On May 10, 2012, at 11:20 AM, Daniel Ryšlink wrote:

> 
> On 05/10/2012 04:33 PM, Barry Margolin wrote:
>> In article<mailman.748.1336659466.63724.bind-us...@lists.isc.org>,
>>  Tony Finch<d...@dotat.at>  wrote:
>> 
>>> Barry Margolin<bar...@alum.mit.edu>  wrote:
>>>> [Validation is] only untroublesome until someone screws things up on
>>>> their auth server.  When one of your users can't access something.gov,
>>>> they'll complain to YOU, even though it's mostly out of your hands.
>>>> 
>>>> This is true for other problems on auth servers as well, of course.  But
>>>> DNSSEC is new enough that there tend to be more failures of this kind,
>>>> even by organizations that until now have seemed to know what they're
>>>> doing.
>>> Some of the early DNSSEC deployments (especially in .gov) did not use good
>>> tooling. That's much less of a problem now. See for instance the big
>>> DNSSEC deployments in Sweden, Czech, Brazil.
>>> 
>>> Even third party DNSSEC screwups have not caused us much trouble.
>> Every week or two someone complains in the Comcast Help Forum about
>> being unable to resolve some .gov address, and the usual cause is that
>> the domain operator messed up their DNSSEC.
>> 
>> But I agree that it's not as frequent as it was 6 months ago.  It also
>> helps that Comcast can now work around it by configuring exceptions to
>> DNSSEC checking.
>> 
> 
> What's the point of DNSSec when resolver administrators configure exceptions 
> on regular basis? If you can't be sure when your resolver does or does not 
> validate, why having signed zones in the first place? It's just seems to be 
> another "shared illusion of security" similar to PKI.

Nope -- Comcast does a large amount of checking before turning off validation 
for a failing domain. 
This is (IMO) more secure than the alternative, which is to simply leave it 
failing, and have users move to a non-validatiing resolver instead…

W


> _____________
> __________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to