Is DNSSEC ready for wild life?

Today the RIPE DNS for LIRs Training Course took place. (Some out-of-date course material can be found here.)
Having managed some thousands of zones, including the nameserver infrastructure behind them, for several years, I thought it would be neat to provide a secure DNS chain to our customers.
After going deeper into the material within the course, I recognized the following impacts:

  • only bind9 (>= 9.3) and NSD provide support (yet)
  • bandwidth will increase 2-3 times with max. key size
  • increased memory usage depending on your server software
  • operational costs will increase dramatically due to a significantly higher amount of regular work
  • more computing power (hardware) needed to generate DNSSEC-ready zones and for signing
  • unknown influence on resolving nameservers (load/memory/bandwidth)
  • chain of trust ends at the resolving nameserver and is not provided to the end user

Since the last issue isn’t solved (yet), it doesn’t make any sense for me to invest resources into setting up DNSSEC infrastructure, because the end user would not recognize if the communication with the resolving nameserver or the resolving nameserver itself is taken over.

Any complaints and/or hints? Did I miss something?
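
The last point in the list, as an added example that is not part of the original post: a non-validating stub learns the DNSSEC status of an answer only from the AD bit in the DNS header, which no signature covers on the hop between resolver and end user. The function names are made up for this sketch, and the responses are constructed samples using `example.com` and a documentation-range address.

```python
import struct

# Header flag masks: RFC 1035, plus AD (authentic data) from RFC 4035.
QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, txid=0x1234):
    """Stub query for an A record; AD in a query asks the resolver to report AD."""
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def sample_response(name, ad, txid=0x1234):
    """Constructed resolver answer with one A record (192.0.2.1, TTL 300)."""
    flags = QR | RD | RA | (AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # Answer owner name is a compression pointer to the question at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "rcode": flags & 0x000F, "ancount": an}

def stub_view(msg):
    """Everything a non-validating stub learns about an answer's DNSSEC status."""
    h = parse_header(msg)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["ad"] and h["rcode"] == 0:
        return "resolver-claims-validated"
    return "no-validation-claim"

def differing_bytes(a, b):
    """(offset, xor) pairs where two equal-length messages differ."""
    return [(i, a[i] ^ b[i]) for i in range(min(len(a), len(b))) if a[i] != b[i]]

if __name__ == "__main__":
    validated = sample_response("example.com", ad=True)
    plain = sample_response("example.com", ad=False)
    print(stub_view(validated), stub_view(plain))
    print(differing_bytes(validated, plain))
```

The two sample answers differ in one bit of byte 3, so the claim is only as trustworthy as the resolver and the path to it; the end user gets end-to-end assurance only by validating the signatures locally.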

Creative Commons License
The Is DNSSEC ready for wild life? by Cyconet Blog, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Terms and conditions beyond the scope of this license may be available at blog.waja.info.

1 Response to “Is DNSSEC ready for wild life?”


  1. T. Korpela

    Interesting story about DNSSEC and DNS in LWN.net:
    http://lwn.net/Articles/230050/
