[dns-operations] summary of recent vulnerabilities in DNS security.

Paul Vixie paul at redbarn.org
Tue Oct 22 20:28:15 UTC 2013


Jared Mauch wrote:
> ...
>
> Edit a zone file vs "edit, run a script, upload some keys, roll some keys, do some other magic" is harder than edit a zone file.

BIND9 V9.9 may surprise you. it has inline signing and automatic key
management. the code name for this feature set was "DNSSEC For Humans"
and was largely driven by joao damas. the only "other magic" that BIND9
can't help you with is telling your registrar about new KSK DS's, since
there's no standard API for a primary name server to use for
communication with the delegation server. in all other ways, BIND9 makes
DNSSEC as easy as "edit a zone file". try it and report back, don't take
my word for it.

note, i'm not with ISC any more, but i see no reason not to stop singing
their praises.

vixie
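
The BIND 9.9 setup the message above refers to, as an added example that is not part of the original post or ISC's documentation: a `named.conf` zone stanza using inline signing with automatic key maintenance. The zone name `example.com` and all file paths are assumed placeholders.

```conf
// Added illustration; zone name and paths are placeholders (assumptions).
options {
    directory "/var/named";
};

zone "example.com" {
    type master;

    // Unsigned zone file: this is the only file the operator edits.
    file "zones/example.com.db";

    // Directory named searches for this zone's key files.
    key-directory "keys/example.com";

    // named keeps a separately signed copy of the zone and serves that,
    // leaving the unsigned file above untouched.
    inline-signing yes;

    // named signs with the keys it finds in key-directory, re-signs
    // before signatures expire, and follows the timing metadata stored
    // in the key files when introducing or retiring keys.
    auto-dnssec maintain;
};

// One-time key generation, run in the key-directory:
//   dnssec-keygen -a RSASHA256 -b 2048 -f KSK example.com
//   dnssec-keygen -a RSASHA256 -b 1024 example.com
//
// Day-to-day change: edit zones/example.com.db, bump the SOA serial, then
//   rndc reload example.com
//
// The step BIND cannot do for you (see the message above): produce the
// DS record for the KSK and hand it to the registrar out of band.
//   dnssec-dsfromkey <KSK key file>.key
```

The key files must be readable by the user `named` runs as, and the zone directory must be writable by it so the signed copy and its journal can be written. Later BIND releases replaced `auto-dnssec` with `dnssec-policy`, so this stanza applies to the 9.9-era feature set under discussion.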


