Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: DNSSEC  (Read 7472 times)

Hello71

  • Newbie
  • *
  • Posts: 8
DNSSEC
« on: March 27, 2014, 04:36:50 AM »

There are some old threads about this, but nothing recent.

Has HE considered DNSSEC for reverse IPv6 or regular zones?
Logged

kcochran

  • Sr. Network Engineer, Hurricane Electric
  • Administrator
  • Sr. Member
  • *****
  • Posts: 413
Re: DNSSEC
« Reply #1 on: March 27, 2014, 06:03:41 AM »

There are still some hurdles keeping this from being an available item yet.
Logged

fenton

  • Newbie
  • *
  • Posts: 12
Re: DNSSEC
« Reply #2 on: April 07, 2014, 10:00:46 PM »

Quote
There are still some hurdles keeping this from being an available item yet.

Without knowing what the hurdles are, it's hard to know what is possible. But it would be nice (for me, at least) if, as a slave DNS server, the he.net nameservers would at least respond with the RRSIG records when they are present. I can see them in my zone (they transferred from my master) but they aren't sent in response to queries. So I'll need to make other arrangements for any zones that I plan to deploy DNSSEC on.

I can't complain because I'm not paying anything for this service (and thanks; I don't want to sound ungrateful). But given how progressive he.net is on IPv6 support, I'm a little surprised they aren't further along with DNSSEC.
Logged
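
A way to check the behaviour described in the post above, as an added example that is not part of any post in this thread: build a query with the EDNS0 DO bit set and test whether the answer section of the reply carries RRSIG records. The zone name example.net, the function names and both sample responses are constructed for illustration.

```python
import struct

AAAA, OPT, RRSIG = 28, 41, 46

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype, do_bit=True, qid=0x1234):
    """Query with an EDNS0 OPT record; DO (0x8000 in the OPT TTL field) requests RRSIGs."""
    header = struct.pack("!6H", qid, 0, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack("!2H", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x8000 if do_bit else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + n

def answer_types(msg):
    """RR types present in the answer section of a wire-format response."""
    _, _, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def serves_signatures(msg):
    return RRSIG in answer_types(msg)

def sample_response(signed):  # constructed reply for placeholder zone example.net
    def rr(t, rdata):
        return b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 3600, len(rdata)) + rdata
    answers = [rr(AAAA, bytes(15) + b"\x01")]
    if signed:
        sig = struct.pack("!HBBIIIH", AAAA, 8, 2, 3600, 0, 0, 12345)
        answers.append(rr(RRSIG, sig + encode_name("example.net") + bytes(8)))
    header = struct.pack("!6H", 0x1234, 0x8400, 1, len(answers), 0, 0)
    return header + encode_name("example.net") + struct.pack("!2H", AAAA, 1) + b"".join(answers)
```

Against a live server, the bytes from `build_query` go out over UDP to the authoritative nameserver and the reply is passed to `serves_signatures`; a signed zone whose secondary returns `False` here shows the symptom described above.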

snarked

  • Hero Member
  • *****
  • Posts: 758
Re: DNSSEC
« Reply #3 on: April 08, 2014, 01:35:52 PM »

I agree, but it's a matter of the DNS software HE uses and its lack of support until lately.

For now, it looks as if DNSSEC can be enabled for secondary-served zones (see Chapter 12.8.1 of your DNS software's manual).  Primary zones hosted at HE are much more involved.
Logged

kcochran

  • Sr. Network Engineer, Hurricane Electric
  • Administrator
  • Sr. Member
  • *****
  • Posts: 413
Re: DNSSEC
« Reply #4 on: April 08, 2014, 02:00:33 PM »

Quote
For now, it looks as if DNSSEC can be enabled for secondary-served zones (see Chapter 12.8.1 of your DNS software's manual).  Primary zones hosted at HE are much more involved.

If only that knob didn't carry a _lot_ of overhead along with it.
Logged

snarked

  • Hero Member
  • *****
  • Posts: 758
Re: DNSSEC
« Reply #5 on: April 10, 2014, 12:28:22 PM »

That I didn't look into.  I only note it's capable; not if it's a "turtle or hare."
Logged

passport123

  • Newbie
  • *
  • Posts: 32
Re: DNSSEC
« Reply #6 on: May 25, 2015, 10:49:53 AM »

Quote
There are still some hurdles keeping this from being an available item yet.

[bump]

Any idea when DNSSEC might be available?
Logged

kriteknetworks

  • Sr. Member
  • ****
  • Posts: 260
    • aRDy Music
Re: DNSSEC
« Reply #7 on: May 26, 2015, 07:27:59 AM »

I'm sure it will get announced when it is available.
Logged

passport123

  • Newbie
  • *
  • Posts: 32
Re: DNSSEC
« Reply #8 on: May 26, 2015, 09:21:33 AM »

 :)

Yes, I'm sure it will be announced when available.

The reason I asked, however, is that I was wondering whether it might be a few weeks, months or [gasp] years.  For example, if it is not going to happen this year, then I'll alter my plans.  The he.net DNS has been most excellent for me, so I would be very reluctant to move a domain to some unknown elsewhere unnecessarily.

That's all. I wasn't looking for a hard/fast date, just a ballpark ~around the end of this year~ or ~maybe late next year~ type of thing.

Logged

hstrauss

  • Newbie
  • *
  • Posts: 2
Re: DNSSEC
« Reply #9 on: July 04, 2015, 09:46:51 AM »

Since I don't think this is a necro-post (since it was already revived), I'll post here.

I've recently received correspondence from the ISC that the DLV is being sunsetted. As of (early-) 2016, zones that could validate to the Root will be removed and disabled from the DNSSEC Lookaside Validation Registry (dlv.isc.org). This means that this commonly-used alternative Trust Anchor will not validate reverse delegations held within it.

So this is just a(nother) bump to the "registrar" (if that's even valid for reverse delegations) to push for DS records by 2016, if at all possible. :)

Source: presentations linked from: https://www.isc.org/blogs/dlv/
Logged

realdreams

  • Newbie
  • *
  • Posts: 25
Re: DNSSEC
« Reply #10 on: July 13, 2015, 06:20:56 AM »

People have been asking about DNSSEC for years. Is HE concerned about the attack vectors coming with DNSSEC?
Logged

passport123

  • Newbie
  • *
  • Posts: 32
Re: DNSSEC
« Reply #11 on: July 15, 2015, 08:19:14 AM »

My guess would be that HE is concerned about attack vectors for anything and everything they do.  It's in their DNA.  You cannot do what HE does without such concern.   :)

My experience with implementing DNSSEC on one of my domains taught me that there are a lot of knobs that need tending and need to be set correctly.  For example, one major DNS hosting provider did not pass the dnsviz.net DNSSEC testing tool cleanly, although the implementation seemed to work OK. 

While I'm looking forward to HE's DNSSEC, I can understand the need for a methodical implementation and release.  In my experience, HE's DNS has been very, very reliable, and I'm sure HE does not want to change that.

Logged