[dns-operations] slack.com bogus

Paul Ebersman list-dns-operations at dragon.net
Thu Sep 30 23:14:34 UTC 2021


pe> If NASA borks their DNSSEC, the large recursive resolvers eat huge
pe> customer support costs but NASA is mostly unscathed (and may not
pe> even notice immediately). So the incentive to do better
pe> operationally is light for NASA but the resolver operators have very
pe> little leverage to encourage them to do better.

dukhovni> That was true then, but the pain felt by auth server operators
dukhovni> has grown a bunch as over time more of the world is doing
dukhovni> validation.

Which is actually impeding DNSSEC for domains where outages of DNS
instantly cause revenue issues. Knowing you're off the air in a
significant part of the world means a good deal of the Alexa 1000 still
won't sign their "money" domains.

NTAs as an option (along with public "flush this domain" for large
recursives) blunt the arguments of DNSSEC haters that DNSSEC is too
fragile for valuable domains.

Not saying NTAs are wonderful. Just saying that they are a necessary
evil until we have better DS handling, key rollover software, industry
experience in operations. We did it (mostly) with certs and HTTPS and we
can do it with DNSSEC, but we're not there yet.
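Added example, not part of the original thread or any resolver vendor's code: a small triage script a recursive-resolver operator could run over validation-failure log lines to spot a zone that has gone bogus and print the NTA commands for BIND (`rndc nta`) and Unbound (`unbound-control insecure_add`). The log lines are constructed and only approximate Unbound's "validation failure" format; the threshold, lifetime and zone-extraction rule are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines, in the style of Unbound's validation
# failure messages (format approximated; check against your own logs).
SAMPLE_LOG = """\
Sep 30 22:01:11 r1 unbound[123]: info: validation failure <slack.com. A IN>: signature expired from 203.0.113.10 for DS slack.com.
Sep 30 22:01:12 r1 unbound[123]: info: validation failure <slack.com. AAAA IN>: signature expired from 203.0.113.10 for DS slack.com.
Sep 30 22:01:15 r1 unbound[123]: info: validation failure <www.slack.com. A IN>: signature expired from 203.0.113.11 for DS slack.com.
Sep 30 22:02:03 r1 unbound[123]: info: validation failure <example.org. A IN>: no signatures from 198.51.100.5 for key example.org.
Sep 30 22:02:20 r1 unbound[123]: info: resolving www.example.net. A IN
"""

FAILURE_RE = re.compile(
    r"validation failure <(?P<name>\S+) (?P<rtype>\S+) (?P<rclass>\S+)>: (?P<reason>.*)")
ZONE_IN_REASON_RE = re.compile(r"for (?:DS|key) (\S+)")


def failing_zone(name: str, reason: str) -> str:
    """Zone whose chain of trust broke: taken from the 'for DS/key <zone>'
    part of the reason when present, otherwise the queried name itself.
    An NTA must be placed at that zone, not at an arbitrary child name."""
    m = ZONE_IN_REASON_RE.search(reason)
    return m.group(1) if m else name


def bogus_zones(log_text: str, threshold: int = 2) -> dict:
    """Count validation failures per zone; return zones at/above threshold
    (assumed value) so a single stray failure does not trigger an NTA."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[failing_zone(m.group("name"), m.group("reason"))] += 1
    return {zone: n for zone, n in counts.items() if n >= threshold}


def nta_commands(zones, lifetime: str = "1h") -> list:
    """Commands to run only after confirming (e.g. with dig +cd) that the
    zone's data resolves fine without validation, i.e. the failure is a
    DNSSEC defect rather than a real outage. Keep the lifetime short: an
    NTA switches DNSSEC protection off for that zone. Unbound's entry has
    no timer and must be removed later with insecure_remove."""
    cmds = []
    for zone in sorted(zones):
        cmds.append(f"rndc nta -lifetime {lifetime} {zone}")   # BIND 9
        cmds.append(f"unbound-control insecure_add {zone}")    # Unbound
    return cmds


if __name__ == "__main__":
    for cmd in nta_commands(bogus_zones(SAMPLE_LOG)):
        print(cmd)
```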