DNSSEC

Started by Hello71, March 27, 2014, 04:36:50 AM


Hello71

There are some old threads about this, but nothing recent.

Has HE considered DNSSEC for reverse IPv6 or regular zones?

kcochran

There are still some hurdles keeping this from being an available item yet.

fenton

Quote from: kcochran on March 27, 2014, 06:03:41 AM
There are still some hurdles keeping this from being an available item yet.

Without knowing what the hurdles are, it's hard to know what is possible. But it would be nice (for me, at least) if, as a slave DNS server, the he.net nameservers would at least respond with the RRSIG records when they are present. I can see them in my zone (they transferred from my master), but they aren't sent in response to queries. So I'll need to make other arrangements for any zones that I plan to deploy DNSSEC on.

I can't complain because I'm not paying anything for this service (and thanks; I don't want to sound ungrateful). But given how progressive he.net is on IPv6 support, I'm a little surprised they aren't further along with DNSSEC.
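The check fenton describes above can be made from a raw DNS query: send the question with the EDNS0 DO bit set and see whether any RRSIG comes back in the answer section. This is an added example, not code from the thread or from HE; the two responses are constructed inline and the RRSIG payload is placeholder bytes, not a real signature.

```python
import struct

RRSIG, OPT, DO_FLAG = 46, 41, 0x8000   # RRSIG type, EDNS0 OPT type, DNSSEC OK bit

def _encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_dnssec_query(name, qtype=1, qid=0x1234):
    """Query with an EDNS0 OPT record carrying DO=1, which asks the server for RRSIGs."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # RD set; 1 question, 1 additional
    question = _encode_name(name) + struct.pack(">HH", qtype, 1)
    # OPT RR: root owner, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack(">HHIH", OPT, 4096, DO_FLAG, 0)
    return header + question + opt

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def answer_rrtypes(msg):
    """List the RR types in the answer section of a raw DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4              # skip QTYPE + QCLASS
    types = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def serves_rrsigs(msg):
    """True when at least one RRSIG came back alongside the answer."""
    return RRSIG in answer_rrtypes(msg)

def _rr(owner, rtype, rdata, ttl=300):
    return owner + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata

# Constructed sample responses (not captured from any he.net server) to an A query for
# example.com; only the first carries the RRSIG that covers the A RRset.
_QUESTION = _encode_name("example.com") + struct.pack(">HH", 1, 1)
_A = _rr(b"\xC0\x0C", 1, bytes([192, 0, 2, 1]))                    # owner = pointer to question name
_RRSIG = _rr(b"\xC0\x0C", RRSIG, b"\x00\x01\x08\x02" + b"\x00" * 20)  # placeholder, not a real signature
SIGNED_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + _QUESTION + _A + _RRSIG
UNSIGNED_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION + _A
```

Against a live slave, send the bytes from build_dnssec_query() over UDP to the nameserver and pass the reply to serves_rrsigs(); signed answers often exceed 512 bytes, which is why the OPT record advertises a 4096-byte payload size.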

snarked

I agree, but it's a matter of the DNS software HE uses and its lack of support until lately.

For now, it looks as if DNSSEC can be enabled for secondary-served zones (see Chapter 12.8.1 of your DNS software's manual).  Primary zones hosted at HE are much more involved.

kcochran

Quote from: snarked on April 08, 2014, 01:35:52 PM
For now, it looks as if DNSSEC can be enabled for secondary-served zones (see Chapter 12.8.1 of your DNS software's manual).  Primary zones hosted at HE are much more involved.

If only that knob didn't carry a _lot_ of overhead along with it.

snarked

That I didn't look into.  I only note it's capable; not if it's a "turtle or hare."

passport123

Quote from: kcochran on March 27, 2014, 06:03:41 AM
There are still some hurdles keeping this from being an available item yet.

[bump]

Any idea when DNSSEC might be available?

kriteknetworks

I'm sure it will get announced when it is available.

passport123

 :)

Yes, I'm sure it will be announced when available.

The reason I asked, however, is that I was wondering whether it might be a few weeks, months or [gasp] years.  For example, if it is not going to happen this year, then I'll alter my plans.  The he.net DNS has been most excellent for me, so I would be very reluctant to move a domain to some unknown elsewhere unnecessarily.

That's all. I wasn't looking for a hard/fast date, just a ballpark ~around the end of this year~ or ~maybe late next year~ type of thing.

hstrauss

Since I don't think this is a necro-post (since it was already revived), I'll post here.

I've recently received correspondence from the ISC that the DLV is being sunsetted. As of (early-) 2016, zones that could validate to the Root will be removed and disabled from the DNSSEC Lookaside Validation Registry (dlv.isc.org). This means that this commonly-used alternative Trust Anchor will not validate reverse delegations held within it.

So this is just a(nother) bump to the "registrar" (if that's even valid for reverse delegations) to push for DS records by 2016, if at all possible. :)

Source: presentations linked from: https://www.isc.org/blogs/dlv/

realdreams

People have been asking about DNSSEC for years. Is HE concerned about the attack vectors coming with DNSSEC?

passport123

My guess would be that HE is concerned about attack vectors for anything and everything they do.  It's in their DNA.  You cannot do what HE does without such concern.   :)

My experience with implementing DNSSEC on one of my domains taught me that there are a lot of knobs that need tending and need to be set correctly.  For example, one major DNS hosting provider did not pass the dnsviz.net DNSSEC testing tool cleanly, although the implementation seemed to work OK. 

While I'm looking forward to HE's DNSSEC, I can understand the need for a methodical implementation and release.  In my experience, HE's DNS has been very, very reliable, and I'm sure HE does not want to change that.