Myth-Busting and Demystifying DNSSEC

eco and the CSA will be strongly represented at this month’s M3AAWG Meeting in Canada, with Julia Janssen-Holldiek and Florian Mielke from the CSA attending, and Patrick Koetter, Leader of the eco Competence Groups Email and Anti-Abuse presenting. We spoke to Patrick about what he’ll be talking about.


Patrick, what is the topic you’re going to be dealing with at M3AAWG this year?

The topic we’re going to be dealing with – which, by the way, I’m not going to do all by myself, but with Carsten Strotmann from our company – is DNSSEC. I want to demystify a few DNSSEC myths that keep people from implementing and using it. That’s one thing. The other thing is we actually want to give them a little hands-on training. We’ve been able to get a two-hour slot, which I was told is pretty unusual for an M3AAWG because usually they only give away 45 or 50 minutes.

So we have a two-hour slot and anybody who’s going to attend will be in for a two-hour training, hands on. They will get two virtual machines and we’re going to set up a BIND 9 nameserver, which will be authoritative for a test domain. We’re going to enable DNSSEC on this server so that people can get an understanding of what’s happening in there, and then understand how the administration process works and how you can verify things like that.

We’re doing this so that they feel more comfortable with what they’re doing, because most DNS administrators we talk to say they don’t like to deal with DNSSEC because they don’t know how to deal with it. And that’s one of the problems – we need to enable them to do that.


Get hands-on experience.

Exactly. They’ll get hands-on experience, which is going to be quite hard – it’s a tough schedule time-wise. We’ve pre-installed everything so they’ll only need to deal with the configuration, and we need to explain things.

At the very end, when we have a DNSSEC-enabled infrastructure, they will understand – and that’s actually the hook that we have in there – the Iran attack which became public during spring. So we will go along with the Iran attack and we’ll explain what happened during the attack and how this could have been prevented if people had been using DNSSEC or DNSSEC validation. So it’s also going to be a lecture on DNSSEC architecture – with the critical points where you need to make sure you have the right resolvers in place and things like that.

At the very end, in probably the last five or 10 minutes – which is very funny because people always say that DANE is so complicated – we’re going to completely DANE-enable the platform, and then they will be able to have DANE-secure mail transport. DANE actually is the simplest thing to do. The DNSSEC part is the hard one, which is going to take most of the time during the two hours.


So what are the DNSSEC myths you want to bust at M3AAWG?

  1. “We are going to go black once we enable DNSSEC validation because there are so many broken DNSSEC authoritative servers out there that we won’t be able to reach our domains.”

That’s a big myth. It’s a belief that’s really hard to get out of people’s mind. I talked already about it at the M3AAWG in Budapest, which was a starting point for having this training session.

  2. And the other great myth is that operational handling of DNSSEC is complicated – it isn’t.
  3. The third thing is that people keep complaining that DNSSEC makes DNS critical. They say: “But once you have DNSSEC, DNS becomes critical”.

As if it’s never been critical before! Turn traditional DNS off now, and wait for two seconds to see what happens!

DNS has been critical all the time. It’s the second most important core protocol on the Internet. Probably what they have in their mindset is that they don’t know what they have to look out for when they deploy DNSSEC, and what they have to monitor. So that’s a few aspects that we’re going to deal with.


Patrick, thanks for your time.
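As an added illustration of the setup the training walks through (this is not part of the interview, nor the eco/CSA training material), the fragments below show the three pieces Patrick describes on BIND 9: signing the authoritative test zone, switching on validation at the resolver, and publishing a DANE TLSA record for mail transport. The zone name, file path and TLSA digest are placeholders; the dig commands in the comments are the verification step.

```conf
# Added example (not from the interview or the training material).
# Zone name, paths and the TLSA digest are placeholders.

## 1. Authoritative server: sign the test zone with BIND's built-in policy.
##    With dnssec-policy (BIND 9.16+) named generates keys, signs the zone
##    and rolls keys on its own; no manual dnssec-signzone runs needed.
zone "example.test" {
    type primary;
    file "/var/named/example.test.zone";
    dnssec-policy default;     # automatic signing and key rollover
    inline-signing yes;        # unsigned zone file stays editable
};

## 2. Resolver: turn on validation. Only data that fails validation is
##    refused (SERVFAIL); unsigned zones still resolve as insecure, which
##    is why "we will go black" (myth 1) does not hold for the Internet
##    at large, only for individual zones with broken signatures.
options {
    dnssec-validation auto;    # validate using the built-in root trust anchor
};

## 3. DANE for mail transport: a TLSA record for the MX host's certificate.
##    Usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching type
##    1 = SHA-256. The digest below is a placeholder; compute the real one
##    from the server certificate with:
##      openssl x509 -in mail.pem -noout -pubkey \
##        | openssl pkey -pubin -outform DER | openssl dgst -sha256
_25._tcp.mail.example.test. IN TLSA 3 1 1 (
        0000000000000000000000000000000000000000000000000000000000000000 )

## Verification against the local resolver. The "ad" flag in the first
## answer shows the resolver validated the signed zone; the second query
## returns the TLSA record a DANE-aware MTA would use for the MX host.
##   dig +dnssec @127.0.0.1 example.test SOA | grep -i 'flags:.* ad'
##   dig +short @127.0.0.1 _25._tcp.mail.example.test TLSA
```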


Improving Security of Communications – DANE & DNSSEC on stage at M3AAWG