DNSSEC at Tilburg University

Written by Roland van Rijswijk in category: Users

This is the English translation of a blog posting by Casper Gielen on the SURFnet innovation blog. Tilburg University activates DNSSEC: Tilburg University (TiU) completed the introduction of DNSSEC in August, making it the first university in The Netherlands to use DNSSEC on a large scale. In February 2011, we began validating incoming DNSSEC information […]

No Comments

Tools used for DNSSEC research

Written by Roland van Rijswijk in category: General, Technical, Users

During the course of the past year Gijs van den Broek has performed research on DNSSEC and UDP fragmentation for his M.Sc. thesis. His work is now finished and the tools he used to perform his research have been made available so others may reproduce his research or extend it. Read more about where to […]

No Comments

Live graphing the validation rate

Written by Roland van Rijswijk in category: Users

Last Wednesday I spent some time tweaking the Cacti plugin for Unbound and managed to incorporate a live graph of the validation rate. It will be interesting to monitor the progression of this graph over the coming months and I will try to post an update every now and again. To give something away, here […]

No Comments

Puzzle of the week, win a pie :-)

Written by Roland van Rijswijk in category: General, Users

I’ve created a new validation rate graph based on the statistics gathered on our resolvers. The data is up-to-date until week 43 (this week). The graph shows an interesting trend: In the graph you can see three lines representing three different resolver locations spread out across The Netherlands. What is interesting is that the validation […]

2 Comments

Considerations about Time To Live

Written by Rick van Rein in category: Architecture, Timing, Users

OpenDNSSEC is much more dependent on proper timing than plain DNS, mainly because of the regular rollover of keys. Because of this, a lot of care must go into the design of timing, and especially the TTL parts of DNS records.

No Comments

Actor responsibilities towards DNSSEC

Written by Rick van Rein in category: Procedures, Security, Technical, Users

We are working towards a DNS signing system with various roles at a number of levels. At each of these levels we assign responsibilities, many of which will not be new to the people involved. We are not primarily worried about people with bad intentions (within our organisation), so we do not split roles as […]

No Comments

User study results

Written by Roland van Rijswijk in category: General, Users

One of the goals of our project was to perform a user study among our constituency (higher education, academia and research) to find out what the interest in DNSSEC is in our community. We finished this study in August and have just published the results, which are quite interesting; quite a number of respondents to […]

No Comments

HOWTO turn BIND into a Validating Resolver

Written by Rick van Rein in category: Procedures, Security, Technical, Users

This instruction explains how to set up DNSSEC validation with the BIND resolver for DNS. A companion article on Unbound also exists. Note that Unbound has been written for security from the ground up, and carries less history than BIND. Install. We used BIND 9.7.1-P2 on Debian Linux. Variations should work; there even is a prebuilt […]

2 Comments

HOWTO turn Unbound into a Validating Resolver

Written by Rick van Rein in category: Procedures, Security, Technical, Users

This instruction explains how to set up DNSSEC validation with the Unbound resolver for DNS. A companion article on BIND also exists. Note that Unbound has been written for security from the ground up, and carries less history than BIND. Install. We used Unbound 1.4.5 on Debian Linux. Variations should work; there is even a prebuilt […]

2 Comments

Picking the fruits of using DNSSEC

Written by Rick van Rein in category: Crypto, Security, Technical, Users

DNSSEC introduces a signature hierarchy on grounds of domain ownership. This means that first-contact situations can be validated under domains; powerful examples are SSH fingerprints, X.509 and OpenPGP certificates, and contact information, all of which can be specified in dedicated DNS records.

1 Comment