New OpenDNSSEC doesn't want you to ... ride into the danger zone
(With apologies to pop sysadmin Kenny Log-ons)
A new version of OpenDNSSEC – an open-source implementation of DNSSEC – is hoping to plug a problem it is happy to have: increased use.
Release candidate of version 1.4.9 was put out Monday for testing, with the key new feature being the ability to deal with a large number of zones – more than 50.
"Too much concurrent zone transfers causes new transfers to be held back. These excess transfers however were not properly scheduled for later," the release notes highlight.
It is a problem that the OpenDNSSEC team, which originally comprised engineers from a number of country-code top-level domains such as the UK's Nominet, Canada's CIRA, the Netherlands' NLnet Labs and Sweden's IIS but is now run solely by NLnet Labs, is happy to see.
DNSSEC enables internet infrastructure companies, including registries and ISPs, to digitally sign their zones and so make it much harder for people to spoof DNS traffic. The protocol is notoriously difficult and expensive to implement however, which has led to slower-than-hoped-for uptake.
The OpenDNSSEC team started work back in March 2009 on a system that would make it simpler and hence cheaper to implement the protocol, releasing version 1.0.0 just under a year later.
The software handles the complex process of signing a zone automatically and includes secure key management, all of which means fewer manual operations.
Why so slow?
Despite it being created to drive usage of DNSSEC, however, the fact that there is still not a version 2.0 nearly seven years later suggests the software, and the protocol, are still not in wide usage.
There have been notable criticisms of the protocol, most famously from the founder of Matasano Security, Thomas Ptacek, who claimed it was not only unnecessary and expensive but could also help the intelligence services snoop on internet traffic.
However, Ptacek's claims were vigorously disputed by other internet engineers and late last year CDN specialist CloudFlare announced it would provide DNSSEC to all its customers.
Another key change has been the requirement for new internet registries to implement DNSSEC as part of their contract with DNS overseer ICANN. More than 500 new top-level domains have been added in the past year, more than doubling the internet's namespace.
As a result, top of the list for version 2.0 of OpenDNSSEC is "performance improvements for large numbers of zones." Other planned improvements highlight issues associated with greater use and implementation of the protocol, including dynamic updates, rollovers and offline keys.
You can download [tar.gz] 1.4.9rc1 for testing now. ®