[dns-operations] .PL DNSSEC broken again

Paul Vixie paul at redbarn.org
Mon Jun 17 13:59:41 UTC 2019

On Monday, 17 June 2019 13:09:15 UTC bert hubert wrote:
> On Mon, Jun 17, 2019 at 04:49:34AM -0400, Viktor Dukhovni wrote:
> > > ...
> The problem is that from an operator point of view, DNSSEC is optional. They
> can just turn it off. This means they _do_ hold it to a higher standard
> because if it causes problems, they can do without it.

the purpose of dnssec was to make dns more fragile, by increasing both the 
overall number of things that must be working in order to operate it, and the 
share of things in dns which must be working in order to operate it. anyone 
who wants reliability and is willing to trade off authenticity to get 
reliability, should not be using dnssec. i hope there is nobody like that.

> > [ Large parts of the Google cloud failed for multiple hours quite
> >   recently.  I don't recall much consternation about cloud-service
> >   adoption. ]
> We have very little choice there.

to the extent that i rely on parties who rely on clouds, that is so. my only 
business use of a cloud is to hold encrypted backups, yet when google goes 
down, they take a number of my critical suppliers with them. but it's wrong to 
say we have no choices. for example, limiting the use of cloud resources, and 
mixing in private cloud resources, and using multiple public clouds.

for dnssec, we need to reach the tipping point, where signers suffer more than 
validators do, whenever keys or signatures are allowed to expire or are 
wrongly maintained. to get there, we need more validators, even if those new 
validating parties are being asked to take substantial short/medium term risk.


More information about the dns-operations mailing list