Getting ready for DNSSEC – One small step

DNSSEC is going to be a major PITA. So far it’s sufficiently painful to have almost no deployment. I’m reasonably confident that either someone will have an incredibly great idea for an easy-to-deploy alternative or any of us who have anything to do with DNS are going to have to suck up the pain and learn to love it.
Most of you have probably already heard about the Kaminsky DNS cache poisoning attack. I had my own little part in cleaning up the mess. What I suspect fewer people know is that the ‘fix’ was not a fix in the true sense of the word at all. What the fix did was push the statistics away from a successful attack. I’ve read reports of successful attacks on patched systems, but I really have no way of knowing how accurate they are.
Some people claim the attack was over-hyped, but I’m not one of them. I think DNS had a near-death experience that it can never fully recover from. I have no idea what the next attack will be, but I’m pretty sure it’s coming.
Doing my little bit to make the world a better place, I noticed that the latest major release of DKIM Milter included support for DNSSEC if the package was built with the Unbound DNS resolver. I’ve uploaded this change to Jaunty.
Additionally, I updated Unbound to the current release and configured it to be in a chroot (upstream default). So if you’re interested in DKIM or other email authentication technologies, here’s your shot to also play with DNSSEC and get a bit ahead of the power curve.

