How do you get started with deploying DNSSEC-validating DNS servers on your network? What kind of planning should you undertake? What are the steps you need to go through?
The team over at SURFnet in the Netherlands recently released an excellent whitepaper that covers the importance of setting up DNSSEC validation, the requirements for using validation, the planning process you should use, and more.
As we note on our resource page about the whitepaper, the document then walks through the specific steps for setting up DNSSEC validation in three of the common DNS resolvers:
- BIND 9.x
- Unbound
- Microsoft Windows Server 2012
For DNSSEC to become widely available, we need DNS resolvers on networks to perform the actual validation of DNS queries using DNSSEC. This guide is a great way to get started.
Have you enabled DNSSEC validation on your network?