[dns-operations] Odd behaviour on one node in I root-server (facebook, youtube & twitter)

Marco Davids (SIDN) marco.davids at sidn.nl
Wed Mar 31 09:44:01 UTC 2010


Lindqvist Kurt Erik wrote:

> Had the responses to the queries been signed
> with DNSSEC, and had the DNSSEC protocol been observed in the
> recipient end, it would have been obvious to the recipient that the
> data received was not the data published by the zone maintainers.

All fine and good, and I understand the desire to promote DNSSEC. This
argument is absolutely valid.

But still... it is only half the truth in my opinion.

For the sake of proper expectation management, the statement would have
been more accurate if it had also been explicitly stated that DNSSEC
would not have helped enough in this particular case, just as was done
with the remark about the use of RPKI. A bogus answer is still bogus and
won't bring you where you want to go, whether it is authenticated or not.

Until validating resolvers retry at a completely different name server
in such a case, in order to try to fix what is broken, DNSSEC just allows
you to discover that you have been fubared. Nothing more, nothing less.

Regards,

--
Marco
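The following Python sketch is an added illustration of the point made above; it is not part of Marco's message and does not model any real resolver. A keyed HMAC under a constructed zone key stands in for the DNSKEY/RRSIG chain, and the server names, the hijacked-node answer and the addresses are all made up for the example. It contrasts a non-validating resolver, a validating resolver that fails closed on a bogus answer (what the post describes), and a hypothetical validator that retries at a different server after validation fails.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the zone's signing key. In real DNSSEC this is a
# DNSKEY verified via a DS chain to the trust anchor; HMAC is used here only
# so that the example runs offline.
ZONE_KEY = b"example-zone-signing-key"


def sign_rrset(name: str, rrtype: str, rdata: str) -> str:
    """Stand-in for an RRSIG over one RRset (assumption: HMAC, not RSA/ECDSA)."""
    msg = f"{name}|{rrtype}|{rdata}".encode()
    return hmac.new(ZONE_KEY, msg, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Answer:
    name: str
    rrtype: str
    rdata: str
    rrsig: str


def validate(ans: Answer) -> bool:
    """A validating resolver's check: does the signature match the data?"""
    expected = sign_rrset(ans.name, ans.rrtype, ans.rrsig and ans.rdata)
    return hmac.compare_digest(expected, ans.rrsig)


# Constructed answers: the genuine one carries a valid signature, the one from
# the hijacked node carries data the zone never published and no valid RRSIG.
GENUINE = Answer("www.example.", "A", "192.0.2.10",
                 sign_rrset("www.example.", "A", "192.0.2.10"))
HIJACKED = Answer("www.example.", "A", "203.0.113.99", "0" * 64)

# Constructed server set: the first server a resolver happens to pick has been
# hijacked; the second returns the data the zone maintainers published.
SERVERS = {"ns-hijacked": HIJACKED, "ns-good": GENUINE}


def resolve_without_validation(servers, order):
    """No DNSSEC: whatever the first server says is handed to the client."""
    ans = servers[order[0]]
    return ("NOERROR", ans.rdata)


def resolve_fail_closed(servers, order):
    """Validating resolver as described in the post: a bogus answer is
    detected, but the client only learns that something is broken."""
    ans = servers[order[0]]
    if not validate(ans):
        return ("SERVFAIL", None)
    return ("NOERROR", ans.rdata)


def resolve_with_retry(servers, order):
    """Hypothetical validator that tries another server after a bogus answer.
    This is the behaviour the post says resolvers do not yet have."""
    for server in order:
        ans = servers[server]
        if validate(ans):
            return ("NOERROR", ans.rdata)
    return ("SERVFAIL", None)


if __name__ == "__main__":
    order = ["ns-hijacked", "ns-good"]
    print("no validation :", resolve_without_validation(SERVERS, order))
    print("fail closed   :", resolve_fail_closed(SERVERS, order))
    print("retry elsewhere:", resolve_with_retry(SERVERS, order))
```

Run stand-alone, the three lines show the distinction the post is making: without validation the client silently gets the hijacked address, with validation it gets SERVFAIL, and only the retry variant actually delivers the published address.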

