Feb 16 – 17, 2023 Workshop
Atlanta Marriott Marquis
US/Eastern timezone

Operational Experience with DNSSEC signed zones

Feb 16, 2023, 11:35 AM
Imperial Ballrom (Atlanta Marriott Marquis)

Imperial Ballrom

Atlanta Marriott Marquis

265 Peachtree Center Ave NE Atlanta GA 30303 United States
In-Person Standard Presentation Main Session OARC 40 - Day1


Shumon Huque (Salesforce)


Several years ago, we completed a large scale deployment of DNSSEC across many zones on multiple DNS providers, in-house servers, and commercial appliances. While largely successful, we faced a number of significant operational challenges too. This talk will walk through some of our noteworthy operational experiences and challenges with the deployment. It will cover topics like configuration, support for standardized vs proprietary features, zone size scaling, bugs, transport issues, debugging processes, and how problems were visible from the point of view of customers. A sizeable part of the talk will also discuss subtle DNSSEC bugs across many diverse implementations (even from quite mature DNS companies, which was quite surprising to us). It will end with some general advice and recommendations for others attempting to deploy DNSSEC on a large scale.

Primary author

Shumon Huque (Salesforce)

Presentation materials