On 02-Aug-22 13:51, Brown, William wrote:
my guess is that they see dnssec as fragile, have not seen _costly_ dns subversion, and measure a dns outages in thousands of dollars a minute.No one wants to be this guy: http://www.dnssec.comcast.net/DNSSEC_Validation_Failure_NASAGOV_201201 18_FINAL.pdfso, to me, a crucial question is whether dnssec ccould be made to fail more softly and/or with a smaller blast radius? randyI'm more of a mail guy than DNS, so yes, like hard v. soft fail in SPF. Or perhaps some way of the client side deciding how to handle hard v./ soft failure.
As Mark has pointed out, validation is a client issue. Setting up DNSSEC properly and keeping it running is for the server admin - which bind is incrementally automating.
For bind, the work-around for bad servers (which is mentioned in the article) is to setup negative trust anchors in the client for zones that fail. And notify the zone administrator to fix the problem. I usually point them to a DNSVIZ report on their zone.
The nasa.gov failure was avoidable. nasawatch, which is an excellent resource for space news, jumped to an incorrect conclusion about the outage - and never got the story straight. In fact, all validating resolvers (including mine) correctly rejected the signatures. It wasn't comcast's fault - they were a victim.
It is an unfortunate reality that admins will make mistakes. And that there is no way to get all resolvers to fix them - you can't even find all the resolvers. (Consider systemd-resolved, or simply finding all the recursive bind, powerdns, etc instances...)
There is no global "soft" option - aside from unsigning the zone and waiting for the TTLs to expire. And besides being a really bad idea, it's easier to fix the immediate problem and learn not to repeat it.
Long term, automation of the (re-)signing and key roll-overs will reduce the likelihood of these outages. It is truly unfortunate that it's so late in coming.
It may take a flag day to get major resolver operators, dns servers, and client resolvers all on the same page. I'm not holding my breath.
Timothe Litt ACM Distinguished Engineer -------------------------- This communication may not represent the ACM or my employer's views, if any, on the matters discussed.
OpenPGP_signature
Description: OpenPGP digital signature
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
