[dns-operations] Some DNSSEC trivia
Ed.Lewis at neustar.biz
Thu Jan 3 16:51:59 UTC 2008
At 11:13 +1100 1/3/08, Mark Andrews wrote:
> All it requires is the will to let it happen.
Yes, there's no will, no widespread "gotta have it even though I
don't know how it works" will.
But DNSSEC is neither a waste nor a broken technology. The lack of
will to deploy is because the world has changed, not DNSSEC's
When DNSSEC was first developed it proposed to add a great deal of
security to DNS. During the time (years) needed to scope, define,
refine, and try to deploy DNSSEC, "plain" DNS was simultaneously
upgraded in many ways including security. Plus the environment in
which DNS is operated has changed. What's happened over time is that
the incremental value of what DNSSEC added has shrunk because DNS has
risen to cover part of the increment and "the requirements hav
DNSSEC has already paid off in securing the DNS. The payoff is
embodied in BIND 9 and spin offs from that. The payoff is also
embodied in documents clarifying and updating the original
BIND 9 is directly a product of the DNSSEC effort. BIND 8 and older
versions in retrospect were hacks good enough to get the DNS job done
but not good enough to be secure and extensible. BIND 9 was funded
to be a basis for DNSSEC and along the way represented a new
engineering of the entire code base.
While BIND 9 is not the reference implementation, other
implementations have been re-fitted or built to meet the way it
works. I know of one other DNS implementation that had to
re-architect for DNSSEC and in the process cleaned up corner cases it
didn't have right. And many of the BIND 9 implementation team went
on to build commercial DNS products. Neither of those two cases are
DNSSEC has brought more rigor to the specifications for DNS. If it
weren't for DNSSEC, the IETF's DNSEXT WG would have folded a long
time ago without revisiting wild cards, DNAME, EDNS0, IANA
DNSSEC has already been a success. I don't think the lack of will is
a bad thing or a sign of failure. But until there's a will, what can
be done besides advertising and marketing?
Edward Lewis +1-571-434-5468
Think glocally. Act confused.
More information about the dns-operations