US government mandates? use of DNSSEC by federal agencies

Date: Tue, 26 Aug 2008 16:53:24 -0400
From: "Bill Bogstad" <bogstad@pobox.com>

Not sure what this will actually mean in the long run, but it's at
least worth noting.

http://www.gcn.com/online/vol1_no1/46987-1.html
http://www.whitehouse.gov/omb/memoranda/fy2008/m08-23.pdf

It will mean something in the medium term as '.gov' and '.org' will be
signed very soon and OMB might be able to even get the root
signed. (Since OMB can pull funding, no one argues with them much.)
All of this will increase pressure on Verisign to deal with '.com' and
'.net'.

Note that this only has an impact on '.gov' and the zones immediately
below it, but I suspect most sub-domains of *.gov will be signed as a
result of this, even if it is not required.

Kevin Oberman wrote:

So the question I have is... will operators (ISPs, etc.) turn on DNSSEC
checking? Or, a more basic question: _could_ you even turn on
checking if you were so inclined?

    Mike

I know that we made sure it was turned on as part of our
patch process for our customer facing resolvers. IIRC the default
may have changed in bind as well if you actually read the changelog.

2405. [cleanup] The default value for dnssec-validation was changed to
      "yes" in 9.5.0-P1 and all subsequent releases; this
      was inadvertently omitted from CHANGES at the time.

  - Jared

So the question I have is... will operators (ISPs, etc.) turn on DNSSEC
checking?

Some ISPs already do (I believe Telia-Sonera in SE is one).

Or, a more basic question: _could_ you even turn on
checking if you were so inclined?

You can turn on DNSSEC if you are running BIND 9, Unbound, or Nominum CNS as a caching server. If you are running DJB's dnscache, PowerDNS, or using OpenDNS's service, you don't have the option. If you're running BIND 8 or BIND 4, kill yourself now.

  I know that we made sure it was turned on as part of our
patch process for our customer facing resolvers. IIRC the default
may have changed in bind as well if you actually read the changelog.

2405. [cleanup] The default value for dnssec-validation was changed to
      "yes" in 9.5.0-P1 and all subsequent releases; this
      was inadvertently omitted from CHANGES at the time.

In BIND, there appear to be 3 things that have to be configured for DNSSEC to do anything useful:

options { dnssec-enable yes; dnssec-validation yes; };

and

trusted-keys { <the trust anchors for zones you want to validate>; };

If all of these aren't set correctly, DNSSEC might as well be off. I'm told, however, that BIND (since version 9.1) and Unbound default to always sending the "DNSSEC OK" bit, so if the zone you're talking to is signed, DNSSEC cruft will be returned regardless of whether your caching server is configured to do anything with it.

In some future and/or alternate universe, all you'll need is a single trust anchor for the root after it gets signed. Until that time, you have to list the trust anchors for all the zones you want to validate. Right now, there are 4 signed TLDs (SE, BR, PR, BG) and the RIPE in-addr.arpa/ip6.arpa trees are signed. There are also a few other scattered zones that are signed, see http://secspider.cs.ucla.edu/ for a list.

Note that if you do turn on DNSSEC, you're going to have to make sure the trust anchors you configure get updated. Trust anchors have a validity period and if they're not updated before they expire validation will fail (which will appear to users of the resolver pretty much like a DNS failure for all the names in the signed zone). "Be careful out there."

Regards,
-drc
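As an added example (not from the thread or from BIND itself), a small Python helper that parses a BIND trusted-keys statement like the one above, derives the RFC 4034 key tag from the DNSKEY RDATA and the SHA-256 DS digest (RFC 4509), so an operator can confirm that a configured anchor is the key the zone's parent (or the zone operator, out of band) actually publishes before relying on it. The zone name and key material are constructed, not real.

```python
import base64
import hashlib
import re

# Constructed sample: one BIND trusted-keys entry with a 4-byte fake "key".
SAMPLE_TRUSTED_KEYS = '''
trusted-keys {
    "example.gov." 257 3 8 "AQIDBA==";
};
'''

# One entry: "zone." flags protocol algorithm "base64 key data";
_ENTRY = re.compile(r'"?([^\s"]+)"?\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;')

def parse_trusted_keys(text):
    """Return (owner, flags, protocol, algorithm, key_bytes) for each entry."""
    anchors = []
    for owner, flags, proto, alg, key_b64 in _ENTRY.findall(text):
        key = base64.b64decode("".join(key_b64.split()))  # key may span lines
        anchors.append((owner, int(flags), int(proto), int(alg), key))
    return anchors

def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (the algorithm-1 special case is omitted)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def canonical_name(owner):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_sha256(owner, rdata):
    """DS digest type 2 (RFC 4509): SHA-256(canonical owner || DNSKEY RDATA)."""
    return hashlib.sha256(canonical_name(owner) + rdata).hexdigest().upper()

def anchor_matches_ds(owner, flags, proto, alg, key, ds_tag, ds_alg, ds_digest):
    """True when the configured anchor is the key a DS record points at."""
    rdata = dnskey_rdata(flags, proto, alg, key)
    return (key_tag(rdata) == ds_tag and alg == ds_alg
            and ds_sha256(owner, rdata) == ds_digest.upper())
```

Run against a real named.conf, compare the computed tag and digest with the DS record obtained from the parent zone; a mismatch means the anchor is stale and validation for that zone will fail exactly as described above.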

In a message written on Wed, Aug 27, 2008 at 10:14:48AM -0700, David Conrad wrote:

Note that if you do turn on DNSSEC, you're going to have to make sure
the trust anchors you configure get updated. Trust anchors have a
validity period and if they're not updated before they expire
validation will fail (which will appear to users of the resolver
pretty much like a DNS failure for all the names in the signed zone).
"Be careful out there."

While signing the root is the best solution, an alternate solution
until that happens is DLV, as documented in RFC 4431. You can run
your own setup, or trust someone to do it for you. Note that ISC
runs a DLV registry, if you wanted to trust them:
https://secure.isc.org/index.pl?/ops/dlv/