[dns-operations] summary of recent vulnerabilities in DNS security.

Vernon Schryver vjs at rhyolite.com
Tue Oct 22 23:59:04 UTC 2013

> From: Jim Reid <jim at rfc1035.com>

> So where are the incentives for resolver operators? If they switch
> on DNSSEC validation and get extra calls to customer support as a
> result, who pays?

Why not the same people as before?  Who besides farmers and squatters
(who don't care about DNSSEC) would object to paying 3 times as much
for DNSSEC?  That wouldn't leave us below the $50/year/domain #$%$#@!
of the outfit that took over from SRI.

Why would there be extra support calls?  Wrong keys are no worse
than wrong delegations or host records and only a little harder to
see because they are long strings of varying cybercrud.

> It's all well and good that registries offer bribes^Wincentives
> to their sales channel, but the demand side (ie validation) needs
> incentives too and their needs are very different from someone who
> sells domain names and DNSSEC signing services.

I don't understand.  Why would registrars get support calls about
validation problems?  Do they get calls now (that they answer) from
DNS resolver operators (other than big resolvers like Comcast)
for lame delegations?

With validation on by default in DNS servers (in BIND and I
assume others) and validation by big ISPs and third party resolvers,
what changes still need incentives?

Everyone considering writing about the high costs and great difficulties
of DNSSEC should try DNSSEC before writing.  Starting before BIND
auto-signing, I found everything except dealing with a recalcitrant,
functionally stupid registrar no worse than dealing with certs for
HTTP and SMTP, like the cert that headers on Jim Reid's message suggest
he maintains.  With both DNSSEC and PKI/OpenSSL, I had to overcome
things I knew that were false, but that's life.  It's entertaining
with the right attitude.

And trust me, I won't be making DNSSEC support calls to my registrar.

Vernon Schryver    vjs at rhyolite.com
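The message above notes that a wrong key is harder to spot by eye than a lame delegation because it is a long opaque string. As an added example (not part of this post or of any list member's code), the check below recomputes the DS digest from a DNSKEY the way RFC 4034 specifies it and compares it to the DS published at the parent, so a mismatch is found mechanically rather than by staring at the strings. The owner name `example.test` and the 4-byte "public key" are constructed placeholders, not a real key.

```python
import hashlib
import struct


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(16) | protocol(8) | algorithm(8) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compute_ds(owner: str, rdata: bytes) -> tuple:
    """DS (key_tag, algorithm, digest_type, digest) for a DNSKEY,
    using digest type 2 = SHA-256 over owner_wire || RDATA (RFC 4034 s5.1.4)."""
    digest = hashlib.sha256(owner_wire(owner) + rdata).digest()
    return key_tag(rdata), rdata[3], 2, digest


def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """True only when the parent's DS is exactly the digest of this DNSKEY.
    Any difference in key tag, algorithm or digest is a 'wrong key'."""
    if ds[2] != 2:  # only SHA-256 digests are handled in this example
        return False
    return tuple(ds) == compute_ds(owner, rdata)


if __name__ == "__main__":
    # Constructed sample: KSK flags (257), protocol 3, algorithm 13, fake key bytes.
    rd = dnskey_rdata(257, 3, 13, b"\x01\x02\x03\x04")
    ds = compute_ds("example.test.", rd)
    print("key tag", ds[0], "DS ok:", ds_matches("example.test", rd, ds))
```

In practice the DNSKEY comes from the child zone's apex and the DS from the parent; any `False` here is the same class of error as a lame delegation and can be alarmed on the same way.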
