[dns-operations] Forgery resilience idea - wildcard cooperative defense

Lutz Donnerhacke lutz at iks-jena.de
Thu Aug 7 21:14:41 UTC 2008

* Brian Dickson wrote:
> procedures and tools for the domain owner - which may be further 
> facilitated by the outsourcing of some aspects of domain maintenance to 
> a DNS hosting provider that "does" DNSSEC.

There is already a market out there.

We do offer such services: http://www.iks-jena.de/dnssec_remote.html
Sorry, it's in German language at the moment.

Basic functionality:
- Split the configuration of the primary NS to AXFR the unsigned
  version of the zone as generated and maintained in the usual way
  only to our collector.
- We sign the zone asap (or with qos) and offer it back to the
  primary NS of the customer. In the other view/setup/port/...
  it acts as a hidden primary of the signed version of the zone.
- Doing all necessary maintainance incl. registrar communication.

There are several nitpicks and corner cases ... as usual.

If you like to test it for your zone(s), please drop me an email to
dnssec at iks-jena.de.

That's ADNS: offering the signatures.

More important is the other side: RNDS, verifying the offered sigs.

In order to compare configuration options of recursive resolvers, I set up
It's German, too, but you should be able to understand the simple output.

At the moment the real interactive part (mounting an attack and looking into
the details of an recursion process) is disabled. I'll turn it on again
after the hype.

Please drop me an suggestion or problem you came across.

More information about the dns-operations mailing list