On Thu, Feb 23, 2012 at 9:00 PM, michoski <micho...@cisco.com> wrote:
> On 2/23/12 8:48 PM, "vinny_abe...@dell.com" <vinny_abe...@dell.com> wrote:
>
>> I kind of had the same thought... If ISC had a DNS outage due to expired
>> signatures of a zone, what chance do I have in successfully deploying and
>> maintaining DNSSEC for my zones? Sure, everyone makes mistakes, but I think it
>> speaks volumes to the inherent complexity and the further need for simplifying
>> the maintenance of signed zones. I know that progress is continually being
>> made on this front and I think others agree... Just pointing it out again. I
>> have nothing against DNSSEC, personally. I'd love to deploy it. I just don't
>> have the time to maintain it or worry about maintaining it right now.
>
> Much agreed, though I want to point out that you should only generally
> deploy DNSSEC (or any new technology?) if the benefit outweighs the cost.
> Adopting new technology "just because" usually leads to trouble (or
> overworked admins that give up and go elsewhere).
>
> What's the potential risk to your organization if the mythical "determined
> attacker" is able to negatively or positively spoof resource records under
> your control? Maybe not much for you, maybe millions for financial orgs.
>
> If the potential cost to the organization is high enough... It will justify
> paying a team of folks to maintain DNSSEC. :-)
>
> That said, I too look forward to a day when security is easier and more
> automatic. Much progress has been made, and I have high hopes and faith in
> ISC and the DNS community at large.
>
> http://www.jnd.org/books.html
FWIW, we have been signing daily and rolling ZSKs every 2 weeks for over a
year with no glitches at all, though we are using a non-BIND solution
(Secure64) to do the signing. Still, it tells me that it is possible and I
suspect that BIND 10 will move closer to that point.

--
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
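The outage the thread is discussing came from RRSIGs that were allowed to expire, and the reply above describes the routine (daily re-signing, periodic ZSK rolls) that avoids it. The missing piece in both messages is the monitoring check that catches a stalled signer before resolvers start returning SERVFAIL. The script below is an added example, not code from this thread, from ISC, or from BIND or Secure64: it parses RRSIG records from a zone dump in standard presentation format (RFC 4034 section 3.2) and classifies each signature as ok, expiring, not yet valid, or expired against a warning window. The zone lines, owner names, key tag and signature blobs are constructed placeholders, and the reference time is the date of the thread.

```python
"""Flag RRSIG records in a signed zone that are expired or about to expire.

Added example, not code from the bind-users thread or from ISC/BIND/Secure64.
The zone dump, names, key tag and signature blobs below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# RRSIG presentation format (RFC 4034 section 3.2):
# owner TTL IN RRSIG type-covered alg labels orig-ttl expiration inception key-tag signer signature
# Assumes the class is written explicitly (as `dig axfr` and named-checkzone -D print it).
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+"
    r"(?P<signer>\S+)\s+(?P<signature>\S+)$"
)

# Constructed sample zone dump; the signature fields are placeholders, not real signatures.
SAMPLE_ZONE = """\
; constructed zone dump for example.test.
example.test.      3600 IN SOA   ns1.example.test. hostmaster.example.test. 2012022301 7200 3600 1209600 3600
example.test.      3600 IN RRSIG SOA 8 2 3600 20120315000000 20120215000000 12345 example.test. PLACEHOLDERSIG1==
www.example.test.  3600 IN A     192.0.2.10
www.example.test.  3600 IN RRSIG A 8 3 3600 20120225120000 20120209120000 12345 example.test. PLACEHOLDERSIG2==
example.test.      3600 IN MX    10 mail.example.test.
example.test.      3600 IN RRSIG MX 8 2 3600 20120220000000 20120204000000 12345 example.test. PLACEHOLDERSIG3==
"""

# Constructed reference time: the evening the thread was posted (UTC assumed).
THREAD_TIME = datetime(2012, 2, 23, 21, 0, tzinfo=timezone.utc)


def parse_rrsig_time(field):
    """RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text):
    """Return one dict per RRSIG line; comments and non-RRSIG records are skipped."""
    sigs = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RRSIG_RE.match(line)
        if not m:
            continue
        sigs.append({
            "owner": m["owner"],
            "covered": m["covered"],
            "keytag": int(m["keytag"]),
            "expiration": parse_rrsig_time(m["expiration"]),
            "inception": parse_rrsig_time(m["inception"]),
        })
    return sigs


def classify(sig, now, warn_window):
    """Validity state of one signature at time `now`.

    A signature whose inception is still in the future is just as unusable to a
    validating resolver as an expired one (typically a signer clock problem).
    """
    if now < sig["inception"]:
        return "not_yet_valid"
    if sig["expiration"] <= now:
        return "expired"
    if sig["expiration"] - now <= warn_window:
        return "expiring"
    return "ok"


def check_zone(zone_text, now, warn_window=timedelta(days=3)):
    """Map 'owner/type-covered' to its status.

    Choose warn_window longer than the re-signing interval (one day in the
    reply above) so a single missed signing run is noticed before anything expires.
    """
    return {f"{s['owner']}/{s['covered']}": classify(s, now, warn_window)
            for s in parse_rrsigs(zone_text)}


def worst_status(report):
    """Collapse a per-record report into one alert level for a monitoring check."""
    severity = ["ok", "expiring", "not_yet_valid", "expired"]
    return max(report.values(), key=severity.index, default="ok")


def example_report():
    """Run the check over the constructed sample at the constructed reference time."""
    return check_zone(SAMPLE_ZONE, THREAD_TIME)


if __name__ == "__main__":
    report = example_report()
    for name, status in sorted(report.items()):
        print(f"{status:14s} {name}")
    print("overall:", worst_status(report))
```

In production the input would be the output of a zone transfer or a zone file dump rather than the embedded sample, and `now` would be the current UTC time; the three states besides `ok` map naturally onto monitoring severities, with `expiring` being the one that still leaves time to re-sign.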