[dns-operations] thoughts on DNSSEC

Vernon Schryver vjs at rhyolite.com
Wed Jul 18 13:55:50 UTC 2012


I've thought of a bigger, painfully obvious reason why "send mail to
support" is an unacceptable answer from a registrar for DNSSEC.  If
something happens that breaks DNSSEC validation, your entire domain
will be hosed for the 48 or more hours (e.g. over a long weekend) that
must be allowed for a mail support cycle.  If your registrar fat fingers
your DS RRs or you lose your key pair in a disk crash, your domain is
dead.  Given that standard anti-spam checks validate envelope domain names,
it is possible that you won't even be able to send mail to your registrar
except from a free mail provider or other third party account, worsening
the authentication and authorization concerns of changing keys by mail.
Today you can fix broken glue or delegations in minutes, but "send
mail to support for DNSSEC" sends you back to the bad old days decades
ago when a misplaced invoice or broken authoritative servers would
put you off the net for days.

It might not be quite that bad if your web users and mail recipients
are using old DNS resolvers.  But if they're using current code with
defaults such as BIND's "dnssec-enable yes", "dnssec-validation yes",
and "dnssec-accept-expired no", they'll get the nothing I get from
http://www.dnssec-failed.com.


A second thought is prompted by Verisign's DNSSEC Scoreboard
http://scoreboard.verisignlabs.com/
http://scoreboard.verisignlabs.com/count-trace.png
http://scoreboard.verisignlabs.com/percent-trace.png
Those suggest that a smaller than trivial number of com and net
domains are currently signed, but that they've doubled in the last
couple of months.  There are a lot of com domains, but a doubling
time of 60 days wouldn't take long to make a big dent.


Vernon Schryver    vjs at rhyolite.com
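The "registrar fat fingers your DS RRs" failure above is one that a zone operator can check for before the parent publishes anything: compute the DS from the KSK's own DNSKEY and compare it, byte for byte, with what the registrar shows back. The following is an added example, not code from the post nor from BIND or any registrar tooling. It uses only the Python standard library, computes the RFC 4034 key tag and the DS digest over the canonical owner name plus DNSKEY RDATA (RFC 4034 section 5.1.4, SHA-256 per RFC 4509), and compares the result with a DS in presentation form ("tag algorithm digest-type hex"). The key material is constructed from a hash, labelled as such, and is not a real cryptographic key; only the tag and digest arithmetic are exercised.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s.6.2):
    lowercase, length-prefixed labels, terminated by the root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            if not 0 < len(label) < 64:
                raise ValueError(f"bad label in {name!r}")
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except obsolete RSA/MD5):
    sum even-offset bytes shifted left by 8 and odd-offset bytes as-is,
    fold the carry back in, keep the low 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str, digest_type: int = 2):
    """Return (key_tag, algorithm, digest_type, DIGEST_HEX) for a DNSKEY,
    i.e. exactly the fields the parent zone publishes in the DS RR."""
    pubkey = base64.b64decode("".join(pubkey_b64.split()))
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(expected, published: str) -> bool:
    """Compare a computed DS tuple with a DS in presentation form as a
    registrar UI or `dig DS` shows it, e.g. '12345 8 2 AB12...'.  The hex
    may be split by whitespace; case is ignored."""
    parts = published.split()
    if len(parts) < 4:
        return False
    try:
        tag, alg, dtype = int(parts[0]), int(parts[1]), int(parts[2])
    except ValueError:
        return False
    digest = "".join(parts[3:]).upper()
    return (tag, alg, dtype, digest) == tuple(expected)


# Constructed key material: a SHA-512 output stands in for an RSA public key
# blob so the example runs offline.  It is NOT a usable signing key.
CONSTRUCTED_KEY_B64 = base64.b64encode(
    hashlib.sha512(b"constructed example key, not a real KSK").digest()
).decode()


def demo():
    # Flags 257 = ZONE + SEP, protocol 3, algorithm 8 = RSASHA256.
    ds = ds_from_dnskey("example.com.", 257, 3, 8, CONSTRUCTED_KEY_B64)
    correct = "%d %d %d %s" % ds
    # A single transposed hex character: what a fat-fingered DS looks like.
    fat_fingered = correct[:-2] + correct[-1] + correct[-2]
    return ds, ds_matches(ds, correct), ds_matches(ds, fat_fingered)


if __name__ == "__main__":
    ds, ok, bad = demo()
    print("computed DS:", "%d %d %d %s" % ds)
    print("registrar copy matches:", ok, "| one char off matches:", bad)
```

Run it against a real key by pasting the DNSKEY fields from your own zone file into ds_from_dnskey and the DS string from the registrar's panel (or from `dig DS example.com` at the parent's servers once it is live) into ds_matches. Any mismatch in tag, algorithm, digest type or digest is the same "your domain is dead" outcome the post describes, so the comparison is worth scripting into the key rollover procedure rather than eyeballing.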


