North American Network Operators Group


Re: US government mandates use of DNSSEC by federal agencies

  • From: Michael Thomas
  • Date: Wed Aug 27 20:15:08 2008

David Conrad wrote:
> On Aug 27, 2008, at 11:03 AM, Michael Thomas wrote:
>> In any case, the point of my first question was really about the
>> concern of false positives. Do we really have any idea what will
>> happen if you hard fail dnssec failures?
>
> As far as I'm aware, there is no 'soft fail' for DNSSEC failures. In the caching servers I'm familiar with, if a name fails to validate, it used to be that it doesn't get cached and SERVFAIL is returned. Maybe that's been fixed?

Sure, but my point is that if DNSSEC all of a sudden has some relevance, which is not the case today, any false positives are going to come into pretty stark relief. As in, .gov could quite possibly be setting themselves up for self-inflicted denial of service given bugginess in the signers, the verifiers or both.

Given how integral DNS is to everything, it seems a little scary to just
trust that all of that software across many, many vendors is going to
interoperate at *scale*. It seems that some training wheels like an
accept-failure-but-log mode with feedback like "your domain failed"
to the domain's admins might be safer. At least for a while, as
this new treadmill's operational care and feeding is established.


Mike
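The "accept-failure-but-log" training-wheels mode Mike asks for does exist in at least one validating resolver. The fragment below is an added illustration, not part of the original post and not anything the thread's participants wrote; it shows an Unbound `unbound.conf` with the strict default (bogus answers are dropped and the client gets SERVFAIL) next to a permissive configuration that hands the answer back anyway but writes a validation-failure line to the log, plus the per-zone escape hatch for a domain whose signer is known to be broken. The file paths and the `example.gov` zone are placeholders chosen for the example.

```conf
server:
    # Validation is enabled by loading a trust anchor; with the validator
    # module active, an answer that fails to validate is marked bogus.
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # path is an assumption

    # --- Strict (default) behaviour: hard fail -----------------------------
    # Bogus data is not cached and not returned; the stub resolver sees
    # SERVFAIL. This is the self-inflicted-DoS scenario from the thread.
    val-permissive-mode: no

    # --- Permissive / log-only behaviour: "training wheels" ----------------
    # Flip the line above to "yes" and the resolver returns bogus data to
    # clients as if it were insecure (no AD bit), while still logging why
    # validation failed. Keep val-log-level at 2 so each log line names the
    # owner name, the failing server and the reason (expired signature,
    # missing DS, etc.), which is exactly the "your domain failed" feedback
    # an operator needs to chase the signer that produced it.
    # val-permissive-mode: yes
    val-log-level: 2

    # --- Per-zone escape hatch ---------------------------------------------
    # If one domain's signatures are broken and the rest of the tree is
    # fine, treat only that zone as unsigned instead of disabling validation
    # globally. Zone name is a placeholder.
    # domain-insecure: "example.gov"
```

Two operational caveats go with this. First, permissive mode gives up the protection DNSSEC was deployed for, since a forged answer is returned just like a mis-signed one, so it only makes sense as a time-boxed measure while the signers and verifiers shake out. Second, a SERVFAIL on its own does not tell a client whether validation failed or the authoritative servers were simply unreachable; the quick check from a validating resolver's client is to repeat the query with the CD (checking disabled) bit set, e.g. `dig +cd +dnssec`. If the CD query returns an answer and the plain query returns SERVFAIL, the failure is a validation failure and belongs to whoever signed the zone, not to network reachability.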