[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver

Mark Andrews Mark_Andrews at isc.org
Mon May 26 22:18:57 UTC 2008


> On Monday, 26 May 2008 Mark Andrews wrote:
> > Unless you have set CD in the query, you will only get
> > SERVFAIL on validation failures.
> 
> As long as there is (almost) no benefit in DNSSEC, but only lots of work
> to configure it, most people won't use it. When there's no way for
> users to know whether the site they're surfing on is valid or not, DNSSEC
> is of no use for them. There should be an advantage in using DNSSEC
> over normal DNS, the browser being the most prominent target.
> 
> I'm almost sure I'm the "smallest fish" on this list regarding DNS, being
> just an admin who tries to keep everything as secure as possible
> without breaking things (too much *eg*). If you only get SERVFAIL on
> invalid answers, users will complain that they cannot reach a site,
> because they can't know better from the error message they get. So
> keeping DNSSEC off is the only option for an ISP today to reduce
> support calls. That should definitely be changed if you want a
> widespread use of DNSSEC. Just my 2¢.
 
	You get secure validated answers with "AD=1" if requested
	(DO or AD set in the query).
	You get insecure answers with "AD=0".
	You do not get answers that failed to validate.

	If you want to process answers that failed to validate set
	CD=1 and DO=1 and provide the application with its own trust
	anchors.  The application is then fully DNSSEC aware.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
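The header bits Mark describes (AD and CD in the DNS header, DO in the EDNS0 OPT record) are easy to get wrong when writing or reading a stub resolver, so the following is an added, self-contained Python example, not code from this thread or from ISC. It builds a query with DO set and optionally CD set, and classifies a response the way a validating recursive server's client would see it: AD=1 for validated data, AD=0 for insecure data, and SERVFAIL when validation failed. The function names (`build_query`, `parse_query_flags`, `classify_response`) and the constructed response headers are this example's own; no network traffic is sent. The caveat the example makes explicit is the one the quoted admin is complaining about: with CD=0 the stub cannot tell a validation failure apart from any other upstream SERVFAIL.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the DO bit of the
# EDNS0 OPT record, which lives in the OPT RR's TTL field (RFC 3225).
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020   # Authentic Data: set by a validator on validated answers
FLAG_CD = 0x0010   # Checking Disabled: "give me the data even if it fails to validate"
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
EDNS_DO = 0x80000000  # DNSSEC OK, top bit of the 32-bit OPT TTL field
TYPE_OPT = 41


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, cd=False, do=True):
    """Build a query. CD goes in the header; DO needs an EDNS0 OPT record."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    arcount = 1 if do else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if do:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/DO, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return msg


def parse_query_flags(msg):
    """Return which of CD (header) and DO (OPT record) a query actually sets."""
    _, flags, _, _, _, arcount = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    while msg[pos] != 0:          # skip the question name's labels
        pos += 1 + msg[pos]
    pos += 1 + 4                  # root terminator + QTYPE/QCLASS
    do = False
    for _ in range(arcount):
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        if rtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)
        pos += 11 + rdlen
    return {"cd": bool(flags & FLAG_CD), "do": do}


def classify_response(msg):
    """Classify a response header the way a non-validating stub can.

    'validated'  : RCODE=0 and AD=1, the recursive server validated the data
    'insecure'   : RCODE=0 and AD=0, data from an unsigned zone (or no DO asked)
    'servfail'   : could be a validation failure, could be any other server
                   problem; a CD=0 stub cannot tell the two apart
    'other-rcode': NXDOMAIN, REFUSED, etc.
    """
    _, flags, _, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & RCODE_MASK
    if rcode == RCODE_SERVFAIL:
        return "servfail"
    if rcode != RCODE_NOERROR:
        return "other-rcode"
    return "validated" if flags & FLAG_AD else "insecure"


def make_response_header(txid, rcode, ad):
    """Constructed response header (no RRs) for demonstrating classification."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (rcode & RCODE_MASK)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


if __name__ == "__main__":
    q = build_query("example.com", cd=True)
    print("query flags:", parse_query_flags(q))
    for label, resp in [("validated", make_response_header(1, 0, True)),
                        ("insecure", make_response_header(1, 0, False)),
                        ("servfail", make_response_header(1, 2, False))]:
        print(label, "->", classify_response(resp))
```

Setting CD=1 and DO=1, as Mark says, moves the validation burden onto the application: it will then receive the RRSIG and DNSKEY records for data that a validating resolver would have suppressed, and must check them against its own trust anchors. This example stops at the header bits and does not implement that validation.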