[dns-operations] .PL DNSSEC broken again

Rayhelson, Michael rayhelso at amazon.com
Tue Jun 18 07:02:27 UTC 2019

Small correction - you do not even need a CDN for pre-signing to become unmanageable. 
All it takes is a scenario like "take these X IP addresses, filter out the unhealthy ones and return random Z of them".

But yes - it is not uncommon for CDN (or any cloud scenarios, for that matter) to be in a situation where the name has one owner - but A and AAAA are provided by someone else, who does not even know what the name in question is.

It is also worth noting that unlike TLS, which protects scenarios end-to-end, DNSSEC protects just the DNS resolution part. So, it is only rational for people to prefer spending their security allowances on the former if doing both gets too expensive.

    Mark Andrews writes:

    > I've yet to see a case where "on the fly" signing is necessary.  All
    > you need to do is be able to publish different RRsets with their matching
    > RRSIGs all of which can be precomputed.
    Theoretically true, but there are indeed some zones, such as some CDN
    zones, for which the number of possible RRsets is so great that
    in practical terms you can't precompute and store them all.
    You can argue against the legitimacy of that architecture, but that's
    a different claim.
    That said, I basically agree with you that a perceived need for
    on-the-fly signing is not a real blocker for most of the non-adoption.
