[dns-operations] How much trouble am I in on May 5?

Mark Andrews marka at isc.org
Tue May 4 02:53:46 UTC 2010


In message <973381.83997.qm at web114620.mail.gq1.yahoo.com>, Calvin Richards writes:
> About 4pm today I was told the guy who is supposed to set up DNSSEC before
> he left the company did not do it before he left.  So I've been tasked with
> making sure the internet does not break on Wednesday.  Other than knowing
> that May 5th is coming I've not really dug deep into this until this
> afternoon since this was supposed to be taken care of by someone else.
> 
> I am not worried that much about our caching servers being able to do
> lookups.  What I am worried about is the servers that are acting as
> authoritative name servers for about 40 domains we have.  They are running
> Windows 2003 and from what I am reading Windows 2003 is capable of looking
> up DNSSEC zones but not capable of signing the zones.  We use two 2003
> servers to serve zones we host and two 2003 servers for users to surf on.
> 
> 
> I've been missing out on the Google lottery when I search for what happens
> if you are not signing zones on May 5th.  I would rather do this right and
> not rush into something without spending a few days testing and reading if
> I don't have to.

Nothing special happens.  Your zones will be treated as insecure
until you take steps to sign them.

When you have signed your zones you need to update your delegations
to "secure delegations" by providing DS records to the parent zones
for your zones.  This provides a cryptographic linkage between the
two zones.  Until you do this resolvers will just treat your zone
as being insecure.

> Cal
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
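
Added example, not part of the original message or any ISC code: how a DS record is derived from a child zone's DNSKEY (RFC 4034 section 5.1.4 and Appendix B), which is the "cryptographic linkage" described above. The zone name example.com. and the key bytes are constructed placeholders, not a real key.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire format of an owner name, RFC 4034 section 6.2."""
    if name == ".":
        return b"\x00"
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS fields: (key tag, algorithm, digest type 2 = SHA-256, digest hex)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def ds_matches(ds: tuple, owner: str, rdata: bytes) -> bool:
    """The check a validator makes: does the parent's DS identify this DNSKEY?"""
    return ds == make_ds(owner, rdata)

# Constructed sample: RSA-style layout (exponent length, exponent, filler modulus).
SAMPLE_PUBKEY = b"\x03\x01\x00\x01" + bytes(range(128, 192))
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, SAMPLE_PUBKEY)  # KSK flags, RSASHA256

if __name__ == "__main__":
    tag, alg, dtype, digest = make_ds("example.com.", SAMPLE_RDATA)
    # This is the line that would be handed to the parent zone's operator.
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
```

The digest covers the owner name as well as the key, so a DS generated for one zone does not match the same key published under another name.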


