[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver

Michael Monnerie michael.monnerie at it-management.at
Mon May 26 08:34:17 UTC 2008

On Monday, 26 May 2008 Mark Andrews wrote:
> Unless you have set CD in the query, you will only get
> SERVFAIL on validation failures.

As long as there is (almost) no benefit in DNSSEC, but only lots of work 
to configure it, most people won't use it. When there's no way for 
users to know whether the site they're surfing on is valid or not, DNSSEC 
is of no use for them. There should be an advantage in using DNSSEC 
over normal DNS, the browser being the most prominent target.

I'm almost surely the "smallest fish" on this list regarding DNS, being 
just an admin who tries to keep everything as secure as possible 
without breaking things (too much *eg*). If you only get SERVFAIL on 
invalid answers, users will complain that they cannot reach a site, 
because they can't know better from the error message they get. So 
keeping DNSSEC off is the only option for an ISP today to reduce 
support calls. That should definitely be changed if you want a 
widespread use of DNSSEC. Just my 2¢.

Kind regards, zmi
// Michael Monnerie, Ing.BSc    -----      http://it-management.at
// Tel: 0676/846 914 666                      .network.your.ideas.
// PGP Key:         "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: www.keyserver.net                   Key-ID: 1C1209B4
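
The behaviour discussed in this message (SERVFAIL on validation failure unless CD is set in the query) can be used for diagnosis: ask the same question without and with CD and compare the two replies. The sketch below is an added example, not code from the thread or from any resolver project; the function names, the return strings and the sample reply headers are assumptions constructed for illustration.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, RFC 4035)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
NOERROR, SERVFAIL = 0, 2

def build_query(name, qtype=1, cd=False, txid=0x1234):
    """A query with RD and AD set; AD asks the resolver to report validation
    status (RFC 6840). cd=True adds CD, i.e. 'checking disabled'."""
    flags = RD | AD | (CD if cd else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

def parse_header(msg):
    """Extract RCODE, the AD flag and the answer count from a reply header."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"rcode": flags & 0x000F, "ad": bool(flags & AD), "answers": an}

def classify(reply_default, reply_cd):
    """Compare the replies to the same question sent without and with CD."""
    a, b = parse_header(reply_default), parse_header(reply_cd)
    if a["rcode"] == NOERROR:
        return "validated" if a["ad"] else "resolved, not validated"
    if a["rcode"] == SERVFAIL and b["rcode"] == NOERROR and b["answers"] > 0:
        return "likely DNSSEC validation failure"
    if a["rcode"] == SERVFAIL:
        return "SERVFAIL not explained by validation"
    return "other rcode %d" % a["rcode"]

def ask(resolver_ip, name, cd):
    """Send one UDP query (needs network access; resolver_ip is the caller's choice)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name, cd=cd), (resolver_ip, 53))
        return s.recv(4096)

# Constructed reply headers (12 bytes each), not captured traffic.
SAMPLE_SERVFAIL = struct.pack("!6H", 0x1234, QR | RD | RA | SERVFAIL, 1, 0, 0, 0)
SAMPLE_CD_ANSWER = struct.pack("!6H", 0x1234, QR | RD | RA | CD, 1, 1, 0, 0)
SAMPLE_VALIDATED = struct.pack("!6H", 0x1234, QR | RD | RA | AD, 1, 1, 0, 0)
```

A SERVFAIL that turns into an answer once CD is set points at validation, but it is an indication rather than proof, since a transient upstream failure between the two queries produces the same pattern.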