It seems that people are reluctant to do DNSSEC until there is a huge rollout across the world and the root zone is signed. Well guess what? It won't happen that way. It's going to happen in baby steps, one piece at a time. Eventually critical mass will be achieved. I'd like to predict how that rollout will occur over the next several blogs I publish. In the meantime, a little background:
It turns out that DNSSEC is a lot like CB or ham radio. You have a transmitter, you have receivers. In the case of DNSSEC, you have authoritative DNS servers that sign their data (the transmitters), and caching servers that validate the signatures upon reception (the receivers).
There has been a lot of news lately about ramping up the number of transmitters. The signing of .GOV and .ORG are noteworthy. The secspider at UCLA shows the number of signed zones climbing (http://secspider.cs.ucla.edu/).
But what about the receivers? Some large organizations like Comcast have set up trial sites (http://www.dnssec.comcast.net/), but I think we're missing a huge opportunity here. The average DNS administrator probably doesn't know jack about setting up DNSSEC.
Can we fix this? Are the DNS servers out there at least sort-of-possibly "ready" to do DNSSEC? The answer is YES. Although this article at networkworld (http://www.networkworld.com/news/2008/111008-dns-server-kaminsky.html?hpg1=bn) writes about how many servers HAVEN'T been patched for the Kaminsky exploit, it's easy to turn it around to see that a huge number of servers have upgraded their DNS. This means there are LOTS of DNS servers out there that are at least capable of doing DNSSEC -- the "receiver" side of the equation.
Now we need to make it "falling off a log easy" for Joe Administrator to actually turn DNSSEC on and set up a safe set of Trust Anchors. If we do that, we complete the circuit. We have transmitters AND receivers. BREAKER BREAKER! (ok, I never did own a CB radio, and I'm lousy at faking the lingo, but what the heck...)
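One concrete shape of the "receiver" setup described above, as an added example that is not from the original post: a BIND 9 named.conf fragment that turns validation on and pins a trust anchor for a hypothetical signed zone (the zone name "example." and the key string are placeholders, not real values).

```conf
// Added example, not from the original post: a BIND 9 named.conf
// fragment that turns a caching resolver into a DNSSEC "receiver".
// "example." and its key are placeholders, not a real signed zone.

options {
    recursion yes;

    // Weak default on many installs of this era: validation off.
    // Signed answers (RRSIG records) pass through, but nothing
    // checks them, so the resolver is a receiver with the volume down.
    // dnssec-enable no;
    // dnssec-validation no;

    // Receiver side: accept DNSSEC records (sets the DO bit on
    // outgoing queries) and actually validate the chain of trust.
    dnssec-enable yes;
    dnssec-validation yes;
};

// Trust anchors: the public KSKs that validation is anchored to.
// With the root unsigned, each signed island (here "example.")
// needs its own entry. Fields: zone, flags (257 = KSK),
// protocol (always 3), algorithm (5 = RSASHA1), base64 key.
trusted-keys {
    "example." 257 3 5 "BASE64-DNSKEY-PLACEHOLDER-REPLACE-ME";
};

// Check: dig +dnssec @127.0.0.1 example. SOA should show "ad"
// in the flags line once the answer validates against the anchor.
```

A stale anchor fails closed: once example. rolls its KSK, every name under it returns SERVFAIL from this resolver until the entry is updated, so trust anchors need the same operational care as patches.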
Next blog: ideas on how to get Joe Administrator to actually turn DNSSEC on at sites around the world.