[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver

Mark Andrews Mark_Andrews at isc.org
Tue May 27 04:40:42 UTC 2008


> Mark,
> 
> On May 26, 2008, at 6:23 PM, Mark Andrews wrote:
> > 	And if they stuff up their delegation you get the same thing.
> 
> Indeed.  So, we're adding another configuration knob for folks to  
> screw up.  And when they do, I'd bet your life that the response from  
> the call center will be "turn off DNSSEC".
> 
> > 	I get very few DNSSEC validation failures.  Most of the
> > 	ones I've seen are delegation stuff ups (DSs not matching
> > 	DNSKEYs).
> 
> Given the amount of deployment of DNSSEC and who is doing it, the fact  
> that you're getting _any_ validation failures does not bode well.

	Paul's the main culprit :-)
 
> > 	Sure they are non-trivial pieces of code but they only need
> > 	to be written once then linked in.  The work has basically
> > 	already been done.
> 
> Ignoring the question of whether or not you trust the huge chunk of  
> non-trivial code written by others to not have vulnerabilities, I'd  
> point out that the work to add IPv6 has already been done for 10 years  
> and look how far that has gotten us.

	The biggest stumbling block with DNS and IPv6 was the root.

	Everybody waited for the root to be served over IPv6 as
	what is the point of trying to run an IPv6-only network when
	I can't even make my DNS lookups over IPv6.  People didn't
	complain about problems further down the tree because you
	had to do root lookups over IPv4.

	You will notice that people started to complain about
	problems further down the tree once the roots were served
	over IPv6.  The obvious comeback was no longer there.

> The point I'm trying to make is that, by and large, all we're doing  
> is adding perceived cost to DNS operations with little (if any)  
> perceived benefit or reduced risk.  Given this, I do not believe  
> you're going to get any real deployment of DNSSEC.  Yes, some folks  
> will sign their zones.  Perhaps even the root will be signed some  
> day.  But given the current state of things, I'm skeptical DNSSEC will  
> actually be beneficial for much of anything.

	And I suspect people will stay skeptical until the root is
	signed.

	What we need now is for the root operators to do what they
	did with IPv6 and supply a test service for DNSSEC.  This
	would be a natural expansion of IANA's DNSSEC test which
	needs more than a single server.

	Mark

> Regards,
> -drc
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
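The "DSs not matching DNSKEYs" delegation failure mentioned above can be caught before the DS is published by recomputing it from the child's DNSKEY (RFC 4034 key tag, RFC 4509 SHA-256 digest) and comparing. The following is an added example, not code from the thread or from ISC; the owner name and key material are constructed sample values and the function names are my own.

```python
"""Recompute a DS record from a DNSKEY and compare it with the DS the parent holds."""
import base64
import hashlib
import struct

# Digest types from the IANA DS registry that hashlib can supply directly.
DIGEST = {1: "sha1", 2: "sha256", 4: "sha384"}

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lower-cased, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire: flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """Return (key tag, algorithm, digest type, hex digest), i.e. the DS the parent should publish."""
    h = hashlib.new(DIGEST[digest_type])
    h.update(owner_wire(owner) + rdata)  # digest covers owner name plus the whole DNSKEY RDATA
    return key_tag(rdata), rdata[3], digest_type, h.hexdigest().upper()

def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """True only if the published DS was derived from exactly this DNSKEY at this owner name."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST:          # unknown digest type: cannot validate, treat as mismatch
        return False
    return make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.upper())

if __name__ == "__main__":
    # Constructed sample: a KSK (flags 257) with a 16-byte placeholder key, algorithm 13.
    ksk = dnskey_rdata(257, 3, 13, "AAECAwQFBgcICQoLDA0ODw==")
    published = make_ds("example.test.", ksk)
    print("DS the parent should hold:", published)
    # A key rolled without updating the parent: the old DS no longer matches.
    rolled = dnskey_rdata(257, 3, 13, "AAECAwQFBgcICQoLDA0OEA==")
    print("old DS still matches new key?", ds_matches("example.test.", rolled, published))
```

Running this against the DNSKEY a zone actually serves and the DS its parent returns reproduces the check a validating resolver performs at the delegation point.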