[dns-operations] Side effects of enabling DNSSEC?

Vernon Schryver vjs at rhyolite.com
Fri Aug 3 10:27:51 UTC 2012


> From: Mohamed Lrhazi <ml623 at georgetown.edu>

> I am learning DNSSEC and was wondering if there was any side effects
> to enabling DNSSEC on a domain, if there were mistakes in the
> configuration?
>
> In other words, if I were to enable DNSSEC on a zone, and miss something,
> could I affect anything other than DNSSEC validation itself? And if I did
> affect it, how bad would that be? And also, how would you go about testing
> that everything is working fine once enabled?

If the signatures don't work, then resolvers that pay attention to
DNSSEC will answer requests for your DNS records with SERVFAIL.

> I guess I should ask the same question about side effects when there are no
> configuration mistakes at all :) Should I expect anything to break because
> now DNSSEC is enabled and working?

More stuff always means more stuff that can and so will break.

I think that there are better questions:
    1. Will you ever enable DNSSEC on your domains?
    2. If so, should you do it now or later?

#1 is for you to answer.
If your answer for #1 is "yes", then the answer for #2 is that you
should join the DNSSEC party yesterday or today at the latest.
Because current versions of BIND pay attention to DNSSEC by default,
ever larger fractions of the Internet and eventually most of it
(well, outside the jurisdictions of 'authoritative regimes')
will penalize DNSSEC errors with SERVFAIL.  I suspect that today only
a large minority of the Internet does that, and so now is the time to learn
from the inevitable mistakes.  Today you might need to use `dig +dnssec`
or `dig +adflag` to see the effects of DNSSEC.  Tomorrow you will need
to use `dig +cdflag` to not see them.

For example, I get a long delay and then SERVFAIL for
`dig www.dnssec-failed.org` from a resolver with the BIND9.9 default
for dnssec-validation.  A real-life (instead of artificial) example
also found on http://www.dnssec.comcast.net/ is the quick SERVFAIL that
I get from `dig usbountyhunters.com`.


Vernon Schryver    vjs at rhyolite.com
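The `+adflag` / `+cdflag` test described above, written up as a small shell helper. This is an added example, not code from the original post or from BIND: it separates "SERVFAIL because validation failed" (SERVFAIL with checking enabled, NOERROR with `+cdflag`) from "SERVFAIL because the zone itself is broken" (SERVFAIL either way). The `dig` header samples embedded below are constructed for offline testing; `check_name` runs the live queries.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): classify a name's DNSSEC
# state from two dig runs, one with +adflag (validating) and one with +cdflag
# (checking disabled), as the reply above suggests.

# Extract the RCODE from a captured dig header line ("status: SERVFAIL, ...").
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# "yes" if the AD (authenticated data) flag is present in the flags line.
dig_ad_set() {
    if printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'; then echo yes; else echo no; fi
}

# $1 = dig output with +adflag, $2 = dig output with +cdflag.
#   secure   : validated answer (NOERROR, AD set)
#   insecure : answer but no AD (zone unsigned, or resolver not validating)
#   bogus    : validation failure only (SERVFAIL, but NOERROR with +cdflag)
#   broken   : SERVFAIL even with checking disabled, so not a DNSSEC problem
classify_dnssec() {
    ad_status=$(dig_status "$1")
    cd_status=$(dig_status "$2")
    if [ "$ad_status" = NOERROR ]; then
        if [ "$(dig_ad_set "$1")" = yes ]; then echo secure; else echo insecure; fi
    elif [ "$ad_status" = SERVFAIL ] && [ "$cd_status" = NOERROR ]; then
        echo bogus
    elif [ "$ad_status" = SERVFAIL ]; then
        echo broken
    else
        echo "${ad_status:-unknown}"
    fi
}

# Live check: check_name NAME [RESOLVER]  (requires dig and network access)
check_name() {
    srv=${2:+@$2}
    classify_dnssec "$(dig $srv +adflag "$1" 2>&1)" "$(dig $srv +cdflag "$1" 2>&1)"
}

# Constructed sample headers (hypothetical ids; not captured from real servers).
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_FAILED_AD=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_FAILED_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
```

Run `check_name www.dnssec-failed.org` against a validating resolver to see the `bogus` case from the post; a name that reports `broken` has a problem that `+cdflag` will not hide.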



More information about the dns-operations mailing list