On 10/3/2011 11:45 PM, Stephane Bortzmeyer wrote:
Experience of DNSSEC deployment (see my paper at SATIN <http://conferences.npl.co.uk/satin/papers/satin2011-Bortzmeyer.pdf>) shows that custom programs have many timing bugs. Many things can go wrong. Why not use an existing program such as OpenDNSSEC?
From a quick read of your paper, I see you discovered many rollover timing issues in the wild, but it doesn't look like those are correlated with any particular tool. Other than knowing a given domain had an issue, you have no idea what caused it, or what tool they may have been using, and it is only an assumption that the issue arose from a custom program... They could well have been using some existing programs such as OpenDNSSEC, which presumably aren't guaranteed bug-free :).
We initially implemented this over a year ago, but were delayed in deployment when it turned out our ISP (who provides secondary services) was running an ancient version of BIND that didn't do DNSSEC 8-/. I didn't find any good solutions available at the time.
Taking a look at OpenDNSSEC, I don't think I'd use it even if we were starting today; it is way over-engineered for our requirements. I'm not a big fan of XML configuration files, and I don't particularly want a signing daemon running 24x7. The current capability of BIND to automatically select which keys to use based on their timing data, with a minimal wrapper around it, provides more than enough functionality to manage our relatively simple zones.
DNSSEC is fairly complicated, and the issue of timing can be complex, but once the variables are determined, then the actual procedures of implementation are pretty simple. Generate keys with appropriate publication, activation, inactivation, and deletion timings, and then use them ;). My hope from my initial posting was to get a little peer review of the appropriateness of the timings I've selected...
--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | hen...@csupomona.edu
California State Polytechnic University | Pomona CA 91768
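The "peer review of timings" the reply asks for can be partly mechanised. The following is an added example (not code from the thread or from BIND) that derives pre-publish ZSK rollover times from constructed zone parameters, checks a key and its successor for the classic timing bugs (activating before the DNSKEY has propagated, a gap with no active ZSK, deleting a key while its RRSIGs are still cached), and emits the -P/-A/-I/-D arguments that dnssec-keygen and dnssec-settime accept; the TTLs, propagation delay, lifetime and 2011-11-01 date are assumptions.

```python
"""Pre-publish ZSK rollover timeline checker for BIND's key timing metadata."""
from datetime import datetime, timedelta, timezone

# Constructed zone parameters (assumptions for this example, not from the thread).
TTL_DNSKEY = timedelta(hours=1)     # TTL of the zone's DNSKEY RRset
TTL_MAX = timedelta(days=1)         # largest TTL of any signed RRset in the zone
PROPAGATION = timedelta(hours=2)    # time for every secondary to load a new zone
LIFETIME = timedelta(days=90)       # how long each ZSK actively signs

BIND_FMT = "%Y%m%d%H%M%S"           # UTC timestamp format used by -P/-A/-I/-D


def zsk_timeline(activate):
    """Publish/activate/inactivate/delete times for one ZSK (pre-publish method)."""
    return {
        "publish": activate - (TTL_DNSKEY + PROPAGATION),  # DNSKEY cached everywhere first
        "activate": activate,
        "inactivate": activate + LIFETIME,
        # signatures made by this key must age out of caches before it disappears
        "delete": activate + LIFETIME + TTL_MAX + PROPAGATION,
    }


def successor(old):
    """Next ZSK: it takes over signing at the moment the old one stops."""
    return zsk_timeline(old["inactivate"])


def check_rollover(old, new):
    """Return a list of timing problems; an empty list means the pair is consistent."""
    problems = []
    if new["activate"] - new["publish"] < TTL_DNSKEY + PROPAGATION:
        problems.append("new key activates before its DNSKEY can be in all caches")
    if new["activate"] > old["inactivate"]:
        problems.append("gap with no active ZSK between old inactivate and new activate")
    if old["delete"] - old["inactivate"] < TTL_MAX + PROPAGATION:
        problems.append("old key deleted while its RRSIGs may still be cached")
    return problems


def keygen_args(timeline):
    """The -P/-A/-I/-D arguments for dnssec-keygen (or dnssec-settime) for this key."""
    return " ".join(f"-{flag} {timeline[name].strftime(BIND_FMT)}"
                    for flag, name in (("P", "publish"), ("A", "activate"),
                                       ("I", "inactivate"), ("D", "delete")))


def example_pair():
    """One ZSK activated 2011-11-01 00:00 UTC (constructed date) and its successor."""
    first = zsk_timeline(datetime(2011, 11, 1, tzinfo=timezone.utc))
    return first, successor(first)


if __name__ == "__main__":
    first, nxt = example_pair()
    print("dnssec-keygen -a RSASHA256 -b 1024", keygen_args(nxt), "example.com")
    print("problems:", check_rollover(first, nxt) or "none")
```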