On Fri, Jan 31, 2014 at 05:00:44PM +0100, Johannes Bauer wrote:

> > Then, start planning to deploy DNSSEC for your domains. With care,
> > since one must not neglect to automate periodic re-signing of zone
> > files either daily or weekly, but in any case often enough to avoid
> > RRSIG expiration.
>
> Phew, that's a big one. I'm pretty much clueless on how DNSSEC works at
> all and already found configuring bind9/DNS relatively complicated to
> set up (admittedly with a non-trivial setup, but anyways). Why does DNS
> always have to be such a bitch to debug? Really frustrating. Oh well.
1. Use appropriate tools to generate a DNS key signing key and zone key and automate periodic re-signing of your zone file via the ZSK. The passphrase for the KSK should be kept offline, while the ZSK is used for unattended re-signing of the zone file.

2. Configure some machine with explicit trust anchor keys for your now signed zone, and run tests for some weeks to make sure that DNS lookups for the signed zone work consistently.

3. In the meantime get familiar with the tools and concepts. Basically you have signatures on all your DNS records and the signatures have relatively short (a few hours to a few days) expiration times. If you automate and monitor signing, so that nobody ever sees expired signatures, you're fine. Otherwise, your domain's data is "bogus" and you have an outage.

4. Once you've had it working for a while and feel confident that you can go live, work with your domain registrar (or find a new one) to publish your domains' DS records in the parent domain.

5. Registrar lock your domain. Don't want some other compromised registrar changing or removing your DNSSEC DS records.

This will take a while, but you have plenty of time. Don't rush it, do it well. DNSSEC adoption is happening slowly so far; if you have it done by 2015, you'll probably still be an "early adopter".

Once (soon I hope) the SMTP DANE draft specification is adopted as a standards track RFC, I am hoping that DANE for SMTP will be implemented by more MTAs and will motivate more people to adopt DNSSEC. Perhaps Exim first, the Exim developers want to do it, but have been starved for developer cycles. If anyone on this list can help nudge another implementation along, that would be great.

If you're a customer of one of the border email security appliance vendors (IronPort, Barracuda, ...) ask them about DANE support. If your email is hosted by a major provider, nudge them along, ...

-- 
Viktor.
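As an added example of the "monitor signing" part of step 3 (not code from Viktor's message or from any MTA project), the script below parses RRSIG records from a constructed zone-file snippet and classifies each signature as ok, expiring soon, or already outside its validity window (what a validator would treat as bogus). The zone name, key tag, timestamps and signature data are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: three RRSIG records in RFC 4034 presentation format
# (type covered, algorithm, labels, original TTL, expiration, inception,
# key tag, signer, signature). The signature field is a placeholder.
SAMPLE_ZONE = """\
example.net. 3600 IN RRSIG A 8 2 3600 20140215000000 20140201000000 12345 example.net. AAAA==
example.net. 3600 IN RRSIG MX 8 2 3600 20140201120000 20140125120000 12345 example.net. AAAA==
example.net. 3600 IN RRSIG SOA 8 2 3600 20140131180000 20140124180000 12345 example.net. AAAA==
"""

# Fixed reference time so the check is reproducible offline (constructed).
REFERENCE_NOW = datetime(2014, 2, 1, 0, 0, 0, tzinfo=timezone.utc)

def parse_rrsig_times(line):
    """Return (owner, type_covered, inception, expiration) for one RRSIG line,
    or None for any other record. RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        return None
    fmt = "%Y%m%d%H%M%S"
    expiration = datetime.strptime(f[8], fmt).replace(tzinfo=timezone.utc)
    inception = datetime.strptime(f[9], fmt).replace(tzinfo=timezone.utc)
    return f[0], f[4], inception, expiration

def check_rrsigs(zone_text, now, warn_before=timedelta(hours=24)):
    """Classify every RRSIG in zone_text relative to `now`.
    Returns a list of (owner, type_covered, status, seconds_until_expiry):
    'ok', 'expiring' (expires within warn_before), or 'bogus' (outside window)."""
    results = []
    for line in zone_text.splitlines():
        parsed = parse_rrsig_times(line)
        if parsed is None:
            continue
        owner, rtype, inception, expiration = parsed
        remaining = int((expiration - now).total_seconds())
        if not (inception <= now < expiration):
            status = "bogus"      # validators reject the data: outage
        elif expiration - now <= warn_before:
            status = "expiring"   # re-sign now, before anyone sees a failure
        else:
            status = "ok"
        results.append((owner, rtype, status, remaining))
    return results

if __name__ == "__main__":
    for r in check_rrsigs(SAMPLE_ZONE, REFERENCE_NOW):
        print(r)
```

Run against a real signed zone file with `now=datetime.now(timezone.utc)` and a warn window larger than your re-signing interval, so a stalled signing job is noticed while the old signatures are still valid.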