[dns-operations] Quad9 DNSSEC Validation?

Paul Vixie paul at redbarn.org
Sun Feb 28 19:38:49 UTC 2021

On Sun, Feb 28, 2021 at 06:37:48AM -0600, Scott Morizot wrote:
> > ...
> > https://dnsviz.net/d/irs.gov/XqOruQ/dnssec/?no_js=1
> Yes, that failure was a big deal to us when it happened last spring. There
> were a number of factors that led to it, some of them pandemic related, and
> it created a major disruption across our enterprise network, not just for
> Internet users. It was also a relatively pretty brief interruption in the
> night in the US. The history of it in DNSViz is mostly from me working on
> the problem. And it was resolved in a few hours.
> https://dnsviz.net/d/irs.gov/XqPUOQ/dnssec/?no_js=1
> At the IRS, we have DNSSEC validation enabled throughout our recursive
> infrastructure and most of our internal DNS is also signed. If anything
> fails in our infrastructure and signing, it impacts 100% of our employees
> as well as the roughly one third of client queries in the US that originate
> exclusively from behind DNSSEC validating recursive nameservers.
> https://stats.labs.apnic.net/dnssec/US

I think this is precisely the ideal attitude to take about DNSSEC, which at
heart is a complicated way to increase the fragility of the DNS and add many
new failure cases, but all in the service of something more important. Thank
you for doing it this way and for taking time to explain it to everybody.

> Nobody contacted us. There is no reason to rush to put in a negative trust
> anchor that quickly absent some sort of public outcry, which did not occur.
> And there is certainly no reason for it to still be in place almost a year
> later.

The technology of negative trust anchors is exactly as wrongheaded as it can
possibly be. The pressure to not break stuff should be unrelenting, and the
cost of breaking it should be extreme. Also, negative trust anchors aren't
part of the global MIB, and lead to different behaviour for different users.

Please consider offering to present your DNSSEC policies and experiences at
an upcoming DNS-OARC meeting. Fur may fly, but usefully so.

Paul Vixie
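Added example, not part of the original message or of any of the participants' tooling: the quickest way for an operator to tell a DNSSEC validation failure like the irs.gov outage apart from an ordinary outage is to query the name twice, once normally and once with checking disabled (`dig +cd`). SERVFAIL on the first and NOERROR on the second means the data exists but the resolver refused to validate it, which is exactly the state a negative trust anchor would paper over for every user behind that resolver. The functions below classify a name from the two dig header blocks. The sample dig outputs are constructed for the example, and the resolver address in the usage comment is only an illustration.

```shell
#!/bin/sh
# Classify a name's resolution status from two dig runs: one normal, one with
# +cd (checking disabled). SERVFAIL without +cd but NOERROR with +cd is the
# signature of a DNSSEC validation failure at the resolver.
# The SAMPLE_* outputs below are constructed, not captured from a real resolver.

# Extract the RCODE (NOERROR, SERVFAIL, NXDOMAIN, ...) from a dig header.
rcode_of() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the AD (authenticated data) flag is present in the flags line.
has_ad_flag() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'
}

# classify NORMAL_OUTPUT CD_OUTPUT -> prints one of:
#   validation-failure : SERVFAIL normally, NOERROR with +cd (DNSSEC problem)
#   secure             : NOERROR with AD set (validated by the resolver)
#   insecure           : NOERROR without AD (unsigned, or resolver not validating)
#   other-failure      : fails even with +cd (not a DNSSEC problem)
classify() {
    n_rc=$(rcode_of "$1")
    c_rc=$(rcode_of "$2")
    if [ "$n_rc" = SERVFAIL ] && [ "$c_rc" = NOERROR ]; then
        echo validation-failure
    elif [ "$n_rc" = NOERROR ] && has_ad_flag "$1"; then
        echo secure
    elif [ "$n_rc" = NOERROR ]; then
        echo insecure
    else
        echo other-failure
    fi
}

# Live use (needs network and dig; resolver address is illustrative):
#   classify "$(dig +dnssec irs.gov A @9.9.9.9)" "$(dig +dnssec +cd irs.gov A @9.9.9.9)"

# Constructed sample headers, shaped like dig's ";; ->>HEADER<<-" block.
SAMPLE_BROKEN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BROKEN_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12347
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12348
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
```

Run against a validating resolver and a non-validating one side by side: the same signed-but-broken zone will classify as `validation-failure` on the first and `insecure` on the second, which is the "different behaviour for different users" the message above objects to when it is induced deliberately with a negative trust anchor.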
