Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

Joe Abley jabley at
Thu Jul 24 15:13:24 UTC 2008

On 24 Jul 2008, at 10:56, Joe Greco wrote:

> MY move?  Fine.  You asked for it.  Had I your clout, I would have  
> used
> this opportunity to convince all these new agencies that the  
> security of
> the Internet was at risk, and that getting past the "who holds the  
> keys"
> for the root zone should be dealt with at a later date.  Get the root
> signed and secured.

Even if that was done today, there would still be a risk of cache  
poisoning for months and years to come.

You're confusing the short-term and the long-term measures, here.

> Get the GTLD's signed and secured.

I encourage you to read some of the paper trail involved with getting  
ORG signed, something that the current roadmap still doesn't  
accommodate for the general population of child zones until 2010. It  
might be illuminating.

Even once everything is signed and working well to the zones that  
registries are publishing, we need to wait for registrars to offer  
DNSSEC key management to their customers.

Even once registrars are equipped, we need people who actually host  
customer zones to sign them, and to acquire operational competence  
required to do so well.

And even after all this is done, we need a noticeable proportion of  
the world's caching resolvers to turn on validation, and to keep  
validation turned on even though the helpdesk phone is ringing off the  
hook because the people who host the zones your customers are trying  
to use haven't quite got the hang of DNSSEC yet, and their signatures  
have all expired.

Compared with the problem of global DNSSEC deployment, getting  
everybody in the world to patch their resolvers looks easy.


More information about the NANOG mailing list