[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver
Michael Monnerie
michael.monnerie at it-management.at
Mon May 26 08:34:17 UTC 2008
On Monday, 26 May 2008 Mark Andrews wrote:
> Unless you have set CD in the query, you will only get
> SERVFAIL on validation failures.
As long as there is (almost) no benefit in DNSSEC, but only lots of work
to configure it, most people won't use it. When there's no way for
users to know whether the site they're surfing on is valid or not, DNSSEC
is of no use for them. There should be an advantage in using DNSSEC
over normal DNS, the browser being the most prominent target.

I'm almost surely the "smallest fish" on this list regarding DNS, being
just an admin who tries to keep everything as secure as possible
without breaking things (too much *eg*). If you only get SERVFAIL on
invalid answers, users will complain that they cannot reach a site,
because they can't know better from the error message they get. So
keeping DNSSEC off is the only option for an ISP today to reduce
support calls. That should definitely be changed if you want a
widespread use of DNSSEC. Just my 2¢.
Kind regards, zmi
--
// Michael Monnerie, Ing.BSc ----- http://it-management.at
// Tel: 0676/846 914 666 .network.your.ideas.
// PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38 500E CE14 91F7 1C12 09B4
// Keyserver: www.keyserver.net Key-ID: 1C1209B4
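
Added example, not part of the original message: the thread's point is that a validating resolver answers SERVFAIL for bogus data unless the query sets CD, so the error alone does not say why a lookup failed. The Python sketch below shows how a stub or support tool could tell the cases apart from the header bits of a CD=0 answer and a CD=1 retry. Function names, result labels and the sample headers are assumptions constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
NOERROR, SERVFAIL = 0, 2

def build_query(name, qtype=1, cd=False, qid=0x1234):
    """Wire-format query with RD set; cd=True sets Checking Disabled."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg):
    """Return (rcode, ad, cd) of a response; reject short or non-response data."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _, flags = struct.unpack("!HH", msg[:4])
    if not flags & QR:
        raise ValueError("not a response")
    return flags & 0x000F, bool(flags & AD), bool(flags & CD)

def classify(resp_cd0, resp_cd1=None):
    """Interpret the CD=0 answer; use the CD=1 retry to explain a SERVFAIL."""
    rcode, ad, _ = parse_header(resp_cd0)
    if rcode != SERVFAIL:
        # AD set means the resolver validated the answer (or the denial).
        return "validated" if ad else "unvalidated"
    if resp_cd1 is None:
        return "servfail-unknown"
    rcode_cd, _, _ = parse_header(resp_cd1)
    # Data is returned once checking is disabled: most likely the
    # validator rejected it, rather than the upstream being unreachable.
    if rcode_cd == NOERROR:
        return "dnssec-validation-failure"
    return "upstream-failure"

def sample_response(rcode, ad=False, cd=False):
    """Constructed 12-byte response header used as sample input."""
    flags = QR | RD | RA | (AD if ad else 0) | (CD if cd else 0) | rcode
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
```

The AD bit is only meaningful when the path to the resolver is trusted, and data obtained with CD=1 has not been validated, so it is suitable for diagnosis only.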