[dns-operations] How much trouble am I in on May 5?
bmanning at vacation.karoshi.com
Wed May 5 09:42:51 UTC 2010
On Mon, May 03, 2010 at 10:30:29PM -0700, David Ulevitch wrote:
> On May 3, 2010, at 7:53 PM, Mark Andrews <marka at isc.org> wrote:
>
> > Until you do this resolvers will just treat your zone
> > as being insecure.
>
> Time will tell if using DNSSEC makes your zone more secure. We don't
> know the answer to that one yet. We know the current DNS security
> model is weak.
>
> For the vast majority of Internet users, May 5th is a day signifying
> nothing. For DNSSEC enabled users, it's a day that marks the removal
> of one of the few remaining hurdles on the road towards having a means
> of validating and verifying DNS responses.
it's worse than that... he's dead, Jim.

the concern is that DNS messages from the root
will exceed the original DNS spec size. e.g.
the messages will be about 800 bytes instead of just less
than 512 bytes.

concerns about PMTU, Fragmentation, EDNS0, and TCP support
all emerge from the existence of larger DNS messages.

that being said, 05may is a first step - the event will
flush out any nodes priming from the root that have path issues.

the second, more subtle event is the cache timeout interval
on the unsigned data - when the IMRs will refresh and find
signed data. this will be ongoing for the next couple weeks.

--bill
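
The size problem described in the message above, as an added example that is not part of the original post: it builds a root priming query with and without an EDNS0 OPT record and classifies how an 800-byte response would reach the querier. The function names, the 4096-byte advertised size, the 1500 and 576 byte path MTUs and the 28-byte IPv4/UDP overhead are assumptions chosen for illustration.

```python
import struct

OPT = 41  # EDNS0 pseudo-RR type (RFC 6891)

def build_query(name, qtype=2, edns_size=None, do_bit=False):
    """DNS query in wire format (default QTYPE 2 = NS); edns_size adds an OPT RR."""
    labels = [l for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    arcount = 1 if edns_size else 0
    msg = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, arcount)  # constructed ID, RD=0
    msg += qname + struct.pack("!HH", qtype, 1)                # QCLASS IN
    if edns_size:
        # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL carries the DO flag
        msg += b"\x00" + struct.pack("!HHIH", OPT, edns_size, 0x8000 if do_bit else 0, 0)
    return msg

def _skip_name(msg, off):
    """Skip an uncompressed owner name (our own queries never use compression)."""
    while msg[off]:
        off += 1 + msg[off]
    return off + 1

def advertised_udp_size(query):
    """UDP payload size the sender accepts: OPT CLASS field, or 512 without EDNS0."""
    qd, an, ns, ar = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(query, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == OPT:
            return max(rclass, 512)               # values below 512 are treated as 512
        off += 10 + rdlen
    return 512

def delivery(query, response_len, path_mtu=1500, overhead=28):
    """Classify how a response of response_len bytes reaches this querier.
    overhead=28 assumes IPv4 without options (20) plus the UDP header (8)."""
    if response_len > advertised_udp_size(query):
        return "tcp"          # server sets TC=1; client must retry over TCP
    if response_len + overhead > path_mtu:
        return "fragmented"   # needs IP fragments to survive the path
    return "udp"

if __name__ == "__main__":
    for label, q, mtu in [("no EDNS0", build_query("."), 1500),
                          ("EDNS0 4096", build_query(".", edns_size=4096, do_bit=True), 1500),
                          ("EDNS0 4096, MTU 576", build_query(".", edns_size=4096), 576)]:
        print(f"{label:22} 800-byte reply -> {delivery(q, 800, mtu)}")
```

A resolver that lands in the "tcp" or "fragmented" case only gets its answer if TCP port 53 or IP fragments are allowed along the path, which is what an operator would check on the firewall in front of it.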