
A disaster recovery plan has been proposed in a client's company that would fail back from DNSSEC to regular DNS in the event of:

1) A major site outage requiring the change of many DNS records

2) An issue with DNSSEC that justifies a failback

3) An issue with our Tier 1 DNSSEC provider

Are there any foreseeable issues when failing back a functional DNSSEC implementation to "regular" DNS?

makerofthings7
  • 1) Does failing back to DNS from DNSSEC in your plans include removal of DS records for your domain from the parent domain? 2) Do child domains of your domain rely on it to be signed? – nearora Jun 06 '12 at 01:05
  • I'm new to DNSSEC so any logical checks would be helpful. Thank you @nearora – makerofthings7 Jun 06 '12 at 01:13
  • One of the places I worked we did an evaluation of DNSSEC. It took a team of six approximately three months to figure out most questions and work out answers. We didn't get around to doing an implementation beyond a limited test environment. My recollection is that we predicted it would take a good six months to do all the tests that we wanted to do before making final recommendations. It's neither easy, nor small and has far reaching implications depending on how critical DNS infrastructure is to your business. – nearora Jun 06 '12 at 01:26
  • I'd really be interested in learning from your questions, answers, and lessons learned. Do you have a blog, Word doc, or anything I could build upon and share back with you? – makerofthings7 Jun 06 '12 at 01:30
  • I just tried to find out and there isn't a public version available. If you check with RIPE NCC, Nominet, IIS.se and others that have implemented DNSSEC, you'll be able to get your hands on documents such as www.ficora.fi/attachments/5uBFz9cFs/DNSSec_in_Sweden.pdf and http://www.docstoc.com/docs/110603422/RIPE-NCCs-DNSSEC-Deployment to start you off. – nearora Jun 06 '12 at 01:35
  • What is that about removing DNSSEC because of a change in many DNS records?! Unless your security policy requires calculating signatures on an abacus... – Sandman4 Jun 06 '12 at 17:53

1 Answer


The main issue with unsigning your zone is that the DS records should be removed from the parent zone well in advance, before you unsign your zone: you should wait for those records to expire from caches before you remove your DNSKEYs and RRSIGs. If some cache for some reason keeps the DS records, it will refuse to use your unsigned zone at all.

Additionally, if you (i.e. the resolvers which query your zone) use DLV, your zone should be removed from DLV too. Today nobody is supposed to use DLV, IMHO.

It is about the same in "regular" DNS: when you want to change nameservers, you remove the old nameservers only after the NS TTL expires.

The biggest problem with DNSSEC is that people think it's something extremely complex, IMHO. DNSSEC is no more complicated than DNS and SSL, and everybody uses those two without even knowing that they are complicated.

Sandman4
  • +1 for the last line. Besides which, in a DR circumstance your risk goes up. There are plenty of opportunists in disasters, starting with fake charities. I can imagine this as a greater opportunity for malicious acts. – Jeff Ferland Jun 06 '12 at 17:59
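The ordering the answer above insists on (pull the DS from the parent first, wait out the DS TTL, only then drop DNSKEY/RRSIG) can be checked against a small model of a validating resolver's cache. The following is an added example, not code from the original post or from any DNS software: the TTL values, the cache behaviour and the three outcome labels are constructed assumptions, chosen to show why unsigning too early turns the zone "bogus" for any resolver that still holds the old DS.

```python
# Added example, not code from the original post.  It models the
# go-insecure sequence the answer describes: remove the DS from the parent,
# wait for the DS to expire from validating resolvers' caches, and only then
# drop DNSKEY/RRSIG from the child.  TTL values and the cache model are
# constructed assumptions, not measurements of a real resolver.
from dataclasses import dataclass
from typing import Optional, Tuple

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


@dataclass
class ParentZone:
    """The parent's view of the delegation: is a DS published, with what TTL."""
    ds_present: bool = True
    ds_ttl: int = 86400          # assumed DS TTL served by the parent (24h)


@dataclass
class ChildZone:
    """The child zone: signed means DNSKEY and RRSIGs are published."""
    signed: bool = True


@dataclass
class ValidatingResolver:
    """A resolver cache holding only the DS answer as (present?, expiry).

    Simplification: presence and proven absence of the DS are both cached
    for ds_ttl seconds.  A real resolver caches absence under the parent's
    negative-caching TTL, which is usually shorter; the worst case for the
    operator is still a positive DS cached just before removal.
    """
    cached_ds: Optional[Tuple[bool, float]] = None

    def lookup_ds(self, parent: ParentZone, now: float) -> bool:
        if self.cached_ds is not None and self.cached_ds[1] > now:
            return self.cached_ds[0]                 # still fresh, serve cache
        self.cached_ds = (parent.ds_present, now + parent.ds_ttl)
        return parent.ds_present


def validate(resolver: ValidatingResolver, parent: ParentZone,
             child: ChildZone, now: float) -> str:
    """Outcome a validating resolver reaches for the child zone at time now."""
    has_ds = resolver.lookup_ds(parent, now)
    if not has_ds:
        return INSECURE      # no DS (cached or fresh): unsigned answers accepted
    if child.signed:
        return SECURE        # DS matches a DNSKEY and the RRSIGs verify
    return BOGUS             # DS says "signed" but no DNSKEY/RRSIG: SERVFAIL


def earliest_safe_unsign(ds_removed_at: float, ds_ttl: int) -> float:
    """Worst case: a resolver fetched the DS one instant before removal, so
    the child may be unsigned only once that copy has aged out."""
    return ds_removed_at + ds_ttl


def run_unsign(wait_seconds: float, ds_ttl: int = 86400) -> str:
    """Simulate: resolver caches the DS at t=0, operator removes the DS at the
    parent at t=0, unsigns the child after wait_seconds, and the resolver
    validates again.  Returns what the resolver concludes."""
    parent = ParentZone(ds_ttl=ds_ttl)
    child = ChildZone()
    resolver = ValidatingResolver()
    t = 0.0
    validate(resolver, parent, child, t)   # DS is now in the resolver cache
    parent.ds_present = False              # step 1: pull the DS from the parent
    t += wait_seconds                      # step 2: wait
    child.signed = False                   # step 3: remove DNSKEY/RRSIG
    return validate(resolver, parent, child, t)


if __name__ == "__main__":
    ttl = 86400
    print("unsign immediately:", run_unsign(0, ttl))        # bogus
    print("unsign after DS TTL:", run_unsign(ttl, ttl))     # insecure
    print("earliest safe time:", earliest_safe_unsign(0, ttl))
```

The same model covers the answer's nameserver analogy: replace the cached DS with a cached NS RRset and the waiting period is the NS TTL instead. In a real rollback the waiting period is read from the TTL the parent actually serves on your DS RRset, not from a constant.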