[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver
drc at virtualized.org
Tue May 27 04:07:31 UTC 2008
On May 26, 2008, at 6:23 PM, Mark Andrews wrote:
> And if they stuff up their delegation you get the same thing.
Indeed. So, we're adding another configuration knob for folks to
screw up. And when they do, I'd bet your life that the response from
the call center will be "turn off DNSSEC".
> I get very few DNSSEC validation failures. Most of the
> ones I've seen are delegation stuff ups (DSs not matching
Given the amount of deployment of DNSSEC and who is doing it, the fact
that you're getting _any_ validation failures does not bode well.
> Sure they are non-trivial pieces of code but they only need
> to be written once then linked in. The work has basically
> already been done.
Ignoring the question of whether or not you trust the huge chunk of
non-trivial code written by others to not have vulnerabilities, I'd
point out that the work to add IPv6 has already been done for 10 years
and look how far that has gotten us.
The point I'm trying to make is that all by and large, all we've doing
is adding perceived cost to DNS operations with little (if any)
perceived benefit or reduced risk. Given this, I do not believe
you're going to get any real deployment of DNSSEC. Yes, some folks
will sign their zones. Perhaps even the root will be signed some
day. But given the current state of things, I'm skeptical DNSSEC will
actually be beneficial for much of anything.
More information about the dns-operations