On 15/06/11 1:48 PM, "Glen Eustace"
On 06/15/2011 11:44 AM, Craig Whitmore wrote:
I guess the next question is what .nz registrars/ISPs are going to do regarding DNSSEC.
An earlier posting in this thread, by me, got no feedback, so I will raise the issue again. The technology is only one part of the equation. What, if anything, is going to be required of DNS Operators (who may or may not be Registrars) with respect to processes and procedures associated with signing, key management, auditing, etc.?
I presume not any less than the NZRS is doing.
My first experiment with this a few months ago was less than successful. I am using BIND9, and turning on some of the DNSSEC features resulted in some zones no longer being accessible. Why? No idea. Did I do everything right? I thought so, but based on the result, probably not.
Yes, I had the same/similar problem when following the instructions for BIND 9.7. They changed quite a few things in different versions of 9.7, with different options in all these versions. I upgraded to 9.8 and it works fine with only these important extra settings:

    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside auto;

This will use the lookaside (dlv.isc.org) as well as the root servers. So when you do this, looking up a domain with broken DNSSEC (like spam.co.nz is at the moment) gives:

syslog:
    error (broken trust chain) resolving 'www.spam.co.nz/A/IN': 114.23.33.131#53

nslookup www.spam.co.nz
    ** server can't find www.spam.co.nz: SERVFAIL

So people have to be careful in the future (right now) not to break your DNSSEC, or people might not be able to see you.
I too would value any ideas, experiences, how-tos and how-not-tos that others have got. Hopefully getting the DNSSEC infrastructure at the Registrar/DNS Operator level can become almost cook-book. As Joe has pointed out, without validation, signing zones is a bit pointless.
My experience/how-to with PowerDNS and the NZRS stuff is at http://www.geekzone.co.nz/LennonNZ/7692 . I've updated it over time as I work out how things actually work/should work. Thanks, Craig
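The "broken trust chain" SERVFAIL in Craig's message comes from the validating resolver finding no DS record in the parent (co.nz, published via the registrar) that matches a DNSKEY the child zone actually serves. The script below is an added example, not code from this thread, from ISC/BIND, from PowerDNS or from NZRS: it reproduces the DS computation of RFC 4034 (key tag from Appendix B, digest from section 5.1.4) so an operator can check the DS they submit against the DNSKEY they publish, and it walks through the classic way to break a zone (replace the KSK, forget the DS at the registrar) beside the safe double-DS rollover. The zone name example.co.nz, the key bytes and the rollover scenario are all constructed; the "public key" bytes only stand in for real RSA key material.

```python
"""Why a validating resolver answers SERVFAIL for a 'broken trust chain'.

Added example (not from the thread). A validator walks root -> nz -> co.nz
-> zone and, at each delegation, needs a DS in the parent whose key tag,
algorithm and digest match a DNSKEY served by the child (RFC 4034/4035).
"""
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types we support


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 5.1.4."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, dnskey: tuple, digest_type: int = 2) -> tuple:
    """What you hand to the registrar: (key tag, algorithm, digest type, digest)."""
    flags, proto, alg, pub = dnskey
    rdata = dnskey_rdata(flags, proto, alg, pub)
    return (key_tag(rdata), alg, digest_type, ds_digest(owner, rdata, digest_type))


def secure_entry_point(owner: str, parent_ds: list, child_dnskeys: list) -> bool:
    """True if some supported DS in the parent authenticates a zone key in the child."""
    for flags, proto, alg, pub in child_dnskeys:
        if not flags & 0x0100:          # ZONE bit clear: not a zone key, cannot anchor the chain
            continue
        rdata = dnskey_rdata(flags, proto, alg, pub)
        tag = key_tag(rdata)
        for ds_tag, ds_alg, ds_type, digest in parent_ds:
            if ds_type not in DIGEST_ALGS:
                continue
            if (ds_tag, ds_alg) == (tag, alg) and ds_digest(owner, rdata, ds_type) == digest:
                return True
    return False


def resolver_outcome(owner: str, parent_ds: list, child_dnskeys: list) -> str:
    """Mimic what a validating resolver concludes for this delegation."""
    if not parent_ds:
        return "insecure"                # no DS at parent: unsigned delegation, answers still served
    if not any(ds[2] in DIGEST_ALGS for ds in parent_ds):
        return "insecure"                # only unsupported digest types: treat as unsigned (RFC 4035 5.2)
    if secure_entry_point(owner, parent_ds, child_dnskeys):
        return "secure"                  # chain links; answers carry the AD bit
    return "SERVFAIL (broken trust chain)"


# Constructed keys: flags 257 = ZONE + SEP (a KSK), 256 = ZONE only (a ZSK).
ZONE = "example.co.nz"
KSK_OLD = (257, 3, 8, bytes(range(1, 65)))
KSK_NEW = (257, 3, 8, bytes(range(65, 129)))
ZSK = (256, 3, 8, bytes(range(200, 240)))

# Day 1: DS generated from the old KSK and published in co.nz by the registrar.
PARENT_DS = [make_ds(ZONE, KSK_OLD)]


def day1() -> str:
    return resolver_outcome(ZONE, PARENT_DS, [KSK_OLD, ZSK])


def bad_rollover() -> str:
    """Operator swaps the KSK but leaves the old DS at the parent: SERVFAIL for everyone."""
    return resolver_outcome(ZONE, PARENT_DS, [KSK_NEW, ZSK])


def good_rollover() -> str:
    """Double-DS rollover: publish the new DS alongside the old one, then retire the old key."""
    both_ds = PARENT_DS + [make_ds(ZONE, KSK_NEW)]
    return resolver_outcome(ZONE, both_ds, [KSK_NEW, ZSK])


if __name__ == "__main__":
    tag, alg, dtype, digest = PARENT_DS[0]
    print(f"{ZONE}. IN DS {tag} {alg} {dtype} {digest.hex().upper()}")
    print("day 1:        ", day1())
    print("bad rollover: ", bad_rollover())
    print("good rollover:", good_rollover())
```

Running it prints the DS presentation line an operator would submit, then the three outcomes. The practical check this encodes: before you remove or replace a KSK, confirm that the DS set the parent currently serves still matches a key you serve, and only retire the old key after the new DS has been published and the parent's TTL has passed; a validating resolver like the BIND setup quoted earlier will otherwise answer SERVFAIL for the whole zone.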