[dns-operations] .PL DNSSEC broken again

John Levine johnl at taugh.com
Tue Jun 18 03:20:24 UTC 2019


In article <20190617220327.GV84864 at straasha.imrryr.org> you write:
>> (a) Complexity of understanding/operating DNSSEC (this has reduced over
>>     the years)
>> 
>> (b) Lack of knowledge/interest
>> 
>> (c) Lack of software implementation
>> 
>> (d) Risk of operational problems (considered vs. risk of poisoning)
>
>I vote for:
>
>  (e) Long capital infrastructure replacement cycles.

That's partly it, but there's a lot of (c).  DNS servers and caches
support DNSSEC fine, but the crudware that provisions the zones
largely doesn't.

I've been complaining for years that I have 300 signed zones on my DNS
server but less than 150 of them validate because I have no practical
way to install the DS in the parent zone.  When my users register
names through me (I'm a Tucows reseller) it's easy, but with anyone
else, I'd have to ask for their registrar passwords and impersonate
them to set it up.

Whenever I mention this, people say oh, yeah, we should do something
about that, perhaps more aggressive CDS or something.  Years pass,
nothing happens, which tells me that making DNSSEC work is not a
problem that anyone really thinks is worth solving.

R's,
John
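An added illustration of the gap John describes (example code, not part of his post): the DS the parent must hold is only a digest of the child's KSK (RFC 4034), and the child can publish that same record in its own zone as CDS (RFC 7344) for a parent or registrar to pick up. Zone names and key bytes below are constructed placeholders, not real keys.

```python
import hashlib
# All zone names and key bytes here are constructed placeholders, not real keys.
# Algorithm 13 = ECDSAP256SHA256; digest type 2 = SHA-256; flags 257 = KSK (SEP bit set).

def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_tuple(owner, rdata, digest_type=2):
    """(key tag, algorithm, digest type, digest) as the parent stores it; RFC 4034 s5.1.4
    hashes the canonical owner name followed by the DNSKEY RDATA."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_text(owner, rdata, rrtype="DS"):
    """Presentation form; rrtype='CDS' gives the RFC 7344 record the child publishes itself."""
    return "%s IN %s %d %d %d %s" % ((owner, rrtype) + ds_tuple(owner, rdata))

def cds_records(owner, dnskeys):
    """CDS records for every KSK (SEP flag set) in the child's DNSKEY set."""
    return [ds_text(owner, k, "CDS") for k in dnskeys if int.from_bytes(k[:2], "big") & 1]

def chain_is_linked(owner, child_dnskeys, parent_ds):
    """True when some DS held by the parent matches a DNSKEY the child serves. Otherwise a signed
    zone is not validated: no DS at all means an insecure delegation, a stale DS means bogus."""
    return any(ds_tuple(owner, k) in parent_ds for k in child_dnskeys)

# Constructed example: two signed zones, only one of which has its DS installed in the parent.
ZONES = {
    "linked.example.": [dnskey_rdata(257, 13, b"\x01" * 64)],
    "orphan.example.": [dnskey_rdata(257, 13, b"\x02" * 64)],
}
PARENT_DS = {"linked.example.": {ds_tuple("linked.example.", ZONES["linked.example."][0])}}

if __name__ == "__main__":
    print([z for z in ZONES if chain_is_linked(z, ZONES[z], PARENT_DS.get(z, set()))])
    print("\n".join(r for z, k in ZONES.items() for r in cds_records(z, k)))
```

The second print is what a CDS-aware parent or registrar would poll for and import as the DS set; the first reproduces the "signed but not validating" count for zones whose DS never reached the parent.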
