On 2011-06-14, at 19:44, Craig Whitmore wrote:
> What are people going to run as authoritative servers for DNSSEC? BIND? PowerDNS? OpenDNSSEC? Windows? Other Commercial Program?
I've had some success with BIND9 and NSD serving signed zones. The root servers use a mixture of BIND9 and NSD, for example, as does (I believe) the DNS infrastructure for .ORG. OpenDNSSEC is a signer, not a nameserver: it produces zones which you then need an authority-only nameserver to serve. I haven't been paying attention to PowerDNS, but I know Bert had mentioned working on DNSSEC support. (Oh look, top hit on Google ?q=powerdns+dnssec, http://wiki.powerdns.com/trac/wiki/PDNSSEC). No idea about Windows. In the interests of fairness, you should bing that yourself.
> Are ISPs going to turn on DNSSEC/Validation on their own Recursive Name Servers as well?
Several large ISP and University networks in the world have done so. DNSSEC is ultimately a tool to protect the cache from poisoning attacks, so turning on DNSSEC validation on those servers does make a certain amount of sense. At the end of the day, if nobody validates responses then signing is a bit of a waste of time. I might mention that validation at this (relatively) early period of DNSSEC adoption is going to probably involve giving more attention to the recursive server than you are used to, and more than we might hope will be required in the future as authority-server operators gain more operational experience with signed zones.
> Lots of other questions but if any other Registrars/ISPs want to discuss regarding what they are going I will listen.
Joe