#6
30th January 2010
Knobee
Real Name: Alan Clegg
New User
 
Join Date: Jan 2010
Location: Apex, NC, USA
Posts: 9

Quote:
Originally Posted by J65nko
According to wikipedia.org DNSSEC has not been implemented completely yet.
I'm not sure what this means, nor do I find it on that Wikipedia page. BIND is (and has been for several years) completely DNSSEC compliant. The "standard" (as with all things Internet) has changed significantly over the years -- nothing like a "work in progress for 10 years", but I think that it's pretty well covered at this point.

If by "implemented", you mean "the root has not been signed yet" or "not everyone is using DNSSEC", I'm forced to agree.

The root, as of last week, has signatures (dns-oarc.net slash node slash 240) that, while not able to be used for validation, are able to be used to test traffic patterns with the "larger" packet sizes required by the added signatures.

.gov has been signed for nearly a year. .se has been signed for nearly 5 years. I've been running a signed zone in .org for several months.

It's implemented. It works. It's NOT the answer to phishing attempts, but it does provide a good method of proving validity of DNS traffic end-to-end. (now those SSHFP resource records in my zones are actually worth using!)

Knobee