[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver
David Conrad
drc at virtualized.org
Tue May 27 04:07:31 UTC 2008
Mark,
On May 26, 2008, at 6:23 PM, Mark Andrews wrote:
> And if they stuff up their delegation you get the same thing.
Indeed. So, we're adding another configuration knob for folks to
screw up. And when they do, I'd bet your life that the response from
the call center will be "turn off DNSSEC".
> I get very few DNSSEC validation failures. Most of the
> ones I've seen are delegation stuff ups (DSs not matching
> DNSKEYs).
Given the amount of deployment of DNSSEC and who is doing it, the fact
that you're getting _any_ validation failures does not bode well.
> Sure they are non-trivial pieces of code but they only need
> to be written once then linked in. The work has basically
> already been done.
Ignoring the question of whether or not you trust the huge chunk of
non-trivial code written by others to not have vulnerabilities, I'd
point out that the work to add IPv6 has already been done for 10 years
and look how far that has gotten us.
The point I'm trying to make is that, by and large, all we're doing
is adding perceived cost to DNS operations with little (if any)
perceived benefit or reduced risk. Given this, I do not believe
you're going to get any real deployment of DNSSEC. Yes, some folks
will sign their zones. Perhaps even the root will be signed some
day. But given the current state of things, I'm skeptical DNSSEC will
actually be beneficial for much of anything.
Regards,
-drc
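The "DSs not matching DNSKEYs" failure that Mark mentions above is the one a parent-side operator can actually catch before publishing. The following is an added example, not code from the post or from either author: it implements the two RFC 4034 computations a DS check needs (the key tag from Appendix B and the DS digest over canonical owner name plus DNSKEY RDATA from section 5.1.4) and uses them to test whether a DS record refers to a given DNSKEY. The zone name `example.test.` and the public-key bytes are constructed placeholders, not a real key.

```python
"""Check that a DS record at the parent matches the child's DNSKEY (RFC 4034).

Added example for the dns-operations thread above; not the original author's code.
The DNSKEY material below is constructed for illustration and is not a real key.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """RFC 4034 section 5.1.4: digest = H(canonical owner name | DNSKEY RDATA)."""
    return DIGEST_ALGS[digest_type](owner_to_wire(owner) + rdata).digest()


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Build the DS tuple (key tag, algorithm, digest type, hex digest) for a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type).hex())


def ds_matches_dnskey(owner, ds, flags, protocol, algorithm, pubkey_b64) -> bool:
    """True iff the DS tuple refers to this DNSKEY; False on any mismatch or unknown digest type."""
    tag, alg, dtype, digest_hex = ds
    if dtype not in DIGEST_ALGS:
        return False  # cannot verify, so treat as not matching
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (tag == key_tag(rdata)
            and alg == algorithm
            and digest_hex.lower() == ds_digest(owner, rdata, dtype).hex())


# Constructed sample: a KSK (flags 257, protocol 3, algorithm 8) with placeholder key bytes.
ZONE = "example.test."
OLD_KEY_B64 = base64.b64encode(b"constructed placeholder, not a real RSA key (old)").decode()
NEW_KEY_B64 = base64.b64encode(b"constructed placeholder, not a real RSA key (new)").decode()


def delegation_report():
    """Simulate the classic stuff-up: the child rolled its KSK but the parent kept the old DS."""
    parent_ds = make_ds(ZONE, 257, 3, 8, OLD_KEY_B64)
    return {
        "ds_matches_old_key": ds_matches_dnskey(ZONE, parent_ds, 257, 3, 8, OLD_KEY_B64),
        "ds_matches_new_key": ds_matches_dnskey(ZONE, parent_ds, 257, 3, 8, NEW_KEY_B64),
        "ds_matches_wrong_owner": ds_matches_dnskey("other.test.", parent_ds, 257, 3, 8, OLD_KEY_B64),
    }


if __name__ == "__main__":
    for check, ok in delegation_report().items():
        print(f"{check}: {'OK' if ok else 'MISMATCH'}")
```

The report shows why a key rollover without a matching DS update breaks validation: the parent's DS still hashes to the retired key, so every signature chain through the new DNSKEY fails. The owner-name test is there because the digest covers the owner name, so a DS copied between zones will never match even with the right key bytes.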