RFC4033 introduced DNSSEC back in 2005. There are now many recursive
resolver implementations which have evolved over the past 15 years,
but implemeneting something from scratch can be a dangerous path.
Are our RFCs clear? Are all of the "understood" pitfalls clear?
This talk looks at OpenDNS/Cisco's path to DNSSEC support in their
recursive resolver. It goes from understanding the protocol to
coming up with a development and deploy strategy. Preparing the
existing DNSSEC-unaware codebase was a difficult step, as was
arranging our task board so that we could parallelize development.
The implications of NSEC and NSEC3 were unexpected and the effect
of wildcard records on validation behaviour was a surprise. There
were even several points were RFCs were simply mis-read, causing
turmoil way down the road (repeat something often enough and we all
believe it's the truth!). Finally, executing on our deployment
strategy didn't play out as expected.
Maybe our path is unsurprising, but it's a story worth telling!
Developing & deploying DNSSEC in a production environment with an emphasis on operational issues
|Talk Duration||No longer available: 30 Minutes|