michoski <micho...@cisco.com> wrote:
>
> It's basically a risk analysis game. You should be able to think through
> common use cases for your service, and identify places where DNSSEC would
> add value. Your business values validity of its DNS data, or not.

Apart from protecting the DNS itself, there aren't yet many applications that make use of DNSSEC. The ones I know of are ssh (SSHFP records to avoid leap-of-faith authentication) and Google Chrome 14+. And hopefully before too long the IETF DANE working group will finish their specification for anchoring TLS certificates in the DNS.

But DNSSEC deployment with BIND is getting simpler. It's pretty much a no-brainer to enable validation on your recursive servers. It isn't actually that hard to sign authoritative zones, especially if your tooling is already based on dynamic DNS updates.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Southwest Forties, Cromarty, Forth, Tyne, Dogger: Southeasterly veering southerly or southwesterly, 5 to 7, perhaps gale 8 later in Cromarty, decreasing 4 or 5. Moderate or rough. Rain or showers. Good, occasionally poor.
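
The SSHFP use case mentioned in the message, as an added example that is not part of the original post and is not OpenSSH or BIND code: it derives SSHFP record data from a host public key and only lets a match replace leap-of-faith authentication when the DNS answer was DNSSEC-validated. The function names, the three result labels and the sample key are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

# SSHFP key algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def make_sample_key(raw32):
    """Build a constructed ssh-ed25519 public key line (sample data, not a real host)."""
    parts = (b"ssh-ed25519", raw32)
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


def sshfp_rdata(pubkey_line, fp_type=2):
    """Return (algorithm, fp_type, hex fingerprint) for an OpenSSH public key line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with a length-prefixed key type; it must match the label.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type label does not match key blob")
    # The fingerprint is the hash of the whole public key blob.
    return KEY_ALGS[key_type], fp_type, FP_HASHES[fp_type](blob).hexdigest()


def check_host_key(pubkey_line, sshfp_rrset, dnssec_validated):
    """Classify a presented host key as 'verified', 'mismatch' or 'leap-of-faith'."""
    # Unsigned or missing SSHFP data proves nothing: an on-path attacker could
    # forge it, so the client is back to trust-on-first-use.
    if not sshfp_rrset or not dnssec_validated:
        return "leap-of-faith"
    comparable = False
    for alg, fp_type, fp_hex in sshfp_rrset:
        if fp_type not in FP_HASHES:
            continue  # unknown fingerprint type, cannot compare
        got_alg, _, got_fp = sshfp_rdata(pubkey_line, fp_type)
        if alg != got_alg:
            continue  # record is for a different key algorithm
        comparable = True
        if got_fp == fp_hex.lower():
            return "verified"
    # Policy choice of this example: no record for this key type means no evidence.
    return "mismatch" if comparable else "leap-of-faith"
```
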