So last week, on my day off (personal day), I got an email from the Senior Developer. He was asking if we'd be ready for the DNSSEC roll out today. I didn't know.
Came in Monday:
Tested our systems using the directions found on the dns-oarc.net page. It came back saying "X.X.X.X lacks EDNS, defaults to 512"
Call to Cisco. Stayed late working with Cisco TAC Security Engineer to put the work around in for CSCta35563.
Test still failed.
Spent more time testing from both in front and behind the firewall. Found that some of the servers I was using for testing would work, some wouldn't. From both sides of the firewall.
Go back to my office. Start reading up on it. Some sites saying I'd have to upgrade the ios on the firewall to 8.2(2) or newer. Some saying the problem was the DNS server for our internal network not supporting it. Windows 2003.
Came across a test page from RIPE, that said if DNSSEC isn't supported by the resolver don't worry. (We're not using DNSSEC with our 2003 servers as far as I can tell, but I'm not a windows expert).
Built 2 Bind9 based linux servers to handle dns for us, if things break. Has taken most of the morning.
It's after 1pm now, the time that DNSSEC was supposed to roll out, and so far so good. We're not seeing problems yet. People are not screaming yet. the 2 servers are sitting here ready to roll (mostly).
Now it's just a wait and see. Going to wait 24 hours to see what happens.