[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver
drc at virtualized.org
Tue May 27 00:44:55 UTC 2008
On May 26, 2008, at 3:18 PM, Mark Andrews wrote:

>> If you only get SERVFAIL on
>> invalid answers, users will complain that they cannot reach a site,
>> because they can't know better from the error message they get. So
>> keeping DNSSEC off is the only option for an ISP today to reduce
>> support calls. That should definitely be changed if you want a
>> widespread use of DNSSEC.

> You do not get answers that failed to validate.

This is, I believe, the problem. Instead of getting an indication
that validation failed, you get the same response you'd get if someone
unplugged your router. This will result in support calls which will
result in caching server operators turning off DNSSEC.

> If you want to process answers that failed to validate set
> CD=1 and DO=1 and provide the application with its own trust
> anchors. The application is then fully DNSSEC aware.

You forgot the part about the application having an actual validator
embedded in it. As you are no doubt aware, validators are non-trivial
hunks of code (with all that entails).
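As an added example, not part of this thread or any resolver's code: a standard-library Python script that builds the CD=1/DO=1 query Mark describes and classifies a response header, showing why a stub that sees a bare SERVFAIL cannot tell a validation failure from an unreachable upstream. The sample responses are constructed inline; no network is used.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 3225).
FLAG_RD = 1 << 8          # recursion desired
FLAG_AD = 1 << 5          # authentic data: resolver says the answer validated
FLAG_CD = 1 << 4          # checking disabled: hand back data even if it failed validation
RCODE_SERVFAIL = 2
EDNS_DO = 1 << 15         # DO is the top bit of the OPT RR's 32-bit TTL field
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def encode_name(name):
    """Turn 'example.com.' into DNS wire labels: \\x07example\\x03com\\x00."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=TYPE_A, txid=0x1234, cd=True, do=True):
    """Wire-format query. cd=True sets CD=1; do=True appends an OPT RR with DO=1.
    Together they tell a validating resolver: include the DNSSEC records and do not
    withhold answers that failed your validation, the client will validate itself."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if do:
        # OPT RR: root name, type 41, UDP payload size in the CLASS field, DO in TTL, empty RDATA
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt

def classify_response(msg):
    """Read the 12-byte header of a response and say what a stub can learn from it."""
    _txid, flags, *_counts = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0xF == RCODE_SERVFAIL:
        # The thread's complaint: a failed validation and a dead upstream look identical here.
        return "servfail"
    if flags & FLAG_AD:
        return "validated"    # only trustworthy if the path to the resolver is itself trusted
    return "unvalidated"      # with CD=1 this may be bogus data; a local validator must check it

# Constructed sample response headers (no network): QR|RD|RA plus the bits of interest.
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8180 | RCODE_SERVFAIL, 1, 0, 0, 0)
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180 | FLAG_AD, 1, 1, 0, 0)
SAMPLE_CD_ANSWER = struct.pack("!HHHHHH", 0x1234, 0x8180 | FLAG_CD, 1, 1, 0, 0)

if __name__ == "__main__":
    print(build_query("example.com.").hex())
    for sample in (SAMPLE_SERVFAIL, SAMPLE_VALIDATED, SAMPLE_CD_ANSWER):
        print(classify_response(sample))
```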