[dns-operations] .PL DNSSEC broken again
Paul Vixie
paul at redbarn.org
Mon Jun 17 13:59:41 UTC 2019
On Monday, 17 June 2019 13:09:15 UTC bert hubert wrote:
> On Mon, Jun 17, 2019 at 04:49:34AM -0400, Viktor Dukhovni wrote:
> > > ...
>
> The problem is that from an operator point of view, DNSSEC is optional. They
> can just turn it off. This means they _do_ hold it to a higher standard
> because if it causes problems, they can do without it.
the purpose of dnssec was to make dns more fragile, by increasing both the
overall number of things that must be working in order to operate it, and the
share of things in dns which must be working in order to operate it. anyone
who wants reliability and is willing to trade off authenticity to get
reliability, should not be using dnssec. i hope there is nobody like that.
> > [ Large parts of the Google cloud failed for multiple hours quite
> > recently. I don't recall much consternation about cloud-service
> > adoption. ]
>
> We have very little choice there.
to the extent that i rely on parties who rely on clouds, that is so. my only
business use of a cloud is to hold encrypted backups, yet when google goes
down, they take a number of my critical suppliers with them. but it's wrong to
say we have no choices. for example, limiting the use of cloud resources, and
mixing in private cloud resources, and using multiple public clouds.
for dnssec, we need to reach the tipping point, where signers suffer more than
validators do, whenever keys or signatures are allowed to expire or are
wrongly maintained. to get there, we need more validators, even if those new
validating parties are being asked to take substantial short/medium term risk.
--
Paul
More information about the dns-operations
mailing list