Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?
jabley at ca.afilias.info
Thu Jul 24 15:13:24 UTC 2008
On 24 Jul 2008, at 10:56, Joe Greco wrote:
> MY move? Fine. You asked for it. Had I your clout, I would have
> this opportunity to convince all these new agencies that the
> security of
> the Internet was at risk, and that getting past the "who holds the
> for the root zone should be dealt with at a later date. Get the root
> signed and secured.
Even if that was done today, there would still be a risk of cache
poisoning for months and years to come.
You're confusing the short-term and the long-term measures, here.
> Get the GTLD's signed and secured.
I encourage you to read some of the paper trail involved with getting
ORG signed, something that the current roadmap still doesn't
accommodate for the general population of child zones until 2010. It
might be illuminating.
Even once everything is signed and working well to the zones that
registries are publishing, we need to wait for registrars to offer
DNSSEC key management to their customers.
Even once registrars are equipped, we need people who actually host
customer zones to sign them, and to acquire operational competence
required to do so well.
And even after all this is done, we need a noticeable proportion of
the world's caching resolvers to turn on validation, and to keep
validation turned on even though the helpdesk phone is ringing off the
hook because the people who host the zones your customers are trying
to use haven't quite got the hang of DNSSEC yet, and their signatures
have all expired.
Compared with the problem of global DNSSEC deployment, getting
everybody in the world to patch their resolvers looks easy.
More information about the NANOG