[dns-operations] summary of recent vulnerabilities in DNS security.

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Oct 25 12:20:52 UTC 2013


On Tue, Oct 22, 2013 at 11:59:04PM +0000,
 Vernon Schryver <vjs at rhyolite.com> wrote 
 a message of 50 lines which said:

> Why would there be extra support calls?  Wrong keys are no worse
> than wrong delegations 

Of course, they are worse. In the vast majority of cases, lame
delegations (or other mistakes) do not prevent resolution (as long as
one name server works). A wrong key can completely prevent resolution,
leading to a loss of service. The DNS is extremely robust, you have to
try very hard to break it. With DNSSEC, it's the opposite, you have to
be very careful for it to work.

> Why would registrars get support calls about validation problems?
> Do they get calls now (that they answer) from DNS resolver operators
> (other than big resolvers like Comcast) for lame delegations?

See above. "I cannot visit http://www.онлайн/ while it works from
$OTHERISP so it's your fault".
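The asymmetry discussed in this message, as an added example that is not part of the original post: a simplified resolver model in which lame delegations are tolerated as long as one server answers, while a DS record at the parent that matches no DNSKEY at the child fails for validating resolvers only. The zone name, key bytes and the `resolve` helper are constructed for illustration; only the DS-to-DNSKEY link is checked (RFC 4034 digest and key tag), RRSIG verification is assumed and left out.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercase) DNS wire form of an ASCII owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata):
    """Key tag as in RFC 4034 Appendix B (algorithms other than 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 digest) for a DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def resolve(owner, servers_up, parent_ds, child_keys, validating):
    """Simplified resolver outcome: 'NOERROR' or 'SERVFAIL'."""
    if not any(servers_up.values()):
        return "SERVFAIL"              # every delegated server is lame or down
    if validating and parent_ds:
        chain_ok = any(make_ds(owner, k) in parent_ds for k in child_keys)
        if not chain_ok:
            return "SERVFAIL"          # bogus: no DNSKEY matches any DS
    return "NOERROR"

# Constructed sample data: the zone name and key bytes are made up.
ZONE = "example.test."
OLD_KSK = dnskey_rdata(257, 8, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 8, bytes(range(64, 128)))
STALE_DS = [make_ds(ZONE, OLD_KSK)]    # parent still lists the old key

def scenarios():
    lame = {"ns1": False, "ns2": False, "ns3": True}   # two lame delegations
    healthy = {"ns1": True, "ns2": True, "ns3": True}
    return {
        "lame_delegations": resolve(ZONE, lame, [make_ds(ZONE, NEW_KSK)], [NEW_KSK], True),
        "wrong_key_validating": resolve(ZONE, healthy, STALE_DS, [NEW_KSK], True),
        "wrong_key_other_isp": resolve(ZONE, healthy, STALE_DS, [NEW_KSK], False),
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The third scenario is the "works from $OTHERISP" case: the same stale DS is invisible to a resolver that does not validate.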



