[dns-operations] .PL DNSSEC broken again

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Jun 17 18:37:33 UTC 2019


On Mon, Jun 17, 2019 at 03:09:15PM +0200, bert hubert wrote:

> The problem is that from an operator point of view, DNSSEC is optional. They
> can just turn it off. This means they _do_ hold it to a higher standard
> because if it causes problems, they can do without it.

I think that at this point the main problem is cultural, not
technical.  We've been hearing gloom and doom about DNSSEC from
various folks for years, and the occasional outage which breaks
"only" data authentication is now an opportunity for confirmation
bias.

It would be more productive to stop calling these "DNSSEC" outages,
and simply call them "DNS" outages or as appropriate degradations
of service.  Some DNS outages will be caused by operator error,
others by software defects, some both.

Authenticated DNS is more sensitive to some errors than unauthenticated
DNS, but the latter is more vulnerable to attack.  I'd like to see
continued growth of authenticated DNS with operators paying better
attention to monitoring, which would improve DNS reliability more
broadly, beyond just authentication-related issues.

It is time to "grow up", accept that DNS == DNSSEC, and operate it
accordingly.  There are more[1] than 10 million DNSSEC-signed
domains, and a large fraction of users behind validating resolvers:

	64.6.65.6
	64.6.64.6
	9.9.9.9
	8.8.8.8
	8.8.4.4
	1.1.1.1
	1.0.0.1

If some important aspect of your DNS is not working, then your DNS
is not working...  Monitor it closely and fix it expeditiously.

-- 
	Viktor.

[1] My survey has only found ~9.9 million so far, but there are
TLDs whose authoritative signed domain counts are significantly
higher than what I've been able to discover.
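As an added illustration of the monitoring point above (this is not code from the thread or from any project named in it), the check below classifies the health of a signed zone from two resolver responses: a normal query and the same query with the CD (checking disabled) bit set. A SERVFAIL that turns into a NOERROR under CD=1 is the signature of a validation failure (expired or mismatched signatures, a DS/DNSKEY mismatch), whereas a failure under both is an ordinary DNS outage; a healthy answer additionally gets its RRSIG expiration checked so that an operator is warned before signatures lapse. The responses are constructed samples in the text layout of `dig +dnssec`, not real captures, and `NOW` is fixed to the date of this message.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed dig-style responses (not real captures). The layout copies the
# header, flags and RRSIG presentation format that `dig +dnssec` prints.
NOW = datetime(2019, 6, 17, 18, 37, tzinfo=timezone.utc)

HEALTHY = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.example.pl.  300 IN A     192.0.2.10
www.example.pl.  300 IN RRSIG A 13 3 300 20190701120000 20190611120000 12345 example.pl. c29tZXNpZw==
"""
HEALTHY_CD = HEALTHY.replace("qr rd ra ad;", "qr rd ra cd;")

# Same zone, but the signature expires about 29 hours after NOW.
EXPIRING = HEALTHY.replace("20190701120000", "20190619000000")
EXPIRING_CD = EXPIRING.replace("qr rd ra ad;", "qr rd ra cd;")

# Validation failure: the normal query SERVFAILs, while the CD=1 query returns
# the unvalidated data carrying a signature that expired two days before NOW.
BROKEN = """
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41002
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
BROKEN_CD = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41003
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.example.pl.  300 IN A     192.0.2.10
www.example.pl.  300 IN RRSIG A 13 3 300 20190615000000 20190525000000 12345 example.pl. c29tZXNpZw==
"""
TIMEOUT = ";; connection timed out; no servers could be reached\n"

STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r";; flags: ([^;]*);")
# RRSIG RDATA: type-covered alg labels orig-ttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"\sRRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+\d+\s+\S+"
)


def parse_dig(text):
    """Extract status, header flags and (type, expiration) of each RRSIG."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    rrsigs = []
    for m in RRSIG_RE.finditer(text):
        expiry = datetime.strptime(m.group(2), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        rrsigs.append((m.group(1), expiry))
    return {
        "status": status.group(1) if status else "UNKNOWN",
        "flags": set(flags.group(1).split()) if flags else set(),
        "rrsigs": rrsigs,
    }


def classify(normal_text, cd_text, now=NOW, warn=timedelta(days=3)):
    """Return one of OK, OK_EXPIRING, INSECURE, VALIDATION_FAILURE, OUTAGE."""
    normal = parse_dig(normal_text)
    cd = parse_dig(cd_text)
    if normal["status"] == "NOERROR":
        if "ad" not in normal["flags"]:
            # Answered, but not validated: unsigned zone or non-validating resolver.
            return "INSECURE"
        soonest = min((expiry for _, expiry in normal["rrsigs"]), default=None)
        if soonest is not None and soonest - now < warn:
            return "OK_EXPIRING"  # still validates, but re-signing is overdue
        return "OK"
    if normal["status"] == "SERVFAIL" and cd["status"] == "NOERROR":
        # Data is served when checking is disabled, so the failure is in validation.
        return "VALIDATION_FAILURE"
    # SERVFAIL under CD too, or no parsable response at all: plain DNS outage.
    return "OUTAGE"


if __name__ == "__main__":
    for label, pair in {"healthy": (HEALTHY, HEALTHY_CD),
                        "expiring": (EXPIRING, EXPIRING_CD),
                        "broken": (BROKEN, BROKEN_CD),
                        "timeout": (TIMEOUT, TIMEOUT)}.items():
        print(f"{label:9s} -> {classify(*pair)}")
```

In a real deployment the two texts would come from `dig +dnssec` and `dig +dnssec +cd` against a validating resolver, and the verdict would feed the alerting system; the CD=1 comparison is what lets the alert say whether the zone is unreachable or merely unverifiable, which is exactly the distinction the message above asks operators to make.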


