North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

  • From: Joe Abley
  • Date: Thu Jul 24 11:13:35 2008


On 24 Jul 2008, at 10:56, Joe Greco wrote:


MY move? Fine. You asked for it. Had I your clout, I would have used
this opportunity to convince all these new agencies that the security of
the Internet was at risk, and that getting past the "who holds the keys"
for the root zone should be dealt with at a later date. Get the root
signed and secured.

Even if that was done today, there would still be a risk of cache poisoning for months and years to come.


You're confusing the short-term and the long-term measures, here.

Get the GTLD's signed and secured.

I encourage you to read some of the paper trail involved with getting ORG signed, something that the current roadmap still doesn't accommodate for the general population of child zones until 2010. It might be illuminating.


Even once everything is signed and working well to the zones that registries are publishing, we need to wait for registrars to offer DNSSEC key management to their customers.

Even once registrars are equipped, we need people who actually host customer zones to sign them, and to acquire operational competence required to do so well.

And even after all this is done, we need a noticeable proportion of the world's caching resolvers to turn on validation, and to keep validation turned on even though the helpdesk phone is ringing off the hook because the people who host the zones your customers are trying to use haven't quite got the hang of DNSSEC yet, and their signatures have all expired.

Compared with the problem of global DNSSEC deployment, getting everybody in the world to patch their resolvers looks easy.


Joe