I’ve got time to answer a few more questions before I race off to the airport:
What would you consider the best “starter” guide to DNSSEC?

Well, I’m biased, but I think DNS and BIND is very good. I also think that Scott’s guide, NIST SP 800-81, is indispensable (and free!). For links to other DNSSEC resources, see www.dnssec.net.
How does a wildcard DNS entry affect the Kaminsky vulnerability?

Not at all, really. It doesn’t particularly matter what the data looks like on the real authoritative name servers: the hacker is poisoning the cache with bogus data by getting his response accepted before the authoritative name server has the chance to respond.
Do you see a point in the near-to-mid-term future in which IPv6 will be forced on the user community?

Sure, for a purely practical reason: because we’ll run out of IPv4 address space. That’ll happen in the next few years, and then the cool, new services brought to market by clever individuals and startups will run over IPv6. And then you’ll want to use IPv6.
To reduce the overhead of signing zone data files, can we have a temporary file that contains only the record that we want to modify, then sign it? After the new record is signed, we take the RRSIG and any related info and put it into the already-signed zone, then bump the serial number. Can it be done that way?

Unfortunately, no, because if the change adds a new domain name to the zone, or a new record type to an existing domain name, the NSEC (or NSEC3) records in the zone will need to change, too.
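To make the NSEC point concrete, here is an added example (not part of the original post, and not code from any DNS implementation) that models a small zone as a map of owner names to RR types, builds the NSEC chain in RFC 4034 canonical name order, and reports which NSEC records a given edit would change. The zone contents are constructed for illustration; NSEC3, whose chain is ordered by hashed owner names, is not modeled, but the same reasoning applies there.

```python
"""Which NSEC records change when a zone is edited (added example)."""

from typing import Dict, Set, Tuple

# Constructed sample zone: owner name -> RR types present at that name.
ZONE: Dict[str, Set[str]] = {
    "example.com.": {"SOA", "NS", "MX"},
    "www.example.com.": {"A", "AAAA"},
    "ftp.example.com.": {"CNAME"},
    "ns1.example.com.": {"A"},
}


def canonical_key(name: str) -> Tuple[str, ...]:
    """Sort key for RFC 4034 section 6.1 canonical DNS name order.

    Labels are compared from the root downwards, case-insensitively, and a
    name sorts before any name that extends it (example.com < a.example.com).
    Python's tuple comparison gives exactly that once the labels are reversed.
    """
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def nsec_chain(zone: Dict[str, Set[str]]) -> Dict[str, Tuple[str, frozenset]]:
    """Return the NSEC record each owner would carry in a signed zone.

    Maps owner -> (next owner in canonical order, type bitmap). The last
    name points back to the apex, closing the chain. Every signed owner
    also carries RRSIG and NSEC, so those appear in every bitmap.
    """
    names = sorted(zone, key=canonical_key)
    chain: Dict[str, Tuple[str, frozenset]] = {}
    for i, owner in enumerate(names):
        next_owner = names[(i + 1) % len(names)]
        types = frozenset(zone[owner] | {"RRSIG", "NSEC"})
        chain[owner] = (next_owner, types)
    return chain


def changed_nsec(before: Dict[str, Set[str]], after: Dict[str, Set[str]]) -> Set[str]:
    """Owner names whose NSEC record is added, removed or altered by the edit."""
    b, a = nsec_chain(before), nsec_chain(after)
    return {n for n in b.keys() | a.keys() if b.get(n) != a.get(n)}


def with_change(zone: Dict[str, Set[str]], owner: str, types: Set[str]) -> Dict[str, Set[str]]:
    """Copy of `zone` with `types` merged into `owner`, creating it if new."""
    new = {k: set(v) for k, v in zone.items()}
    new.setdefault(owner, set()).update(types)
    return new


if __name__ == "__main__":
    # Case 1: replacing the RDATA of www's A record changes no owner or type,
    # so only that RRset's RRSIG (and the SOA/serial) would need re-signing.
    print("change A data only   ->", changed_nsec(ZONE, ZONE) or "no NSEC changes")

    # Case 2: a new record type at an existing name rewrites that name's NSEC
    # type bitmap, so that NSEC (and its RRSIG) must be regenerated.
    added_type = with_change(ZONE, "ns1.example.com.", {"AAAA"})
    print("add AAAA to ns1      ->", sorted(changed_nsec(ZONE, added_type)))

    # Case 3: a brand-new name splices into the chain: its canonical
    # predecessor's NSEC must now point at it, and the new name needs its own.
    added_name = with_change(ZONE, "mail.example.com.", {"A"})
    print("add mail.example.com ->", sorted(changed_nsec(ZONE, added_name)))
```

Run it and the output shows the three situations the answer distinguishes: a data-only change touches no NSEC record, a new type at an existing name touches one, and a new name touches two (the predecessor in canonical order and the new name itself). In a real zone the RRSIGs over every changed NSEC, plus the SOA, must be regenerated as well, which is why a record signed in isolation cannot simply be spliced into the signed file.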
How old is the latest version of DNSSEC?

RFCs 4033, 4034 and 4035 are dated March 2005.
What effect does DNSSEC have on existing SSL/encryption during transfer?

None. DNSSEC is only used during name resolution, which happens before an SSL or TLS connection is set up. Once the connection’s set up, DNSSEC doesn’t come into play.
Thanks again for attending! I’ll answer more questions as soon as I can, and we’ll get the presentation uploaded soon, too.