[dns-operations] summary of recent vulnerabilities in DNS security.
rubensk at nic.br
Tue Oct 22 23:35:08 UTC 2013
On 22/10/2013, at 20:40, Jim Reid wrote:
> On 22 Oct 2013, at 22:53, Rubens Kuhl <rubensk at nic.br> wrote:
>> .nl and .cz got massive registrar adoption to DNSSEC offering business incentives, so it seems business side accounts for most of it.
> So where are the incentives for resolver operators? If they switch on DNSSEC validation and get extra calls to customer support as a result, who pays? How many calls does customer support get before this wipes out an ISP's profit margin? This is another hurdle that has to be overcome somehow if DNSSEC is to be adopted.
> It's all well and good that registries offer bribes^Wincentives to their sales channel, but the demand side (ie validation) needs incentives too and their needs are very different from someone who sells domain names and DNSSEC signing services.
What I observed on a local level was connectivity providers that were once hit by DNS attacks, whether those attacks could be mitigated by DNSSEC or not, rushing into deploying DNSSEC. So besides profit margins, potential liability costs (like "I was trying to use my Internet Banking and was defrauded") are also economic incentives to deploy DNSSEC-validating resolvers.
Talking to connectivity providers indicated they would see more value in DNSSEC if both more domains and the most used domains were DNSSEC-signed. We addressed the first part and are coming close to half a million DNSSEC domains in .br (without offering bri^H^H^Hincentives to sales channels), but most Top-N sites are still not signed with DNSSEC, so they still have an excuse. That contradicts a cost-based view of the issue, as having more DNSSEC-signed popular domains will only lead to more support calls with resolution issues, so either they won't do it either way, or they are indeed acting on a value-based view of the issue.