[dns-operations] Entering DNSSEC waters
Doug Barton
dougb at dougbarton.us
Fri Jan 23 00:18:10 UTC 2015
On 1/22/15 11:21 AM, Stephen Johnson (DIS) wrote:
> I'm about to put my toes into the DNSSEC waters before something forces me
> to dive in head first. I've been researching and doing some tentative
> planning as to how to implement DNSSEC for our DNS zones.
>
> I've got a good handle on how we'll be doing our key handling and key
> rotations (from RFC6781). What I'm currently lacking is a rollout and
> testing plan for the live zones. I've read about the DNSSEC rollouts
> that have been discussed on the list.
>
> What I'm asking for is advice and possibly copies of rollout and
> testing plans others have used. From those I'll cobble together a rollout
> plan for our zones.
How wet are your toes? :)
If you haven't already, start with validation. It's easy to enable, and
you can do it with next to no impact on your existing stuff (assuming
you have some overhead built into your existing resolver infrastructure).
Rollout and testing are the same as they would be for any other major
DNS change. Do you have internal-only zones? Create a new one just for
testing, and put your new validators through their paces. (You'll need
trust anchors configured for those internal zones on your validating
resolvers.) Then maybe go on to some other, mission critical zones.
Then move on to a few inconsequential external zones (e.g., zones you
have parked for trademark protection purposes). You can test them from
the inside with your validating resolvers, and then you'll want to
confirm from the outside as well. (Google's public DNS is validating, FYI.)
Once your feet are thoroughly soaked, you can move on to your
mission-critical external stuff, and then you're done.
You might want to publish your plans for key sizes, types, rollover,
etc. here for review.
Also, there is a good book you might want to check out:
https://www.michaelwlucas.com/nonfiction/dnssec-mastery
I was involved in reviewing the book, but I don't receive any
compensation for it, in case that matters to you.
Good luck,
Doug
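The inside-then-outside check Doug describes (query your own validating resolvers first, then an outside validator such as Google Public DNS) can be scripted. This is an added example, not code from the post or the list; it assumes `dig` is installed, that 10.0.0.53 stands in for one of your own validating resolvers, and that internal-test.example and parked.example are placeholder zone names.

```shell
#!/bin/sh
# Added example, not from the list post: classify a resolver's answer for a
# zone by parsing `dig +dnssec` output, so you can check validation from your
# own resolvers first and then from an outside validator such as 8.8.8.8.

# Reads dig output on stdin and prints one word:
#   servfail  - resolver returned SERVFAIL (broken chain of trust or bad RRSIG)
#   validated - AD flag set: the resolver validated the answer
#   signed    - RRSIGs returned but no AD: zone is signed, resolver did not
#               validate it (e.g. no trust anchor for an internal zone)
#   unsigned  - no RRSIG and no AD: zone is not signed (or +dnssec was omitted)
# Querying with +cd suppresses the AD flag, so never use +cd for this check.
classify_dig_output() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'status: SERVFAIL'; then
    echo servfail
    return 0
  fi
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
  for f in $flags; do
    if [ "$f" = ad ]; then
      echo validated
      return 0
    fi
  done
  if printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'; then
    echo signed
  else
    echo unsigned
  fi
}

# Live check (needs dig and network): query ZONE's SOA through RESOLVER, e.g.
#   check_zone internal-test.example 10.0.0.53   # one of your validating resolvers
#   check_zone parked.example 8.8.8.8            # the outside view
check_zone() {
  dig +dnssec "$1" SOA @"$2" | classify_dig_output
}

# Constructed sample answers (not captured from any real zone) for offline use.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
example. 3600 IN SOA ns1.example. hostmaster.example. 1 7200 3600 1209600 3600
example. 3600 IN RRSIG SOA 13 1 3600 20150201000000 20150118000000 12345 example. QUJD'
SAMPLE_SIGNED_NOT_VALIDATED=$(printf '%s\n' "$SAMPLE_VALIDATED" | sed 's/ ra ad;/ ra;/')
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
```

A "signed" result from your internal resolvers for an internal test zone usually means the trust anchor for that zone has not been configured on them yet; a "servfail" from 8.8.8.8 for an external zone means the outside world cannot validate it and will stop resolving it.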