[dns-operations] Some DNSSEC trivia
Edward Lewis
Ed.Lewis at neustar.biz
Thu Jan 3 16:51:59 UTC 2008
At 11:13 +1100 1/3/08, Mark Andrews wrote:

> All it requires is the will to let it happen.

Yes, there's no will, no widespread "gotta have it even though I
don't know how it works" will.

But DNSSEC is neither a waste nor a broken technology. The lack of
will to deploy is because the world has changed, not DNSSEC's
inherent nature.

When DNSSEC was first developed it proposed to add a great deal of
security to DNS. During the time (years) needed to scope, define,
refine, and try to deploy DNSSEC, "plain" DNS was simultaneously
upgraded in many ways including security. Plus the environment in
which DNS is operated has changed. What's happened over time is that
the incremental value of what DNSSEC added has shrunk because DNS has
risen to cover part of the increment and "the requirements have
changed."

DNSSEC has already paid off in securing the DNS. The payoff is
embodied in BIND 9 and spin offs from that. The payoff is also
embodied in documents clarifying and updating the original
specification.

BIND 9 is directly a product of the DNSSEC effort. BIND 8 and older
versions in retrospect were hacks good enough to get the DNS job done
but not good enough to be secure and extensible. BIND 9 was funded
to be a basis for DNSSEC and along the way represented a new
engineering of the entire code base.

While BIND 9 is not the reference implementation, other
implementations have been re-fitted or built to meet the way it
works. I know of one other DNS implementation that had to
re-architect for DNSSEC and in the process cleaned up corner cases it
didn't have right. And many of the BIND 9 implementation team went
on to build commercial DNS products. Neither of those two cases are
NSD.

DNSSEC has brought more rigor to the specifications for DNS. If it
weren't for DNSSEC, the IETF's DNSEXT WG would have folded a long
time ago without revisiting wild cards, DNAME, EDNS0, IANA
Instructions, etc.

DNSSEC has already been a success. I don't think the lack of will is
a bad thing or a sign of failure. But until there's a will, what can
be done besides advertising and marketing?
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Think glocally. Act confused.