Compared with plain old DNS it is easy to see DNSSEC as overwhelmingly complex. DNS is a central piece of the internet, but like the rest of the internet it was designed over a human generation ago, which translates into a great many generations in software time. Back then no one gave network security much thought, and DNS has serious weaknesses (answers are not authenticated, so a resolver cannot tell a forged response from a genuine one) that are quite undesirable in such a central technology.
DNSSEC is a way to add security to DNS: zone data is signed, so a resolver can verify that an answer really came from the zone's owner and was not altered on the way. It has taken over 15 years to develop the protocol, through what appears to have been a twisty maze full of dead ends, but it is now being deployed by some of the major players in the worldwide DNS community. The registry in Sweden, .SE, was an early DNSSEC promoter and I believe the first TLD to actually implement DNSSEC, already in 2005.
DNSSEC is not the only idea for securing DNS. Personally I also find DNSCurve very interesting, but DNSCurve is not as far along because it is a more recent proposal, and registries are already implementing DNSSEC, so I believe the internet may end up using DNSSEC for a while now even though it isn't really considered the be-all and end-all of DNS security. In any case, it seems to be a lot better than plain DNS.
I had the opportunity to participate in an introduction to OpenDNSSEC hosted by .SE, and I think that this package fills a clear void in the DNSSEC software landscape. DNSSEC is complex, and managing it (generating keys, rolling them over, re-signing zones on schedule) has been complex too, but OpenDNSSEC automates those tasks according to a policy and makes DNSSEC management very easy. Release 1.0.0 has several rough edges, but basic functionality works well and it is a feature-complete package. If you have a chance to go to an OpenDNSSEC training, I suggest that you go! I found it very instructive.
The 1.0 release is being packaged for some popular UNIX systems. For my favorite system, Gentoo, there are contributed ebuilds for SoftHSM and OpenDNSSEC which make installation very easy. More info is being added to the OpenDNSSEC site, but dev-libs/softhsm is available in the sunrise overlay, and net-dns/opendnssec is in my overlay. If you add these overlays to your system using layman, then you just need to do:
emerge opendnssec
SoftHSM is also worth a mention. It is an open source PKCS#11 soft token that uses a SQLite database as its keystore. The private keys are not protected beyond filesystem permissions, so it is no substitute for a real HSM, but it is a convenient way to experiment with a keystore that does not have the limits (such as the small number of keys a card can hold) quite common with smart cards. If you do want a smart card, OpenDNSSEC can use the OpenSC PKCS#11 module as a keystore instead, through the same interface.
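To make the two keystore options above concrete, here is the RepositoryList part of an OpenDNSSEC 1.x conf.xml with both a SoftHSM token and an OpenSC smart card. This is an added example, not configuration from the original post or from the OpenDNSSEC project; the module paths, token labels, PINs, capacities and the slot-to-database mapping are assumptions for illustration, so check what your distribution actually installs.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Excerpt of /etc/opendnssec/conf.xml (illustrative; paths and PINs are
     assumptions, not values from the OpenDNSSEC project). A real conf.xml
     also needs the Common, Enforcer and Signer sections. -->
<Configuration>
  <RepositoryList>

    <!-- SoftHSM: the keys live in a SQLite file. Create the token once
         (SoftHSM 1.x syntax):
           softhsm --init-token --slot 0 --label "OpenDNSSEC" --so-pin 1234 --pin 1234
         and map slot 0 to its database in softhsm.conf:
           0:/var/lib/softhsm/slot0.db
         Nothing protects the private keys except the permissions on that
         file and the PIN written here in clear text, so keep conf.xml and
         the database readable only by the opendnssec user (e.g. mode 0640). -->
    <Repository name="SoftHSM">
      <Module>/usr/lib/libsofthsm.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>1234</PIN>
      <Capacity>1000</Capacity>
      <!-- Do not publish a key until "ods-ksmutil backup done" has been run,
           so losing the SQLite file cannot leave a zone with no usable key. -->
      <RequireBackup/>
    </Repository>

    <!-- OpenSC: same PKCS#11 interface, but the private key never leaves the
         card. Initialise the card with the OpenSC tools (pkcs15-init) and
         put its token label here. A card holds only a handful of keys,
         hence the small Capacity. -->
    <Repository name="OpenSC">
      <Module>/usr/lib/opensc-pkcs11.so</Module>
      <TokenLabel>OpenDNSSEC card</TokenLabel>
      <PIN>1234</PIN>
      <Capacity>8</Capacity>
    </Repository>

  </RepositoryList>
</Configuration>
```

A policy in kasp.xml then names a repository separately for its KSK and ZSK (`<Repository>OpenSC</Repository>` under KSK, `<Repository>SoftHSM</Repository>` under ZSK), so the long-lived key whose DS goes to the registry can sit on the card while the frequently rolled zone-signing keys stay in the soft token. Run `ods-hsmutil test SoftHSM` (or `ods-hsmutil test OpenSC`) after editing conf.xml to confirm that OpenDNSSEC can actually log in to the token before you add zones.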

Martin Paljak
Care to create a small entry on http://www.opensc-project.org/opensc/wiki/ApplicationSupport as well, with a link to this post or some information pumped to the opensc wiki?
2010-03-11 21:38