[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver
drc at virtualized.org
Tue May 27 05:01:11 UTC 2008
On May 26, 2008, at 9:40 PM, Mark Andrews wrote:
>> Given the amount of deployment of DNSSEC and who is doing it, the
>> fact that you're getting _any_ validation failures does not bode well.
> Paul's the main culprit :-)
>> Ignoring the question of whether or not you trust the huge chunk of
>> non-trivial code written by others to not have vulnerabilities, I'd
>> point out that the work to add IPv6 has already been done for 10
>> and look how far that has gotten us.
> The biggest stumbling block with DNS and IPv6 was the root.
To clarify, I was speaking of IPv6 as a whole (not just IPv6 DNS).
> And I suspect people will stay skeptical until the root is
% dig @ns.iana.org . axfr
> What we need now is for the root operators to do what they
> did with IPv6 and supply a test service for DNSSEC. This
> would be a natural expansion of IANA's DNSSEC test which
> needs more than a single server.
I gave up on my attempts to get a DNSSEC root infrastructure deployed
due to some rather depressing layer 9 issues. I'll let somebody else
tilt at that particular windmill if they so desire. The machines
behind ns.iana.org and the (rather elaborate, arguably way
over-engineered, and extremely secure) signing infrastructure will continue
to operate if people want to make use of it.
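As an added example (not part of this thread, and not IANA's code), a small Python check that reads dig AXFR-style zone output and reports what the "is the root signed?" question turns on: DNSKEY plus a covering RRSIG at the apex, and which delegations carry DS records. The sample zone text is constructed and its keys, signatures and delegations are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the presentation format "dig @server . axfr" prints.
# Owner names, TTLs, key material and signatures are made up, not real data.
SAMPLE_AXFR = """\
.\t86400\tIN\tSOA\ta.root-servers.net. hostmaster.example. 1 1800 900 604800 86400
.\t86400\tIN\tNS\ta.root-servers.net.
.\t86400\tIN\tDNSKEY\t257 3 8 AwEAAexampleKSK==
.\t86400\tIN\tDNSKEY\t256 3 8 AwEAAexampleZSK==
.\t86400\tIN\tRRSIG\tDNSKEY 8 0 86400 20080701000000 20080601000000 12345 . c2lnbmF0dXJl
.\t86400\tIN\tRRSIG\tSOA 8 0 86400 20080701000000 20080601000000 12345 . c2lnbmF0dXJl
se.\t172800\tIN\tNS\ta.ns.se.
se.\t86400\tIN\tDS\t12345 8 2 0123456789abcdef
se.\t86400\tIN\tRRSIG\tDS 8 1 86400 20080701000000 20080601000000 12345 . c2lnbmF0dXJl
com.\t172800\tIN\tNS\ta.gtld-servers.net.
.\t86400\tIN\tSOA\ta.root-servers.net. hostmaster.example. 1 1800 900 604800 86400
"""

# owner  TTL  IN  TYPE  RDATA  (the dig presentation format, one RR per line)
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")

def parse_zone(text):
    """Return {owner: {rrtype: [rdata, ...]}} from dig-style zone output."""
    zone = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # skip blanks and dig comments
            continue
        m = RR_LINE.match(line)
        if m:
            owner, rrtype, rdata = m.groups()
            zone[owner.lower()][rrtype.upper()].append(rdata)
    return zone

def signing_status(text, apex="."):
    """Summarise whether the apex is signed and which delegations have DS."""
    zone = parse_zone(text)
    apex_rrs = zone.get(apex, {})
    # The type covered by an RRSIG is the first field of its RDATA.
    covered = {r.split()[0].upper() for r in apex_rrs.get("RRSIG", [])}
    delegations = {o: rrs for o, rrs in zone.items() if o != apex and rrs.get("NS")}
    return {
        "apex_signed": bool(apex_rrs.get("DNSKEY")) and "DNSKEY" in covered,
        "secure_delegations": sorted(o for o, rrs in delegations.items() if rrs.get("DS")),
        "insecure_delegations": sorted(o for o, rrs in delegations.items() if not rrs.get("DS")),
    }
```

Feed it the output of `dig @<server> . axfr` (where the server permits transfers) to see at a glance whether the apex is signed and which TLDs have a chain of trust.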