North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: US government mandates? use of DNSSEC by federal agencies

  • From: Michael Thomas
  • Date: Wed Aug 27 14:04:02 2008
Jeroen Massar wrote:
Steven M. Bellovin wrote: 
On Wed, 27 Aug 2008 09:53:26 -0700
"Kevin Oberman" <[email protected]> wrote:

So the question I have is... will operators (ISP, etc) turn on
DNSsec checking? Or a more basic question of whether you even
_could_ turn on checking if you were so inclined?
As far as I can see, at least with bind-9.5, operators would have to
turn it off. It looks to me like dnssec-validation defaults to on. It
also appears that bind-9.4 defaults to 'off'. 
Right.  The real questions are the clients and the trust anchor -- what
root key do you support?


A distributed one. I personally don't really see an issue with
downloading a public key for every TLD out there. These keys could come
in a pack even by an OS distribution, nicely PGP signed et all...
Nobody in his right mind manages this per box anymore anyway, and
packages for distributions and auto-updates are well-present anyway.

The presence of a key file can also mean to the resolver that one
can/has_to check dnssec results.



Heh, maybe you could manage root key update like any other security
alert/update on your host OS... Of course embedded frobs that don't
auto-update like, oh say, your favorite router could be problematic.
And I'd assume that those key parts of the infrastructure are probably
not too keen on trusting their upstream resolver to do the checking
for them.

In any case, the point of my first question was really about the
concern of false positives. Do we really have any idea what will
happen if you hard fail dnssec failures? If I were running a large
site, I'd want to monitor the failures for a while. If nothing
else, dnssec is a complicated beast and bakeoffs can only flush
so many bugs out.

Mike