US government mandates? use of DNSSEC by federal agencies
David Conrad
drc at virtualized.org
Thu Aug 28 00:26:58 UTC 2008
Michael,

On Aug 27, 2008, at 5:15 PM, Michael Thomas wrote:
> Sure, but my point is that if DNSsec all of a sudden has some relevance
> which is not the case today, any false positives are going to come into
> pretty stark relief.

Yep.

> As in, .gov could quite possibly be setting themselves
> up for self-inflicted denial of service given bugginess in the signers,
> the verifiers or both.

Given how long the signers and verifiers have been around, I suspect a
more likely failure mode is folks running caching servers forgetting
to update trust anchors and/or signers forgetting to re-sign before the
validity period expires. However, bugs do happen...

> Given how integral DNS is to everything, it seems a little scary to just
> trust that all of that software across many, many vendors is going to
> interoperate at *scale*. It seems that some training wheels like an
> accept-failure-but-log mode with feedback like "your domain failed"
> to the domain's admins might be safer. At least for a while, as
> this new treadmill's operational care and feeding is established.

I agree and I know for certain this has been suggested in the past for
at least one of the validating caching servers. However, I gather
this hasn't been implemented....

Regards,
-drc
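
The failure mode named in the message above, signatures not being re-signed before the validity period expires, can be watched for in the log-and-report spirit the thread suggests. The following is an added example, not part of the original message or of any DNS server's code: it parses RRSIG records in presentation format and reports which are expired, close to expiry, or not yet valid, without rejecting anything. The sample records, the 3-day warning window and all function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the presentation format printed by `dig +dnssec`.
# Owner names, key tag and signature bytes are made up for illustration.
SAMPLE = """\
example.org.     3600 IN RRSIG SOA 5 2 3600 20080915000000 20080816000000 12345 example.org. AbCd==
www.example.org. 3600 IN RRSIG A 5 3 3600 20080829000000 20080730000000 12345 example.org. EfGh==
old.example.org. 3600 IN RRSIG A 5 3 3600 20080820000000 20080721000000 12345 example.org. IjKl==
new.example.org. 3600 IN RRSIG A 5 3 3600 20080930000000 20080829000000 12345 example.org. MnOp==
"""

def sig_time(field):
    """RRSIG times: 14-digit YYYYMMDDHHmmSS (UTC) or epoch seconds (RFC 4034, 3.2)."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsigs(text):
    """Yield (owner, type_covered, inception, expiration) for each RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        if "RRSIG" not in f:
            continue
        i = f.index("RRSIG")
        if len(f) < i + 10:
            continue  # truncated record, skip rather than guess
        # RDATA order: type alg labels orig_ttl expiration inception key_tag signer sig
        yield f[0], f[i + 1], sig_time(f[i + 6]), sig_time(f[i + 5])

def classify(inception, expiration, now, warn=timedelta(days=3)):
    """Mirror the validator's window check, plus an early-warning state."""
    if now < inception:
        return "NOT_YET_VALID"  # usually clock skew on the signer or the checker
    if now > expiration:
        return "EXPIRED"        # a validating resolver would now fail this RRset
    if expiration - now <= warn:
        return "EXPIRING"       # re-sign before validators start failing it
    return "OK"

def audit(text, now, warn=timedelta(days=3)):
    """Report-only pass: returns findings, never blocks resolution."""
    return [(owner, rtype, classify(inc, exp, now, warn))
            for owner, rtype, inc, exp in parse_rrsigs(text)]

if __name__ == "__main__":
    for owner, rtype, state in audit(SAMPLE, datetime.now(timezone.utc)):
        print(f"{state:14} {owner} {rtype}")
```

Run on a schedule against the output of `dig +dnssec` for a zone's key records, the non-OK rows give the domain's admins the "your domain failed" feedback before a validator does.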