[dns-operations] slack.com bogus

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Sep 30 23:04:19 UTC 2021


> On 30 Sep 2021, at 6:54 pm, Paul Ebersman <list-dns-operations at dragon.net> wrote:
> 
> If NASA borks their DNSSEC, the large recursive resolvers eat huge
> customer support costs but NASA is mostly unscathed (and may not even
> notice immediately). So the incentive to do better operationally is
> light for NASA but the resolver operators have very little leverage to
> encourage them to do better.

That was true then, but the pain felt by auth server operators has
grown a bunch as over time more of the world is doing validation.

> I hold up most of .milnet as an example of years of DNSSEC breakage
> making very little headway in operational improvements. While a lot of
> that is due to it being an unfunded mandate for years, breakage
> certainly hasn't improved things much faster.

The milnet domains have been getting better at DNS lately.  They
no longer drop TLSA queries, have DANE deployed for the mail.mil
MX hosts, and at least for the major domains are showing better
stability than in the past.  Perhaps they're running software
stacks that make the job easier.

> NTAs shouldn't be over-used/abused but there's no question they have
> significantly moved the needle in getting recursive operators to
> validate, which is a huge part of what's needed in wide scale DNSSEC
> deployment being useful.

Just flushing the cache is a good first step short of an NTA, that
addresses the issue at hand, without introducing stuff to later
(forget to) undo.

-- 
	Viktor.
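The "flush first, NTA only if that does not help" sequence above, as an added example that is not part of Viktor's message or of any resolver project's own tooling. It assumes a BIND 9 resolver driven with rndc (which supports an NTA lifetime, so the entry expires on its own) or an Unbound resolver driven with unbound-control (whose insecure_add has no lifetime, so the matching insecure_remove has to be scheduled by hand). The zone name slack.com comes from the thread subject; RNDC, UNBOUND_CONTROL and the function names are assumptions for this example, chosen so the commands can be pointed at a wrapper for a dry run.

```shell
#!/bin/sh
# Added example (not from the original thread): cache flush vs. negative
# trust anchor for a zone that fails DNSSEC validation, for BIND 9 (rndc)
# and Unbound (unbound-control). RNDC and UNBOUND_CONTROL are assumed
# variable names; override them to dry-run (e.g. RNDC=echo).

RNDC="${RNDC:-rndc}"
UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"

# Step 1: drop everything cached at and below the name so the resolver
# re-fetches the RRsets and signatures. Leaves nothing behind to undo.
flush_name() {
    name="$1"
    case "$2" in
        bind)    "$RNDC" flushname "$name" ;;
        unbound) "$UNBOUND_CONTROL" flush_zone "$name" ;;
        *)       echo "unknown resolver type: $2" >&2; return 2 ;;
    esac
}

# Step 2, only if the zone is still bogus after the flush: add a negative
# trust anchor. BIND takes a lifetime (seconds; default here 3600) and
# removes the NTA itself; Unbound's insecure_add stays until removed.
add_nta() {
    name="$1"; lifetime="${3:-3600}"
    case "$2" in
        bind)    "$RNDC" nta -lifetime "$lifetime" "$name" ;;
        unbound) "$UNBOUND_CONTROL" insecure_add "$name" ;;
        *)       echo "unknown resolver type: $2" >&2; return 2 ;;
    esac
}

# The step people forget: take the NTA out again once the zone is fixed.
remove_nta() {
    name="$1"
    case "$2" in
        bind)    "$RNDC" nta -remove "$name" ;;
        unbound) "$UNBOUND_CONTROL" insecure_remove "$name" ;;
        *)       echo "unknown resolver type: $2" >&2; return 2 ;;
    esac
}

# Show which NTAs are currently in force, so stale ones can be found.
list_nta() {
    case "$1" in
        bind)    "$RNDC" nta -dump ;;
        unbound) "$UNBOUND_CONTROL" list_insecure ;;
        *)       echo "unknown resolver type: $1" >&2; return 2 ;;
    esac
}

# RCODE of a query against a resolver, e.g. NOERROR or SERVFAIL. Pass
# "+cd" as $3 to disable validation: SERVFAIL without +cd but NOERROR
# with +cd is the signature of a DNSSEC problem rather than a dead zone.
query_status() {
    resolver="$1"; name="$2"; shift 2
    dig "@$resolver" +noall +comments "$@" "$name" A \
        | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# Driver: flush, re-check, and only then decide whether an NTA is needed.
# Usage: remediate slack.com bind 127.0.0.1
remediate() {
    name="$1"; kind="$2"; resolver="${3:-127.0.0.1}"
    flush_name "$name" "$kind" || return $?
    if [ "$(query_status "$resolver" "$name")" != SERVFAIL ]; then
        echo "$name resolves after flush; no NTA needed"
        return 0
    fi
    if [ "$(query_status "$resolver" "$name" +cd)" = NOERROR ]; then
        echo "$name is a validation failure; adding NTA" >&2
        add_nta "$name" "$kind"
    else
        echo "$name fails even with +cd; this is not a DNSSEC problem" >&2
        return 1
    fi
}
```

Run the flush step first and check again before reaching for add_nta; when an NTA is added on Unbound, the remove_nta call has to be scheduled, since nothing expires it. list_nta is the periodic check for anchors that were never taken out.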