[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver

David Conrad drc at virtualized.org
Tue May 27 05:01:11 UTC 2008


On May 26, 2008, at 9:40 PM, Mark Andrews wrote:
>> Given the amount of deployment of DNSSEC and who is doing it, the fact
>> that you're getting _any_ validation failures does not bode well.
> 	Paul's the main culprit :-)


>> Ignoring the question of whether or not you trust the huge chunk of
>> non-trivial code written by others to not have vulnerabilities, I'd
>> point out that the work to add IPv6 has already been done for 10 years
>> and look how far that has gotten us.
> 	The biggest stumbling block with DNS and IPv6 was the root.

To clarify, I was speaking of IPv6 as a whole (not just IPv6 DNS).

> 	And I suspect people will stay skeptical until the root is
> 	signed.

% dig @ns.iana.org . axfr

> 	What we need now is for the root operators to do what they
> 	did with IPv6 and supply a test service for DNSSEC.  This
> 	would be a natural expansion of IANA's DNSSEC test which
> 	needs more than a single server.

I gave up on my attempts to get a DNSSEC root infrastructure deployed
due to some rather depressing layer 9 issues.  I'll let somebody else
tilt at that particular windmill if they so desire.  The machines
behind ns.iana.org and the (rather elaborate, arguably way
over-engineered, and extremely secure) signing infrastructure will continue
to operate if people want to make use of it.
