[dns-wg] Framework for DNSSEC audits
Anne-Marie Eklund-Löwinder
anne-marie.eklund-lowinder at iis.se
Tue Jan 7 09:00:54 CET 2014
> -----Original message-----
> From: dns-wg-bounces at ripe.net [mailto:dns-wg-bounces at ripe.net] On behalf of Ralf Weber
> Sent: 6 January 2014 17:19
> To: Matthijs Mekking
> Cc: dns-wg at ripe.net
> Subject: Re: [dns-wg] Framework for DNSSEC audits
>
> Moin!
>
> On 06 Jan 2014, at 12:33, Matthijs Mekking <matthijs at NLnetLabs.nl> wrote:
>
> > This might be of interest to you. In collaboration with SWITCH, we
> > have developed a DNSSEC audit framework:
> >
> > http://www.nlnetlabs.nl/downloads/publications/dns-audit-framework-1.0.pdf
> >
> > The scope of the framework is largely based on the documents RFC 2870,
> > RFC 6841, RFC 6781 and the Secure Domain Name System (DNS) Deployment
> > Guide from NIST.
> >
> > Having this publicly available we believe it will improve the
> > deployment of DNSSEC.
> I admire your efforts and the document is well written from my quick
> glancing over it. But we IMHO need a big boilerplate upfront that this is
> not needed for deploying DNSSEC. The document might be good for TLD and
> registries/registrars with huge security requirements. But if we want to
> get widespread deployment we need to get further down the tree and wider.
> And my fear is that such a document can cause people to delay or not do
> DNSSEC deployments as the requirements (based on this document) are huge
> (none of my currently signed domains would pass an audit).
>
> I will add it to my reading list for a more detailed review.

I've read the document carefully, and from my perspective, this is exactly what you need to make sure that a specific DNSSEC implementation put up to the requirements that are addressed, no matter the kind of organization. The audit framework must be able to cover all kinds of implementations, from registry and registrar down to a smaller entity. But doing an audit gives you the freedom to express when a requirement is applicable or not, imho that is.

Kind regards,

Anne-Marie Eklund Löwinder
Chief Information Security Officer
.SE