US government mandates? use of DNSSEC by federal agencies

David Conrad drc at virtualized.org
Wed Aug 27 19:26:58 CDT 2008


Michael,

On Aug 27, 2008, at 5:15 PM, Michael Thomas wrote:
> Sure, but my point is that if DNSsec all of a sudden has some  
> relevance
> which is not the case today, any false positives are going to come  
> into
> pretty stark relief.

Yep.

> As in, .gov could quite possibly setting themselves
> up for self-inflicted denial of service given buginess in the signers,
> the verifiers or both.

Given how long the signers and verifiers have been around, I suspect a  
more likely failure mode is folks running caching servers forgetting  
to update trust anchors and/or signers forgetting to resign before the  
validity period expires.  However, bugs do happen...

> Given how integral DNS is to everything, it seems a little scary to  
> just
> trust that all of that software across many, many vendors is going to
> interoperate at *scale*. It seems that some training wheels like an
> accept-failure-but-log mode with feedback like "your domain failed"
> to the domain's admins might be safer. At least for a while, as
> this new treadmill's operational care and feeding is established.

I agree and I know for certain this has been suggested in the past for  
at least one of the validating caching servers.  However, I gather  
this hasn't been implemented....

Regards,
-drc





More information about the NANOG mailing list