[dns-operations] Forgery resilience idea - wildcard cooperative defense

Lutz Donnerhacke lutz at iks-jena.de
Thu Aug 7 21:14:41 UTC 2008


* Brian Dickson wrote:
> procedures and tools for the domain owner - which may be further 
> facilitated by the outsourcing of some aspects of domain maintenance to 
> a DNS hosting provider that "does" DNSSEC.

There is already a market out there.

We do offer such services: http://www.iks-jena.de/dnssec_remote.html
Sorry, it's in German at the moment.

Basic functionality:
- Split the configuration of the primary NS to AXFR the unsigned
  version of the zone as generated and maintained in the usual way
  only to our collector.
- We sign the zone asap (or with qos) and offer it back to the
  primary NS of the customer. In the other view/setup/port/...
  it acts as a hidden primary of the signed version of the zone.
- Doing all necessary maintenance incl. registrar communication.

There are several nitpicks and corner cases ... as usual.

If you would like to test it for your zone(s), please drop me an email at
dnssec at iks-jena.de.

That's ADNS: offering the signatures.

More important is the other side: RDNS, verifying the offered sigs.

In order to compare configuration options of recursive resolvers, I set up
http://www.iks-jena.de/cgi-bin/dnssec_how_dns_works.pl
It's German, too, but you should be able to understand the simple output.

At the moment the real interactive part (mounting an attack and looking into
the details of a recursion process) is disabled. I'll turn it on again
after the hype.

Please drop me a suggestion or problem you came across.
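The split-view arrangement described in the post, sketched as a BIND 9 named.conf for the customer's primary NS. This is an added example, not the poster's or IKS's own configuration; the zone name, the collector address 192.0.2.10, port 5353, the secondary range and the TSIG key name are assumptions.

```conf
// Added example (not from the post): customer-side primary NS that hands the
// unsigned zone only to the signing collector and serves the signed copy,
// pulled back from the collector as hidden primary, to everyone else.
// Assumed: zone example.com, collector 192.0.2.10, signed zone on port 5353.
options {
    directory "/var/named";
    recursion no;
};

// Assumed TSIG key; the collector signs its SOA/AXFR requests with it.
key "collector-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, generate with tsig-keygen
};

// View 1 must come first: views are matched in order, and only requests
// authenticated with collector-key may see or transfer the unsigned zone.
view "unsigned-to-collector" {
    match-clients { key "collector-key"; };
    zone "example.com" {
        type master;
        file "example.com.unsigned";        // zone maintained the usual way
        allow-transfer { key "collector-key"; };
        notify explicit;
        also-notify { 192.0.2.10; };        // ask the collector to re-fetch and re-sign
    };
};

// View 2: unsigned NOTIFYs from the collector and all public queries land
// here; the zone is a slave of the signed version on the alternate port.
view "signed-public" {
    match-clients { any; };
    zone "example.com" {
        type slave;
        file "example.com.signed";
        masters { 192.0.2.10 port 5353; };  // collector as hidden primary
        allow-notify { 192.0.2.10; };
        allow-transfer { 198.51.100.0/24; }; // assumed public secondaries
    };
};
```

The key-based match is what keeps the unsigned and signed copies apart on one server: a transfer request carrying collector-key hits view 1, while the collector's plain NOTIFY for the signed zone falls through to view 2, where the slave zone refreshes from port 5353.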
