DNS Security Extensions (DNSSEC) is a critical part of the BIND 9.x server, though DNSSEC itself is not yet widely deployed. DNSSEC offers a mechanism for digitally signing a domain name to ensure its authenticity. The technology has been widely hailed as the ultimate solution to the Kaminsky DNS flaw.
However, among the major top-level domains, only .org is currently signed for DNSSEC. In BIND 10, a key goal is to make it easier for DNS administrators to actually manage DNSSEC. Kerr said it'll do that by improving usability.
"There is a lot of missing functionality for DNSSEC, such as full automation of DNSSEC," he said.
Kerr explained that with BIND 10, it may be as simple as clicking the "sign this zone" button on the administration interface to implement DNSSEC.
It will also provide handholding to admins in other ways.
"BIND 10 might warn administrators when signatures are soon to expire, or indeed have expired," Kerr said.
Release date?
In terms of timing for the actual BIND 10 release, Kerr said that the first deliverable is an authoritative-only server, which is scheduled to be delivered a year from now. "We expect the total development to take five years, at which point the software will enter maintenance as a relatively mature product," Kerr said.
The challenges in building the new BIND 10 server are as much about the new technology as they are about keeping existing BIND 9 users happy.
"BIND 9 is the most successful piece of DNS software ever written," Kerr said. "ISC needs to ensure that BIND 9 users are happy until BIND 10 is ready to replace it. This means there is a tension between improving the 'old' product and working on the 'new' one."
"One of the goals of BIND 10 is that it will be a 100 percent drop-in replacement for BIND 9, but there is always resistance to change in the computer world," he added.
Source: Sean Michael Kerner, Retrieved on June 11, 2009 from internetnews.com/infra/article.php/3824651/BIND%2010%20Set%20to%20Update%20DNS.htm