SecSpider the DNSSEC Monitoring Project

The Sky is NOT Falling, but...
Recently there have been some notable outages of popular DNSSEC DLV repositories: [1], [2], etc. These failures don't necessarily denote any lack of diligence on the part of the operators. Rather, these outages reinforce that operational missteps are a reality for Internet systems (any Internet system). As such, this really calls into question whether one should be building a single point of failure, such as DLV, into DNSSEC. A recent fiber cut in the Bay Area helps to underscore that any single operational group can be the victim of a determined attacker, and any dependent parties thereby share its fate.

As a result, this seems to be quite an opportune moment to restate our beliefs on the SecSpider project: trust anchors should be locally configured and loaded into resolvers so that secure look-up decisions do not involve any in-line third parties. Furthermore, we should not forget that using a DLV repository tells the DLV operators more about your DNS traffic patterns than even the root operators know. However, if your ability to verify DNSKEYs fails because of an error in someone's Python script, you may be wondering if you have an alternative.

-- well --

You do... Download our ta-grab.sh script and use it to fetch SecSpider's trust-anchor list from a cron job. For example:

    0 0 * * * /usr/local/bin/ta-grab.sh

Presto, you're done... This script will download the TA file from SecSpider, check whether it has changed since the last run, and if so, restart your unbound resolver. All you need to do is configure unbound to load the BIND-formatted trusted-keys file:

    trusted-keys-file: "trust-anchors.conf"

and you're all set. The script is very simple and very modifiable (in case you want any changes). Furthermore, while this simple script will get you started today, you can use it to get the TA file and then make any local modifications that you like. Now, you won't be affected by anyone's outages and you can still stay abreast of TA changes!
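To make the download-compare-restart cycle concrete, here is a small POSIX shell routine written for this page in the spirit of ta-grab.sh; it is an added example, not the SecSpider project's own script. The download URL, the trust-anchor path under /etc/unbound and the use of `unbound-control reload` as the restart command are assumptions, and the example adds one step the text does not describe: it checks that the downloaded file is non-empty and looks like a BIND `trusted-keys` block before installing it, so an HTTP error page or a truncated transfer never replaces the anchors your resolver is using.

```shell
#!/bin/sh
# Added example in the spirit of the ta-grab.sh described above; not the SecSpider
# project's own script. TA_URL, TA_FILE and RESTART_CMD are assumed placeholders.
set -u

TA_URL="${TA_URL:-https://secspider.example.invalid/trust-anchors.conf}"  # placeholder URL
TA_FILE="${TA_FILE:-/etc/unbound/trust-anchors.conf}"                      # assumed path
RESTART_CMD="${RESTART_CMD:-unbound-control reload}"                       # assumed command

# fetch_ta URL DEST: download the published TA file to DEST; non-zero on any failure.
# -f makes curl fail on HTTP errors instead of saving an error page as the TA file.
fetch_ta() {
    curl -fsS -o "$2" "$1"
}

# validate_ta FILE: accept only a non-empty file that looks like a BIND trusted-keys
# block, so an empty or HTML response never replaces the anchors currently in use.
validate_ta() {
    [ -s "$1" ] && grep -q 'trusted-keys' "$1"
}

# ta_changed NEW CURRENT: true when NEW differs from CURRENT or CURRENT does not exist.
ta_changed() {
    [ -f "$2" ] || return 0
    ! cmp -s "$1" "$2"
}

# install_ta NEW CURRENT: keep a backup of CURRENT, then move NEW into place.
install_ta() {
    if [ -f "$2" ]; then cp "$2" "$2.bak"; fi
    mv "$1" "$2"
}

# refresh_ta NEW CURRENT RESTART_CMD: install NEW only if it is valid and differs from
# CURRENT, then run RESTART_CMD. Prints "updated" or "unchanged" on success; prints
# "invalid" and returns 1, leaving CURRENT untouched, when NEW fails validation.
refresh_ta() {
    new=$1; cur=$2; restart=$3
    if ! validate_ta "$new"; then
        rm -f "$new"
        echo invalid
        return 1
    fi
    if ta_changed "$new" "$cur"; then
        install_ta "$new" "$cur"
        $restart
        echo updated
    else
        rm -f "$new"
        echo unchanged
    fi
}

# main: the cron-driven cycle; download to a temp file, then hand it to refresh_ta.
main() {
    tmp=$(mktemp "${TA_FILE}.XXXXXX")
    if ! fetch_ta "$TA_URL" "$tmp"; then
        rm -f "$tmp"
        echo "download failed; keeping current anchors" >&2
        return 1
    fi
    refresh_ta "$tmp" "$TA_FILE" "$RESTART_CMD"
}

# Only an explicit "run" argument starts the network cycle, so the file can be
# sourced (for testing) without touching the network or the resolver.
[ "${1:-}" = "run" ] && main
```

With this layout the cron entry becomes `0 0 * * * /usr/local/bin/ta-grab.sh run`. The comparison uses `cmp` on the whole file rather than a timestamp, so a re-published file with identical contents does not trigger a needless reload, and the backup copy left next to the anchors file gives you something to roll back to if a new key set turns out to be wrong.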

Tue, 14 Apr 2009 13:58:25 PDT
