US government mandates use of DNSSEC by federal agencies
David Conrad
drc at virtualized.org
Wed Aug 27 17:14:48 UTC 2008
On Aug 27, 2008, at 9:33 AM, Jared Mauch wrote:
>> So the question I have is... will operators (ISP, etc) turn on DNSsec
>> checking?
Some ISPs already do (I believe Telia-Sonera in SE is one).
>> Or a more basic question of whether you even _could_ turn on
>> checking if you were so inclined?
You can turn on DNSSEC if you are running BIND 9, Unbound, or Nominum
CNS as a caching server. If you are running DJB's dnscache, PowerDNS,
or using OpenDNS's service, you don't have the option. If you're
running BIND 8 or BIND 4, kill yourself now.
> I know that we made sure it was turned on as part of our
> patch process for our customer facing resolvers. IIRC the default
> may have changed in bind as well if you actually read the changelog.
>
> 2405. [cleanup] The default value for dnssec-validation was changed to
> "yes" in 9.5.0-P1 and all subsequent releases; this was inadvertently
> omitted from CHANGES at the time.
In BIND, there appear to be 3 things that have to be configured for
DNSSEC to do anything useful:
options { dnssec-enable yes; dnssec-validation yes; };
and
trusted-keys { <the trust anchors for zones you want to validate>; };
If all of these aren't set correctly, DNSSEC might as well be off.
I'm told, however, that BIND (since version 9.1) and Unbound default
to always sending the "DNSSEC OK" bit on so if the zone you're talking
to is signed, DNSSEC cruft will be returned regardless of whether your
caching server is configured to do anything with it.
In some future and/or alternate universe, all you'll need is a single
trust anchor for the root after it gets signed. Until that time, you
have to list the trust anchors for all the zones you want to
validate. Right now, there are 4 signed TLDs (SE, BR, PR, BG) and the
RIPE in-addr.arpa/ip6.arpa trees are signed. There are also a few
other scattered zones that are signed, see http://secspider.cs.ucla.edu/
for a list.
Note that if you do turn on DNSSEC, you're going to have to make sure
the trust anchors you configure get updated. Trust anchors have a
validity period and if they're not updated before they expire
validation will fail (which will appear to users of the resolver
pretty much like a DNS failure for all the names in the signed zone).
"Be careful out there."
Regards,
-drc
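Added example (mine, not part of David Conrad's message or the thread) showing what the "DNSSEC OK" bit mentioned above actually is on the wire: a query builder that appends an EDNS0 OPT record with DO set, and an inspector that reports DO alongside the AD (Authenticated Data) and CD (Checking Disabled) header flags. AD in a response is what a validating resolver sets; a DO bit in the query by itself only asks for the DNSSEC records to be returned. The query name is constructed.

```python
import struct

# EDNS0 OPT RR (type 41); DO = high bit of its 16-bit flags field (RFC 4035).
OPT_TYPE = 41
DO_BIT = 0x8000
AD_FLAG = 0x0020   # header flag: Authenticated Data (set by a validating resolver)
CD_FLAG = 0x0010   # header flag: Checking Disabled (client asks resolver not to validate)

def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, do=True, txid=0x1234, udp_size=4096):
    """Build a recursive query; with do=True append an OPT RR with the DO bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if do else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if do:
        # OPT RR: root name, TYPE, CLASS=UDP payload size, TTL=ext-rcode|version|flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, udp_size, 0, 0, DO_BIT, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def inspect(msg):
    """Report the DNSSEC-relevant bits of a DNS message: DO (EDNS), AD and CD (header)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):              # walk all RRs looking for OPT
        off = skip_name(msg, off)
        rrtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rrtype == OPT_TYPE:
            do = bool(ttl & DO_BIT)
        off += 10 + rdlen
    return {"do": do, "ad": bool(flags & AD_FLAG), "cd": bool(flags & CD_FLAG)}
```

Running `inspect(build_query("www.example.se.", qtype=48))` reports DO set and AD clear, which is exactly the state of a resolver that sends DO but has no trust anchor configured for the zone.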