[dns-operations] .PL DNSSEC broken again
rayhelso at amazon.com
Tue Jun 18 21:27:54 UTC 2019
A small correction - you do not even need a CDN for pre-signing to become unmanageable.
All it takes is a scenario like "take these X IP addresses, filter out the unhealthy ones and return random Z of them".
But yes - it is not uncommon for a CDN (or any cloud scenarios, for that matter) to be in a situation where the name has one owner - but A and AAAA are provided by someone else, who does not even know what the name in question is.
It is also worth noting that, unlike TLS, DNSSEC protects just the DNS resolution part. So, it is fairly easy for TLS-based improvements to win both wrt the cost and the benefits.
Mark Andrews writes:
> I've yet to see a case where "on the fly" signing is necessary. All
> you need to do is be able to publish different RRsets with their matching
> RRSIGs all of which can be precomputed.
Theoretically true, but there are indeed some zones, such as some CDN
zones, for which the number of possible RRsets is so great that
in practical terms you can't precompute and store them all.
You can argue against the legitimacy of that architecture, but that's
a different claim.
That said, I basically agree with you that a perceived need for
on-the-fly signing is not a real blocker for most of the non-adoption.
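An added illustration of the pre-signing problem discussed in this thread (this is example code written for this page, not anything from the posters or from any DNS implementation). It models the "take X addresses, drop the unhealthy ones, return a random Z of them" scenario: the authoritative server can hand back answers in any order, but DNSSEC signs an RRset in canonical order, so the number of distinct signatures a pre-signed table must hold is the number of Z-subsets of the pool, C(X, Z), rather than the number of orderings. The zone name, the 192.0.2.0/24 pool and the HMAC standing in for RRSIG generation are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import itertools
import math
import random

# Constructed stand-in for the zone's signing key; a real signer would use the
# ZSK and produce an RRSIG, here HMAC-SHA256 plays that role for illustration.
ZONE_KEY = b"constructed-demo-key"


def canonical_rrset(name, addrs):
    """DNSSEC signs an RRset in canonical form: owner name lower-cased and the
    RRs sorted by their RDATA, so the order the server happens to return the
    addresses in does not create a new RRset (and so no new signature)."""
    ordered = sorted(addrs, key=lambda a: ipaddress.ip_address(a).packed)
    return (name.lower(), tuple(ordered))


def sign_rrset(name, addrs):
    """Placeholder 'RRSIG' over the canonical RRset (constructed, not real)."""
    owner, rdata = canonical_rrset(name, addrs)
    msg = (owner + "|" + ",".join(rdata)).encode()
    return hmac.new(ZONE_KEY, msg, hashlib.sha256).hexdigest()


def answer_sets_needed(x, z):
    """How many distinct RRsets (and thus precomputed signatures) a fixed
    'return Z of X' policy can ever emit: one per Z-subset of the pool."""
    return math.comb(x, z)


def presign_all(name, pool, z):
    """Pre-sign every possible answer set so that, whichever Z healthy
    addresses get chosen later, a matching signature is already stored."""
    table = {}
    for combo in itertools.combinations(pool, z):
        table[canonical_rrset(name, combo)] = sign_rrset(name, combo)
    return table


def serve(name, pool, healthy, z, table, rng):
    """The answer path: filter unhealthy addresses, pick Z at random, and
    fetch the precomputed signature for that (canonicalised) RRset."""
    candidates = [a for a in pool if a in healthy]
    chosen = rng.sample(candidates, z)
    return chosen, table[canonical_rrset(name, chosen)]


def make_pool(x):
    """Constructed address pool from the TEST-NET-1 documentation range."""
    return ["192.0.2.%d" % i for i in range(1, x + 1)]


if __name__ == "__main__":
    name = "www.example."
    pool = make_pool(20)
    table = presign_all(name, pool, 4)
    print("pre-signed RRsets for X=20, Z=4:", len(table))
    healthy = set(pool) - {"192.0.2.7", "192.0.2.19"}
    chosen, sig = serve(name, pool, healthy, 4, table, random.Random(0))
    print("answer:", chosen, "signature found:", sig == sign_rrset(name, chosen))
    # The table grows combinatorially long before the pool is "large".
    for x, z in [(20, 4), (50, 8), (100, 8)]:
        print("X=%d Z=%d -> %d signatures to precompute" % (x, z, answer_sets_needed(x, z)))
```

The last loop is the point of the thread: at X=50, Z=8 the pre-signed table already needs about 537 million RRSIGs, and a health-check flip does not reduce that bound because any subset of the pool may be the healthy set on a given query. Signing on demand needs one signature per answer actually served.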