North American Network Operators Group


Re: US government mandates? use of DNSSEC by federal agencies

  • From: David Conrad
  • Date: Wed Aug 27 20:27:07 2008

Michael,

On Aug 27, 2008, at 5:15 PM, Michael Thomas wrote:
> Sure, but my point is that if DNSsec all of a sudden has some relevance
> which is not the case today, any false positives are going to come into
> pretty stark relief.

Yep.


> As in, .gov could quite possibly be setting themselves
> up for a self-inflicted denial of service given bugginess in the signers,
> the verifiers or both.

Given how long the signers and verifiers have been around, I suspect a more likely failure mode is folks running caching servers forgetting to update trust anchors and/or signers forgetting to resign before the validity period expires. However, bugs do happen...


> Given how integral DNS is to everything, it seems a little scary to just
> trust that all of that software across many, many vendors is going to
> interoperate at *scale*. It seems that some training wheels like an
> accept-failure-but-log mode with feedback like "your domain failed"
> to the domain's admins might be safer. At least for a while, as
> this new treadmill's operational care and feeding is established.

I agree and I know for certain this has been suggested in the past for at least one of the validating caching servers. However, I gather this hasn't been implemented....


Regards,
-drc
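The two failure modes discussed above (signers letting RRSIG validity windows lapse, and a resolver "accept-failure-but-log" mode instead of hard SERVFAIL) are easy to illustrate with a small monitoring script. The following is an added example written for this archive page; it is not code from the thread's participants or from any DNS implementation. It parses RRSIG records in zone-file presentation format (RFC 4034 field order), flags signatures that are expired, not yet valid, or about to expire, and models a resolver policy switch between "enforce" and "log-only". The sample records, the `example.gov.` zone name, the key tags, the fixed "current time" and the `resolver_policy` function are all constructed for the example.

```python
"""RRSIG validity monitoring plus a log-only validation policy.

Constructed example for illustration; not from the NANOG thread or any
DNS software. Times are UTC as required for RRSIG signature times.
"""
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional, Tuple


class RRSIG(NamedTuple):
    owner: str
    type_covered: str
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def parse_sigtime(value: str) -> datetime:
    """Parse a YYYYMMDDHHmmSS signature time (RFC 4034 section 3.2) as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> RRSIG:
    """Parse one zone-file style RRSIG line.

    Field order: owner ttl class RRSIG type_covered alg labels original_ttl
                 expiration inception key_tag signer signature
    """
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return RRSIG(
        owner=f[0],
        type_covered=f[4],
        expiration=parse_sigtime(f[8]),
        inception=parse_sigtime(f[9]),
        key_tag=int(f[10]),
        signer=f[11],
    )


def check_rrsig(sig: RRSIG, now: datetime, warn_days: int = 7) -> str:
    """Classify a signature relative to 'now': ok, expiring-soon, expired, not-yet-valid."""
    if now < sig.inception:
        return "not-yet-valid"
    if now >= sig.expiration:
        return "expired"
    if sig.expiration - now <= timedelta(days=warn_days):
        return "expiring-soon"
    return "ok"


def resign_warnings(lines: List[str], now: datetime, warn_days: int = 7) -> List[str]:
    """Return one warning per RRSIG that needs the signer's attention."""
    warnings = []
    for line in lines:
        sig = parse_rrsig(line)
        state = check_rrsig(sig, now, warn_days)
        if state != "ok":
            warnings.append(
                f"{sig.owner} {sig.type_covered} keytag={sig.key_tag}: {state} "
                f"(expires {sig.expiration:%Y-%m-%d %H:%M}Z)"
            )
    return warnings


def resolver_policy(validation: str, mode: str) -> Tuple[bool, Optional[str]]:
    """Hypothetical resolver policy switch (not a feature of any named resolver).

    validation: one of the DNSSEC outcomes "secure", "insecure", "bogus".
    mode: "enforce" withholds bogus answers (SERVFAIL); "log-only" serves
          them but records the failure so the zone's admins can be notified.
    Returns (serve_answer, log_message).
    """
    if validation != "bogus":
        return True, None
    if mode == "log-only":
        return True, "validation failed; answer served in log-only mode"
    return False, "validation failed; returning SERVFAIL"


# Constructed sample records; signatures are placeholders, not real base64.
SAMPLE_RRSIGS = [
    "www.example.gov. 3600 IN RRSIG A 5 3 3600 20080910000000 20080811000000 12345 example.gov. AAAA==",
    "example.gov. 3600 IN RRSIG SOA 5 2 3600 20080901000000 20080802000000 12345 example.gov. AAAA==",
    "example.gov. 3600 IN RRSIG NS 5 2 3600 20081015000000 20080815000000 12345 example.gov. AAAA==",
    "example.gov. 3600 IN RRSIG DNSKEY 5 2 3600 20081015000000 20080915000000 54321 example.gov. AAAA==",
]
NOW = datetime(2008, 9, 8, tzinfo=timezone.utc)  # constructed "current time"

if __name__ == "__main__":
    for w in resign_warnings(SAMPLE_RRSIGS, NOW):
        print("WARN", w)
    for mode in ("enforce", "log-only"):
        print(mode, resolver_policy("bogus", mode))
```

Run as a cron job against a signed zone's RRSIG output, the expiry check gives the "resign before the validity period expires" reminder that the reply above identifies as the likelier failure; the `resolver_policy` function is only a sketch of the log-only behaviour proposed in the quoted message, not an implementation of any resolver's configuration.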