Speaker
Description
Several years ago, we completed a large-scale deployment of DNSSEC across many zones on multiple DNS providers, in-house servers, and commercial appliances. While the deployment was largely successful, we also faced a number of significant operational challenges. This talk will walk through some of our noteworthy operational experiences and challenges with the deployment. It will cover topics like configuration, support for standardized vs. proprietary features, zone size scaling, bugs, transport issues, debugging processes, and how problems were visible from the customers' point of view. A sizeable part of the talk will also discuss subtle DNSSEC bugs across many diverse implementations (even from quite mature DNS companies, which was quite surprising to us). It will end with some general advice and recommendations for others attempting to deploy DNSSEC on a large scale.