[dns-operations] slack.com bogus
Michael Sinatra
michael at brokendns.net
Fri Oct 1 00:36:07 UTC 2021
On 9/30/21 4:30 PM, Viktor Dukhovni wrote:
>> On 30 Sep 2021, at 7:14 pm, Paul Ebersman <list-dns-operations at dragon.net> wrote:
>>
>> Which is actually impeding DNSSEC for domains where outages of DNS
>> instantly cause revenue issues. Knowing you're off the air in a
>> significant part of the world means a good deal of the alexa 1000 still
>> won't sign their "money" domains.
>
> And yet progress is being made even among these, and many of the
> arguments against are increasingly stale. Of the top 1k domains
> in a recent Tranco snapshot, 88 are signed. Yeah, NTAs are sometimes
> deployed, but sometimes also linger past their use-by, and should be
> avoided as much as possible, and as it becomes increasingly difficult
> to convince everyone to install an NTA the pressure will also be felt
> at the right place.
[snip]
I think part of the issue in this discussion is that the Slack failure
does not appear to be a failure to understand or correctly execute
DNSSEC. It's a failure to understand DNS, and particularly DNS caching.
DNSViz shows a correctly-signed and valid domain at the time that the
DS+DNSKEY+RRSIG records were unceremoniously yanked. So they *were*
doing DNSSEC right, but they decided to make a change, for whatever
reason, and didn't understand the effects of caching in the global system.
A similar shot-to-the-foot could have been accomplished by changing the
NS records to point to entirely new providers/hosts and immediately
shutting down the old NSes.
Yes, DNSSEC really does require a good understanding of caching and
TTLs, but there are other aspects of DNS that require such an
understanding. And I honestly hope I am seriously wrong here, but it
seems like that understanding of one of the fundamentals of DNS was
lacking here.
michael
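The caching effect Michael describes (DS, DNSKEY and RRSIG records pulled at the same moment, while resolvers still hold the DS in cache) can be modelled with a small simulation. The Python below is an added illustration, not part of the list post or of any real resolver; the TTLs, the removal times and the one-delegation "zone" are all constructed, and the model deliberately ignores RRSIG validity windows, multiple upstream resolvers and the negative-caching details of a real validator. It compares the "yank everything at once" change with the RFC-style unsigning order (remove the DS at the parent first, keep signing for at least the DS TTL, then drop DNSKEY/RRSIG) and reports the window during which a validating resolver would answer SERVFAIL.

```python
from dataclasses import dataclass

# Constructed TTLs for this scenario (not any real zone's values).
DS_TTL = 3600       # TTL of the DS RRset served by the parent
DNSKEY_TTL = 300    # TTL of the child's DNSKEY RRset
ANSWER_TTL = 60     # TTL of the A record the client asks for
NEG_TTL = 3600      # negative-cache TTL for "no DS" (parent SOA minimum)


@dataclass
class Entry:
    value: object   # True/False for presence (DS, DNSKEY) or "signed" (answer)
    expires: int    # absolute simulated second at which the entry expires


class ZoneState:
    """Authoritative state of one delegation.

    ds_removed_at:      second at which the parent stops serving the DS
    signing_removed_at: second at which the child stops serving DNSKEY/RRSIG
    None means the record is never removed.
    """

    def __init__(self, ds_removed_at=None, signing_removed_at=None):
        self.ds_removed_at = ds_removed_at
        self.signing_removed_at = signing_removed_at

    def ds(self, t):
        present = self.ds_removed_at is None or t < self.ds_removed_at
        return present, (DS_TTL if present else NEG_TTL)

    def dnskey(self, t):
        present = self.signing_removed_at is None or t < self.signing_removed_at
        return present, DNSKEY_TTL

    def answer(self, t):
        # Once signing is removed the A record is served without an RRSIG.
        signed = self.signing_removed_at is None or t < self.signing_removed_at
        return signed, ANSWER_TTL


class ValidatingResolver:
    """Toy validating resolver: a TTL-respecting cache plus the
    secure / insecure / bogus decision for one name."""

    def __init__(self, zone):
        self.zone = zone
        self.cache = {}

    def _get(self, key, t, fetch):
        entry = self.cache.get(key)
        if entry is not None and entry.expires > t:
            return entry.value          # still fresh, served from cache
        value, ttl = fetch(t)           # cache miss: ask the authority
        self.cache[key] = Entry(value, t + ttl)
        return value

    def resolve(self, t):
        if not self._get("DS", t, self.zone.ds):
            return "insecure"           # no DS: unsigned delegation, no validation
        dnskey_present = self._get("DNSKEY", t, self.zone.dnskey)
        answer_signed = self._get("A", t, self.zone.answer)
        if dnskey_present and answer_signed:
            return "secure"
        return "bogus"                  # DS says "signed", proof is missing -> SERVFAIL


def statuses(zone, prime_at, query_times):
    """Prime a resolver's cache at prime_at, then report the validation
    status it returns at each later query time."""
    r = ValidatingResolver(zone)
    r.resolve(prime_at)
    return [(t, r.resolve(t)) for t in query_times]


def bogus_interval(zone, prime_at, horizon):
    """(first, last) second at which a resolver primed at prime_at and queried
    every second returns bogus, or None if it never does."""
    r = ValidatingResolver(zone)
    r.resolve(prime_at)
    bogus = [t for t in range(prime_at + 1, horizon) if r.resolve(t) == "bogus"]
    return (bogus[0], bogus[-1]) if bogus else None


if __name__ == "__main__":
    # Scenario 1: DS, DNSKEY and RRSIGs all disappear at second 1000.
    yanked = ZoneState(ds_removed_at=1000, signing_removed_at=1000)
    print("yank everything at once, resolver primed at t=0:",
          bogus_interval(yanked, 0, 5000))          # -> (1020, 3599)

    # Scenario 2: DS removed first; signing kept for a full DS TTL afterwards.
    orderly = ZoneState(ds_removed_at=1000, signing_removed_at=1000 + DS_TTL)
    for primed in (0, 999):
        print(f"orderly unsigning, resolver primed at t={primed}:",
              bogus_interval(orderly, primed, 6000))  # -> None
```

In the first scenario the resolver keeps the DS in cache for the remainder of its 3600-second TTL, so every fresh answer it fetches after second 1000 is unsigned under a delegation it still believes is signed, and it returns SERVFAIL until the DS expires; the outage length is set by the parent's DS TTL, not by anything the child can do afterwards. In the second scenario no resolver is ever left holding a DS without matching keys and signatures, because the child keeps signing until the last cached DS can have aged out. The same bookkeeping applies to the NS-change analogy in the post: whatever the parent has told resolvers, and for how long, bounds how quickly the child can stop honouring it.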