[107199] in North American Network Operators' Group
Re: US government mandates? use of DNSSEC by federal agencies
daemon@ATHENA.MIT.EDU (David Conrad)
Wed Aug 27 20:27:06 2008
From: David Conrad <drc@virtualized.org>
To: Michael Thomas <mike@mtcc.com>
In-Reply-To: <48B5EE05.1080708@mtcc.com>
Date: Wed, 27 Aug 2008 17:26:58 -0700
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Michael,
On Aug 27, 2008, at 5:15 PM, Michael Thomas wrote:
> Sure, but my point is that if DNSsec all of a sudden has some relevance
> which is not the case today, any false positives are going to come into
> pretty stark relief.
Yep.
> As in, .gov could quite possibly be setting themselves
> up for self-inflicted denial of service given bugginess in the signers,
> the verifiers or both.
Given how long the signers and verifiers have been around, I suspect a
more likely failure mode is folks running caching servers forgetting
to update trust anchors and/or signers forgetting to re-sign before the
validity period expires. However, bugs do happen...
> Given how integral DNS is to everything, it seems a little scary to just
> trust that all of that software across many, many vendors is going to
> interoperate at *scale*. It seems that some training wheels like an
> accept-failure-but-log mode with feedback like "your domain failed"
> to the domain's admins might be safer. At least for a while, as
> this new treadmill's operational care and feeding is established.
I agree and I know for certain this has been suggested in the past for
at least one of the validating caching servers. However, I gather
this hasn't been implemented....
Regards,
-drc
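
An added example, not part of the original message or of any signer or validator discussed in it: a monitoring check for the failure mode named above, where a zone is not re-signed before the RRSIG validity period expires. The zone name, records, clock value and seven-day warning window are constructed for illustration; the field layout follows the RRSIG presentation format of RFC 4034.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: RRSIG records as printed by a zone file or dig.
# Fields: owner TTL class RRSIG covered alg labels origTTL expiration
#         inception keytag signer signature
SAMPLE = """\
agency.example. 3600 IN RRSIG SOA 8 2 3600 20080926000000 20080827000000 12345 agency.example. AAAA
agency.example. 3600 IN RRSIG NS 8 2 3600 20080829000000 20080730000000 12345 agency.example. AAAA
www.agency.example. 300 IN RRSIG A 8 3 300 20080820000000 20080721000000 12345 agency.example. AAAA
mail.agency.example. 300 IN RRSIG A 8 3 300 20080930000000 20080901000000 12345 agency.example. AAAA
"""

def parse_time(field):
    """RFC 4034 allows YYYYMMDDHHmmSS or decimal seconds since the epoch."""
    if len(field) == 14:
        dt = datetime.strptime(field, "%Y%m%d%H%M%S")
        return dt.replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def check_rrsigs(text, now, warn_before=timedelta(days=7)):
    """Return (owner, covered_type, status) for every RRSIG line in text."""
    results = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3].upper() != "RRSIG":
            continue  # not an RRSIG record in presentation format
        expiration, inception = parse_time(f[8]), parse_time(f[9])
        if now >= expiration:
            status = "EXPIRED"          # validators will reject this RRset
        elif now < inception:
            status = "NOT_YET_VALID"    # signer or checker clock is off
        elif expiration - now <= warn_before:
            status = "EXPIRING_SOON"    # re-sign before this lapses
        else:
            status = "OK"
        results.append((f[0], f[4], status))
    return results

if __name__ == "__main__":
    # Constructed "current time" so the sample gives a fixed result.
    now = datetime(2008, 8, 27, 20, 0, 0, tzinfo=timezone.utc)
    for owner, covered, status in check_rrsigs(SAMPLE, now):
        print(f"{status:14} {owner} {covered}")
```

Run against the authoritative servers' published signatures, a check like this reports a lapsing signature to the zone's own admins before validating resolvers start rejecting the answers.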