Welcome to the SecAware blog

I spy with my beady eye ...

15 Apr 2010

DNSsec pros and cons

A somewhat self-contradictory piece in The Register regarding DNSsec was pointed out to me by a fellow CISSP. The way the Internet root DNS servers work is going to change soon - essentially after May 5th, they will only respond to DNS queries that have been digitally signed using the DNSsec protocol. Until then, I believe DNSsec is running on some of the root servers, allowing organizations to try out their software and get any wrinkles sorted out.

Kevin Murphy, the Register's columnist, indicates that some ISPs or large organizations running old software without the facility for DNSsec may thereafter be unable to make DNS queries, which mnay be true but seems rather unlikely to be such a problem as he implies. As I understand it, DNSsec has been around for years, implying that ISPs etc. who have not updated their software probably have other more serious security problems. On top of that, end users (like me!) are not tied to their ISP's DNS offerings. Personally, I have used both OpenDNS and the faster Google DNS successfully for years, particularly as my ISP's DNS had trouble resolving the very useful SANS Internet Storm Center address for some obscure reason.

Anyway, your ISP and/or your IT Department should be well on top of this by now, but for the sake of availability, it might be worth double-checking.

No comments:

Post a Comment