Since I read that the root is supposed to be signed by the end of the year, I am just trying to understand DNSSEC support and the various versions of BIND a little better here, so please don't throw too many rocks if I ask something stupid...
I run the nameservers for an ISP.

For the recursive servers, what are the hazards in enabling DNSSEC (once the root is signed, so no DLV necessary I guess)? I know the things that generally break with "regular" DNS, but I don't know that with DNSSEC (I know there have been DLV troubles but that's it). Currently, my servers run BIND 9.3.4-10.P1 (as patched by Red Hat in RHEL; we typically stick with their security-patched version, since that's what we pay them for). What does that mean with .ORG for example, where NSEC3 is used? Would we just not see NXDOMAIN responses as validated (and what happens to unvalidated responses)? I've put in a request to Red Hat to update to a version that supports NSEC3, but I don't know what their response will be yet.

For our authoritative servers, we'll need to set up a system to sign the zones. Is it expected that ISPs will sign every zone they serve, or just the domains we consider "important"? What kind of problems might be expected here?

In both cases, what kind of CPU and/or RAM overhead will large-scale use of DNSSEC add?

-- 
Chris Adams <cmad...@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
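An added example for the NSEC3 question in the post above (editor's code, not the poster's and not part of BIND). The point it illustrates: to validate an NXDOMAIN from an NSEC3-signed zone such as .ORG, a resolver has to hash the query name with the zone's salt and iteration count (RFC 5155) and then find an NSEC3 record whose hashed-owner / next-hashed-owner interval covers that hash. A validator that predates NSEC3 cannot do this; RFC 5155 deliberately assigned the DNSKEY algorithm aliases 6 and 7 to NSEC3-signed zones so that such a validator treats the zone as insecure (answers pass through unvalidated, without the AD bit) rather than as bogus. The zone names, salt and iteration count in the block are constructed for the demonstration; the one fixed check is the RFC 5155 Appendix A vector for the apex name "example" with salt aabbccdd and 12 iterations.

```python
"""NSEC3 hashed-owner computation and covering check, per RFC 5155.

Editor's example; constructed zone data, not taken from any real .ORG zone.
"""
import base64
import hashlib

# base64.b32encode emits the RFC 4648 base32 alphabet; NSEC3 uses base32hex.
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_STD_TO_HEX = str.maketrans(_B32_STD, _B32_HEX)


def wire_name(name: str) -> bytes:
    """Canonical (lowercased) wire-format owner name: length-prefixed labels, root last."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(name: str, salt_hex: str = "-", iterations: int = 0) -> str:
    """Hashed owner name (RFC 5155 s. 5): SHA-1 over wire name + salt, then
    `iterations` further rounds of SHA-1 over digest + salt; base32hex, lowercase."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> exactly 32 base32 characters, so no padding to strip.
    return base64.b32encode(digest).decode("ascii").translate(_STD_TO_HEX).lower()


def nsec3_covers(owner_hash: str, next_hash: str, qhash: str) -> bool:
    """True if an NSEC3 RR with this owner / next-hashed-owner pair proves that
    nothing in the zone hashes to qhash.  The chain is circular, so the record
    whose owner sorts after its 'next' field is the wrap-around interval."""
    owner_hash, next_hash, qhash = (s.lower() for s in (owner_hash, next_hash, qhash))
    if owner_hash < next_hash:
        return owner_hash < qhash < next_hash
    return qhash > owner_hash or qhash < next_hash


def build_chain(zone_names, salt_hex, iterations):
    """Hash every existing owner name and link the hashes into a sorted circular
    NSEC3 chain, as a signer would: list of (owner_hash, next_hash, name)."""
    hashed = sorted((nsec3_hash(n, salt_hex, iterations), n) for n in zone_names)
    return [(h, hashed[(i + 1) % len(hashed)][0], n) for i, (h, n) in enumerate(hashed)]


def deny_name(chain, qname, salt_hex, iterations):
    """Resolver side of the covering step.  Returns ("exists", name) if some
    owner hashes to qname's hash, otherwise ("covered", record) with the NSEC3
    record that proves the name is absent.  A full NXDOMAIN proof (RFC 5155
    s. 8.4) also needs the closest-encloser and wildcard records; only the
    covering step is shown here."""
    q = nsec3_hash(qname, salt_hex, iterations)
    for owner, nxt, name in chain:
        if owner == q:
            return ("exists", name)
    for record in chain:
        if nsec3_covers(record[0], record[1], q):
            return ("covered", record)
    raise ValueError("chain is not a well-formed circular NSEC3 chain")


if __name__ == "__main__":
    SALT, ITER = "aabbccdd", 12          # constructed NSEC3PARAM values
    zone = ["example.org", "www.example.org", "mail.example.org"]  # constructed zone
    chain = build_chain(zone, SALT, ITER)
    for owner, nxt, name in chain:
        print("%s.example.org. NSEC3 1 0 %d %s %s   ; %s" % (owner, ITER, SALT, nxt, name))
    print(deny_name(chain, "www.example.org", SALT, ITER))
    print(deny_name(chain, "nonexistent.example.org", SALT, ITER))
```

The iteration loop is also where the CPU cost the post asks about shows up on the validating side: every negative answer from an NSEC3 zone costs the resolver (iterations + 1) SHA-1 computations per name it has to hash, chosen by the zone owner, not by the resolver.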