hat tip to .gov hostmasters

Florian Weimer fweimer at bfk.de
Mon Sep 22 10:20:18 CDT 2008

* Keith Medcalf:

>> Correct, you need a validating, security-aware stub resolver, or the
>> ISP needs to validate the records for you.
> That would defeat the entire purpose of using DNSSEC.  In order for
>DNSSEC to actually provide any improvement in security whatsoever,
>the ROOT ZONE (.) needs to be signed, and every delegation up the
>chain needs to be signed.  And EVERY resolver (whether recursive or
>local on host) needs to understand and enforce DNSSEC.

Either the resolver needs to enforce, or the host.  It's not necessary
to do both.  It's also not strictly necessary that the root is signed,
provided that there is some way to manage the trust anchors (either
through software updates, like it is done for the browser CA list, or
through regular DNS management at the ISP resolver).

> If even one delegation is unsigned or even one resolver does not
> enforce DNSSEC, then, from an actual security perspective, you will
> be far worse off than you are now.


> Until such time as EVERY SINGLE DOMAIN including the root is signed
> and every single DNS Server and resolver (including the local host
> resolvers) understand and enforce DNSSEC you should realize that
> DNSSEC does nothing for you whatsoever except give the uneducated a
> false sense of "security".

DNSSEC is totally invisible to the end user.  There won't be any
browser icon that says "it's okay to enter your PII here because the
zone is DNSSEC-signed".  It's purely an infrastructure measure, like
physically securing your routers.

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

More information about the NANOG mailing list