not updated before they expire validation will fail (which will appear to users of the resolver pretty much like a DNS failure for all the names in the signed zone). "Be careful out there."

Regards,
-drc
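The post lists three things that all have to be set in BIND before validation does anything (dnssec-enable, dnssec-validation, and a non-empty trusted-keys list). The following is an added example, not part of the thread and not BIND's own code: a small Python audit that reads a named.conf fragment and reports whether those three conditions hold, plus two format sanity checks on each trust anchor (protocol must be 3 and the ZONE flag bit must be set, per the DNSKEY RR definition). Both config fragments are constructed for the example, and the key data in them is a placeholder string, not a real DNSKEY.

```python
import re

# Constructed sample configs for the example (not from the post).
# The quoted key material is a PLACEHOLDER, not a real trust anchor.
WEAK_CONF = """
options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation no;   // validation explicitly off, no anchors below
};
"""

FIXED_CONF = """
options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation yes;
};
trusted-keys {
    "se." 257 3 5 "PLACEHOLDER-KEY-DATA-NOT-A-REAL-DNSKEY==";
    "br." 257 3 5 "PLACEHOLDER-KEY-DATA-NOT-A-REAL-DNSKEY==";
};
"""

# zone, flags, protocol, algorithm, base64 key data
ANCHOR_RE = re.compile(r'"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;')


def _strip_comments(text):
    """Drop C-style, C++-style and shell-style comments (naive: does not
    respect comment markers inside quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(?m)(//|#).*$", "", text)


def _block(text, name):
    """Return the body of the top-level `name { ... };` block, honouring
    nested braces, or None if the block is absent."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{", text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
        i += 1
    return text[m.end():i - 1]


def _option(block, name):
    """Value of a simple `name value;` statement inside a block, lowercased."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s+([\w-]+)\s*;", block)
    return m.group(1).lower() if m else None


def trust_anchors(conf):
    """List of (zone, flags, protocol, algorithm) tuples from trusted-keys."""
    body = _block(_strip_comments(conf), "trusted-keys")
    if body is None:
        return []
    return [(z, int(f), int(p), int(a)) for z, f, p, a, _ in ANCHOR_RE.findall(body)]


def audit(conf):
    """Report whether this named.conf fragment would actually validate.

    Returns {"validating": bool, "anchors": [zones], "issues": [str]}.
    """
    text = _strip_comments(conf)
    opts = _block(text, "options") or ""
    enable = _option(opts, "dnssec-enable")
    validation = _option(opts, "dnssec-validation")
    anchors = trust_anchors(conf)
    issues = []

    if enable != "yes":
        issues.append("dnssec-enable is not 'yes'")
    if validation is None:
        # The thread notes the default flipped to "yes" in 9.5.0-P1; older
        # releases default to off, so an unset value is flagged rather than assumed.
        issues.append("dnssec-validation not set; effective value depends on BIND version")
    elif validation != "yes":
        issues.append("dnssec-validation is not 'yes'")
    if not anchors:
        issues.append("no trusted-keys configured: nothing can be validated")
    for zone, flags, proto, alg in anchors:
        if proto != 3:
            issues.append(f"{zone}: DNSKEY protocol field must be 3, got {proto}")
        if not flags & 256:
            issues.append(f"{zone}: flags {flags} lack the ZONE bit (256)")

    return {"validating": not issues, "anchors": [z for z, *_ in anchors], "issues": issues}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit(conf))
```

The audit is deliberately strict about an unset dnssec-validation: the changelog entry quoted in the thread shows the default changed between releases, so a config that relies on the default silently behaves differently depending on which BIND is installed.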