Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: dshield.org now DNSSEC signed via .org SANS ISC InfoSec Forums

Special Webcast: What you need to know about the crypt32.dll vulnerability. Register Now

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
dshield.org now DNSSEC signed via .org

To coincide with today's webcast about DNSSEC [1], I changed how the dshield.org zone is DNSSEC signed. The zone itself has been signed for a while now, but I used "look aside validation" via isc.org . For a few months now, it has been possible to have .org zones directly signed by .org, and I decided to give it a try. Please let me know if you see any issues. If you plan to deploy DNSSEC yourself, see Verisign's [3] nice testing tool as well as the visualization tool by DNSVIZ [4].

[1] https://www.sans.org/webcasts/isc-threat-update-20110413-94083
[2] http://dlv.isc.org
[3] http://dnssec-debugger.verisignlabs.com
[4] http://dnsviz.net/d/dshield.org/dnssec/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Spring 2020

Johannes

3733 Posts
ISC Handler
Hello,

interesting and I view this as positive.
However, is there a specific (security related ?) reason for having multiple (3 at this moment) orphaned DS records for dshield.org. in the org. zone ?
ksk keyid "10590" missing from domain
ksk keyid "52013" missing from domain
ksk keyid "62013" missing from domain

Kind regards,

Marc Lampo
EURid vzw/asbl
Security Officer
Anonymous

Sign Up for Free or Log In to start participating in the conversation!