Too many times over the last few weeks, you heard that the real answer to all the DNS problems is DNSSEC. I decided to give it a try, and signed the dshield.org zone. DNSSEC is not exactly used very widely, and it is very possible that we will be running into some problems. If you experience any issues, please let us know (via isc.sans.org ;-) ). For most users, this will not change anything. It only matters if your resolver or your web browser actually verifies DNSSEC signature. Expect a few changes to our dshield.org zone while I experiment.

"Experimenting" with a production setup isnt exactly ideal. But there is always isc.sans.org. On the other hand, many of the aspects of DNSSEC just can't easily be simulated in a lab.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute