US government mandates? use of DNSSEC by federal agencies

David Conrad drc at virtualized.org
Wed Aug 27 12:14:48 CDT 2008


On Aug 27, 2008, at 9:33 AM, Jared Mauch wrote:
>> So the question I have is... will operators (ISP, etc) turn on DNSsec
>> checking?

Some ISPs already do (I believe Telia-Sonera in SE in one).

>> Or a more basic question of whether you even _could_ turn on
>> checking if you were so inclined?

You can turn on DNSSEC if you are running BIND 9, Unbound, or Nominum  
CNS as a caching server.  If you are running DJB's dnscache, PowerDNS,  
or using OpenDNS's service, you don't have the option.  If you're  
running BIND 8 or BIND 4, kill yourself now.

> 	I know that we made sure it was turned on as part of our
> patch process for our customer facing resolvers.  IIRC the default
> may have changed in bind as well if you actually read the changelog.
>
> 2405.   [cleanup]       The default value for dnssec-validation was  
> changed to
> 			"yes" in 9.5.0-P1 and all subsequent releases; this
> 			was inadvertently omitted from CHANGES at the time.

In BIND, there appear to be 3 things that have to be configured for  
DNSSEC to do anything useful:

options { dnssec-enable yes; dnssec-validation yes; };

and

trusted-keys { <the trust anchors for zones you want to validate>; };

If all of these aren't set correctly, DNSSEC might as well be off.   
I'm told, however, that BIND (since version 9.1) and Unbound default  
to always sending the "DNSSEC OK" bit on so if the zone you're talking  
to is signed, DNSSEC cruft will be returned regardless of whether your  
caching server is configured to do anything with it.

In some future and/or alternate universe, all you'll need is a single  
trust anchor for the root after it gets signed.  Until that time, you  
have to list the trust anchors for all the zones you want to  
validate.  Right now, there are 4 signed TLDs (SE, BR, PR, BG) and the  
RIPE in-addr.arpa/ip6.arpa trees are signed.  There are also a few  
other scattered zones that are signed, see http:// 
secspider.cs.ucla.edu/ for a list.

Note that if you do turn on DNSSEC, you're going to have to make sure  
the trust anchors you configure get updated.  Trust anchors have a  
validity period and if they're not updated before they expire  
validation will fail (which will appear to users of the resolver  
pretty much like a DNS failure for all the names in the signed zone).   
"Be careful out there."

Regards,
-drc




More information about the NANOG mailing list