[dns-operations] thoughts on DNSSEC

Daniel Kalchev daniel at digsys.bg
Wed Jul 18 14:17:04 UTC 2012

Obviously, e-mail authentication is not appropriate, as is any in-band 
authentication as well.

Proper DNSSEC implementations should use end-to-end electronic signatures.

For example, while implementing DNSSEC back in 2007, we have made it 
mandatory in the BG registry to use qualified electronic signatures in 
order to manipulate DNSSEC. About the only operation you can do without 
it is "turn DNSSEC off" and for this to work you need other than e-mail 

As for the lack of mass DNSSEC participation -- the culprit is the "if 
it ain't broken don't fix it" translation of "put something in there and 
forget" attitude of the typical DNS administrator. Turning on DNSSEC in 
as many resolvers as possible (best, on any new personal device) is the 
most effective tool to fight laziness.


On 18.07.12 16:55, Vernon Schryver wrote:
> I've thought of a bigger, painfully obvious reason why "send mail to
> support" is an unacceptable answer from a registrar for DNSSEC.  If
> something happens that breaks DNSSEC validation, your entire domain
> will be hosed for the 48 or more hours (e.g. over a long weekend) that
> must be allowed for a mail support cycle.  If your registrar fat fingers
> your DS RRs or you lose your key pair in a disk crash, your domain is
> dead.  Given standard anti-spam checks for valid envelope domain names,
> it is possible that you won't even be able to send mail to your registrar
> except from a free mail provider or other third party account, worsening
> the authentication and authorization concerns of changing keys by mail.
> Today you can fix broken glue or delegations in minutes, but "send
> mail to support for DNSSEC" sends you back to the bad old days decades
> ago when a misplaced invoice or broken authoritative servers would
> put you off the net for days.
> It might not be quite that bad if your web users and mail recipients
> are using old DNS resolvers.  But if they're using current code with
> defaults such as BIND's "dnssec-enable yes", "dnssec-validation yes",
> and "dnssec-accept-expired no", they'll get the nothing I get from
> http://www.dnssec-failed.com.
> A second thought is prompted by Verisign's DNSSEC Scoreboard
> http://scoreboard.verisignlabs.com/
> http://scoreboard.verisignlabs.com/count-trace.png
> http://scoreboard.verisignlabs.com/percent-trace.png
> Those suggest that a smaller than trivial number of com and net
> domains are currently signed, but that they've doubled in the last
> couple of months.  There are a lot of com domains, but a doubling
> time of 60 days wouldn't take long to make a big dent.
> Vernon Schryver    vjs at rhyolite.com
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
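The failure Vernon describes (a registrar publishing a DS RR that matches no DNSKEY in the child zone) is detectable before validating resolvers start returning SERVFAIL, because the DS digest is a deterministic function of the owner name and the DNSKEY RDATA (RFC 4034, section 5.1.4). The following is an added example, not code from either poster or from any registry: it recomputes the DS set from the child's DNSKEYs and reports any parent DS that matches none of them. The DNSKEY public key bytes, the owner name and the "fat-fingered" DS are constructed for the demonstration and are not real zone data; in practice the DNSKEY and DS sets would be fetched from the child and parent zones.

```python
"""Check that every DS record the parent (registry) publishes matches a
DNSKEY actually present in the child zone (RFC 4034 section 5.1.4 and
Appendix B). Added example; all sample records below are constructed."""
import hashlib
import struct


def wire_name(name):
    """Canonical wire format of an owner name: lowercase, length-prefixed
    labels, terminated by the root label (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA as it appears on the wire: flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B): sum the RDATA as
    16-bit big-endian words, fold the carry back in, keep the low 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types registered by IANA: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def compute_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest) for a DNSKEY,
    i.e. the DS record the parent should be publishing for it."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest.upper())


def parse_ds(text):
    """Parse presentation-format DS RDATA: '<tag> <alg> <digest type> <hex>'."""
    tag, alg, dt, digest = text.split()
    return (int(tag), int(alg), int(dt), digest.upper())


def check_delegation(owner, dnskeys, parent_ds):
    """Return the parent DS records that match no DNSKEY in the child zone.
    An empty list means the delegation is consistent; anything else is the
    'registrar fat fingers your DS RRs' case and validators will SERVFAIL."""
    computed = set()
    for flags, proto, alg, key in dnskeys:
        for dt in DIGEST_ALGS:
            computed.add(compute_ds(owner, flags, proto, alg, key, dt))
    return [ds for ds in parent_ds if parse_ds(ds) not in computed]


def demo():
    """Constructed scenario: one correct DS and one with a mistyped last
    hex digit, as a registrar might have entered it by hand."""
    owner = "example.com."
    ksk_pub = bytes(range(64))          # constructed bytes, not a real key
    zsk_pub = bytes(64)                 # constructed bytes, not a real key
    dnskeys = [(257, 3, 13, ksk_pub),   # KSK (SEP flag set), ECDSAP256SHA256
               (256, 3, 13, zsk_pub)]   # ZSK
    good_ds = "%d %d %d %s" % compute_ds(owner, 257, 3, 13, ksk_pub)
    # Fat-finger the final hex digit of the digest the registrar published.
    last = good_ds[-1]
    bad_ds = good_ds[:-1] + ("0" if last != "0" else "1")
    return check_delegation(owner, dnskeys, [good_ds, bad_ds]), good_ds, bad_ds


if __name__ == "__main__":
    broken, good, bad = demo()
    print("parent DS matching no child DNSKEY:", broken)
```

Run periodically against the live DNSKEY and DS sets, a check like this turns the "domain dead for a long weekend" scenario into an alert raised while the registrar's change is still fresh, and the same DS computation is what an operator needs to verify a DS before submitting it to the registry in the first place.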
