Feb 8 – 9, 2020
Hyatt Regency San Francisco
America/Los_Angeles timezone

DNSSEC Recursive Resolution From the Ground Up

Feb 8, 2020, 9:15 AM
Bayview Room (Hyatt Regency San Francisco)

Bayview Room

Hyatt Regency San Francisco

5 Embarcadero Center San Francisco CA 94111 United States
No longer available: Standard Presentation Public Workshop


Brian Somers (OpenDNS, FreeBSD)


RFC4033 introduced DNSSEC back in 2005. There are now many recursive
resolver implementations which have evolved over the past 15 years,
but implemeneting something from scratch can be a dangerous path.
Are our RFCs clear? Are all of the "understood" pitfalls clear?

This talk looks at OpenDNS/Cisco's path to DNSSEC support in their
recursive resolver. It goes from understanding the protocol to
coming up with a development and deploy strategy. Preparing the
existing DNSSEC-unaware codebase was a difficult step, as was
arranging our task board so that we could parallelize development.
The implications of NSEC and NSEC3 were unexpected and the effect
of wildcard records on validation behaviour was a surprise. There
were even several points were RFCs were simply mis-read, causing
turmoil way down the road (repeat something often enough and we all
believe it's the truth!). Finally, executing on our deployment
strategy didn't play out as expected.

Maybe our path is unsurprising, but it's a story worth telling!


Developing & deploying DNSSEC in a production environment with an emphasis on operational issues

Talk Duration No longer available: 30 Minutes

Primary author

Brian Somers (OpenDNS, FreeBSD)

Presentation materials