This host is DNSSEC-enabled – Part 2

Last year, I started signing the DNS records for this domain (and ISOC.lu). At the time, it was what is called an ‘island of trust’ in DNSSEC-speak. Being a firm believer that one should eat his own dogfood, I have now taken this one step further. Both domains vande-walle.eu and ISOC.lu are now added to ISC’s DLV registry. In addition, they are also in UCLA’s Secspider DLV repository. DLV stands for Domain Lookaside Validation; according to RFC 5074, it “is a mechanism for publishing DNS Security (DNSSEC) trust anchors outside of the DNS delegation chain”.

There are a few lessons to be learned from this experience. First and foremost, the tools are not yet ready for a general audience. If the dnssec-signzone man page is your favourite late night reading and if you like Unix shell scripting, you will have plenty of fun. On the other hand, if you are an overworked system administrator being told by the boss ‘By the way, please switch on DNSSEC before you leave this afternoon’, you are out of luck. The best tool I found to make it a bit easier is ZKT. However, this is not the friendly Graphical User Interface you would expect.

Lesson 2 is ‘check your secondaries’. I had secondaries with Xname.org. Although these nice folks provide good and free DNS service, their machines do not answer DNSSEC queries. Hence, I had to switch to new secondaries.
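A quick way to run that check on your own secondaries, added here as an example and not part of the original post: ask every NS of the zone directly with the DO bit set and look for RRSIG records in the answer. It assumes BIND’s dig is installed; the zone name on the command line is a placeholder.

```shell
#!/bin/sh
# Added example: verify that every authoritative server for a zone returns
# DNSSEC signatures when queried with the DO bit (dig +dnssec).
# Assumes BIND's dig is installed. Usage: sh check_secondaries.sh example.eu

# has_rrsig: read dig output on stdin; succeed if an RRSIG record is present
# in the answer (dig prints "<name> <ttl> IN RRSIG ...", comments start with ';').
has_rrsig() {
    grep -qE '^[^;[:space:]][^[:space:]]*[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+RRSIG[[:space:]]'
}

# check_zone: query each NS of the zone directly (no recursion) for the SOA
# and report whether that server serves signatures. A secondary that strips
# RRSIGs makes the zone look bogus to a validating resolver (SERVFAIL).
check_zone() {
    zone=$1
    status=0
    for ns in $(dig +short NS "$zone"); do
        if dig +dnssec +norecurse "@$ns" "$zone" SOA | has_rrsig; then
            echo "OK    $ns returns RRSIGs for $zone"
        else
            echo "FAIL  $ns returns no RRSIGs for $zone"
            status=1
        fi
    done
    return $status
}

# Only run the live check when a zone was given on the command line.
if [ -n "$1" ]; then
    check_zone "$1"
fi
```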

Lesson 3 is that few DNS resolvers currently support DLV. Bind does. Unbound will in the next release (the current development code already does).

Lesson 4 is that the current system to register a domain in the DLV does not seem to scale and looks more like a proof of concept. It would need to be seriously industrialized to be helpful for a bigger deployment.

Lesson 5 stems from 4 above. The whole thing would be a bit easier to deploy if the root zone was signed. But this is another debate.

Many thanks to the folks at NLNet Labs and the RESTENA Foundation for providing DNS secondary service, and ISC for running the DLV registry.
