[dns-operations] slack.com bogus

Michael Sinatra michael at brokendns.net
Fri Oct 1 00:36:07 UTC 2021


On 9/30/21 4:30 PM, Viktor Dukhovni wrote:
>> On 30 Sep 2021, at 7:14 pm, Paul Ebersman <list-dns-operations at dragon.net> wrote:
>>
>> Which is actually impeding DNSSEC for domains where outages of DNS
>> instantly cause revenue issues. Knowing you're off the air in a
>> significant part of the world means a good deal of the Alexa 1000 still
>> won't sign their "money" domains.
> 
> And yet progress is being made even among these, and many of the
> arguments against are increasingly stale.  Of the top 1k domains
> in a recent Tranco snapshot, 88 are signed.  Yeah, NTAs are sometimes
> deployed, but sometimes also linger past their use-by, and should be
> avoided as much as possible, and as it becomes increasingly difficult
> to convince everyone to install an NTA the pressure will also be felt
> at the right place.

[snip]

I think part of the issue in this discussion is that the Slack failure 
does not appear to be a failure to understand or correctly execute 
DNSSEC.  It's a failure to understand DNS, and particularly DNS caching.

DNSViz shows a correctly-signed and valid domain at the time that the 
DS+DNSKEY+RRSIG records were unceremoniously yanked.  So they *were* 
doing DNSSEC right, but they decided to make a change, for whatever 
reason, and didn't understand the effects of caching in the global system.

A similar shot-to-the-foot could have been accomplished by changing the 
NS records to point to entirely new providers/hosts and immediately 
shutting down the old NSes.

Yes, DNSSEC really does require a good understanding of caching and 
TTLs, but there are other aspects of DNS that require such an 
understanding.  And I honestly hope I am seriously wrong here, but it 
seems like that understanding of one of the fundamentals of DNS was 
lacking here.

michael
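Added example, not from the thread or from any of the posters: a toy model of a validating resolver's DS cache that shows why pulling the DS, DNSKEY and RRSIGs all at once leaves validators returning bogus until the cached DS expires, versus the staged order (pull the DS first, wait out its TTL, then stop signing). The Zone and Validator classes and the TTL values are constructed for illustration and ignore DNSKEY caching and RRSIG expiry.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Zone:
    """Published state of a child zone and its parent (constructed)."""
    ds_at_parent: bool   # parent publishes a DS for the child
    signed: bool         # child publishes DNSKEY + RRSIGs


@dataclass
class Validator:
    """Validating resolver that caches the child's DS RRset for ds_ttl seconds."""
    ds_ttl: int
    cached_ds: Optional[bool] = None   # None = nothing cached yet
    cached_at: int = 0
    now: int = 0

    def advance(self, seconds: int) -> None:
        self.now += seconds

    def resolve(self, zone: Zone) -> str:
        # Re-query the parent only once the cached DS answer has expired.
        if self.cached_ds is None or self.now - self.cached_at >= self.ds_ttl:
            self.cached_ds = zone.ds_at_parent
            self.cached_at = self.now
        if self.cached_ds:
            # A DS is believed to exist, so the child must chain to it.
            return "SECURE" if zone.signed else "BOGUS"
        return "INSECURE"   # no DS: an unsigned child is acceptable


def unceremonious_removal(ds_ttl: int = 3600) -> list:
    """Yank DS+DNSKEY+RRSIG at once: cached DS makes the zone bogus until it ages out."""
    zone, v = Zone(ds_at_parent=True, signed=True), Validator(ds_ttl)
    out = [v.resolve(zone)]                 # SECURE, DS now in cache
    zone.ds_at_parent, zone.signed = False, False
    v.advance(60)
    out.append(v.resolve(zone))             # BOGUS: cached DS, no chain
    v.advance(ds_ttl)
    out.append(v.resolve(zone))             # INSECURE once the DS entry expired
    return out


def staged_removal(ds_ttl: int = 3600) -> list:
    """Remove the DS first, keep signing until every cached DS has expired."""
    zone, v = Zone(ds_at_parent=True, signed=True), Validator(ds_ttl)
    out = [v.resolve(zone)]                 # SECURE
    zone.ds_at_parent = False               # step 1: pull the DS only
    v.advance(60)
    out.append(v.resolve(zone))             # still SECURE: signatures still valid
    v.advance(ds_ttl)
    out.append(v.resolve(zone))             # INSECURE: refreshed, no DS at parent
    zone.signed = False                     # step 2: now safe to stop signing
    out.append(v.resolve(zone))             # INSECURE
    return out
```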