[dns-operations] summary of recent vulnerabilities in DNS security.

Jared Mauch jared at puck.nether.net
Tue Oct 22 19:28:27 UTC 2013


On Oct 22, 2013, at 7:42 AM, Daniel Kalchev <daniel at digsys.bg> wrote:

> I for one, do not believe DNSSEC is any difficult. I have turned DNSSEC wherever I can. It has become easier and easier in the past few years to the point I would call deploying DNSSEC today trivial. I have therefore changed my stance with people considering DNSSEC deployment from "careful, this stuff needs special attention" to "good, encourage those guys".
> 
> See, I can answer such questions. Why can't others?

It's difficult because there is not universal support amongst registrars.  Once again the wheel gets stuck when the technical side meets the business side.  Before someone says "switch registrar", it's usually not that easy and then becomes something resembling a full time project vs "just throwing a switch".

Edit a zone file vs "edit, run a script, upload some keys, roll some keys, do some other magic" is harder than edit a zone file.

This runs into the same friction issue that using PGP and other tools encounter.  It seems simple enough to most folks, but when you add in someone less-technical, it goes off the rails quickly.  I can't count the number of times someone emailed me their full keyring or private key when they meant public.  It's not as easy as you think it is.

- Jared


More information about the dns-operations mailing list