Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

Fri, 15 Aug 2008 16:42:52 -0700 

At 4:07 PM -0700 8/15/08, David Conrad wrote:

Paul,

On Aug 15, 2008, at 1:51 PM, Paul Hoffman wrote:
If what you really, really mean to ask is "given the fact that caching servers only care about DNSSEC if they're explicitly configured to do so, does anyone anticipate any stability/security concerns to those folks who _don't_ configure DNSSEC if the root is signed?", then I would say no, I don't see any.
OK, thanks. I suspect this question will be coming from on high at some point...
As to your question above: people who _haven't_ configured DNSSEC _will_ configure DNSSEC after the root is signed due to lots of press and the general feeling that more security layers are good. If we don't give those people the right tools to properly configure and properly maintain those configurations, there will be stability issues, as I listed earlier.
This reads a bit to me like "build it and they will come and hit themselves upside their heads with bats, so don't build it until we've figured out how to keep people from hurting themselves." 

s/keep people/keep most people/  Yes.
If someone configures DNSSEC in their caching server and then forgets their care and feeding duties, they will at some point discover that their DNS lookups aren't working so well and they'll either undertake their care and feeding duties with a bit more diligence (and/or upgrade to newer technology that handles care and feeding duties with minimal manual intervention) or they'll turn off DNSSEC.
The above assumes that all the DNSSEC-capable resolvers have error messages for "the trust anchor for .tld has gone bad and here is what you can do about it" that are as easy to understand as "the trust anchor for .tld has gone bad and here is what you can do about it". That seems pretty unlikely from recent history. Even the "you might want to turn off DNSSEC until you understand what is happening" is a bit of a stretch with current resolver software.
So, in the worst case, they'll get bitten and revert back to the same level of security (or lack thereof) they have today. 

Fully agree.


Is this worth blocking DNSSEC deployment?
Nope, but that is not what you asked. You asked for "any stability/security concerns", not blocking concerns. 

--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to