[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver

David Conrad drc at virtualized.org
Tue May 27 00:44:55 UTC 2008


On May 26, 2008, at 3:18 PM, Mark Andrews wrote:
>> If you only get SERVFAIL on
>> invalid answers, users will complain that they cannot reach a site,
>> because they can't know better from the error message they get. So
>> keeping DNSSEC off is the only option for an ISP today to reduce
>> support calls. That should definitely be changed if you want a
>> widespread use of DNSSEC.
> 	You do not get answers that failed to validate.

This is, I believe, the problem.  Instead of getting an indication  
that validation failed, you get the same response you'd get if someone  
unplugged your router.  This will result in support calls which will  
result in caching server operators turning off DNSSEC.

> 	If you want to process answers that failed to validate set
> 	CD=1 and DO=1 and provide the application with its own trust
> 	anchors.  The application is then fully DNSSEC aware.

You forgot the part about the application having an actual validator  
embedded in it.  As you are no doubt aware, validators are non-trivial  
hunks of code (with all that entails).


More information about the dns-operations mailing list