[as112-ops] DNSSEC?
William F. Maton
wmaton at ottix.net
Wed Jan 13 00:30:51 UTC 2010
On Fri, 8 Jan 2010, Marco Davids wrote:
> Op 8-1-2010 10:30, schreef Shane Kerr:
>
>>> I was wondering: are there any plans to deploy DNSSEC on the AS112
>>> served zones in the future, including 'hostname.as112.net' itself?
>
>>> (would it have added value to do so?)
>
>> Seriously though, I don't see much added value
>
> My reason for asking was: appearantly quite a number of DNS-queries end
> up on the AS112 nameservers, resulting in a reply. Could a bad person
> take advantage of that, by returning spoofed answers to those queries?
> If such an 'attack' is conceivable, than it might make sense to sign the
> AS112 zones as well.
Joe and I had shared some notes privately (two years ago I think?)
regarding DNSSEC and AS112 (besides IPv6 anycast) and concluded IIRC that
it didn't make sense. Now granted a lot of water has passed under the
bridge so maybe it's time to revisit that. There's a point to be made
about being SOA for those zones (and may be others, who know?) and using
DNSSEC. On the other hand, it is junk traffic. One could say who cares
about it's validation, others say it may be junk, but there's still
authority.
Is there something to be specifically solved by deploying DNSSEC for AS112?
(just asking to entice some discussion here by the AS112 operators)
wfms
More information about the as112-ops
mailing list