On 15 aug 2008, at 22.01, David Conrad wrote:
> Let me try to (hopefully) more clearly articulate my question: given
> the fact that caching servers only care about DNSSEC if they're
> explicitly configured to do so, does anyone anticipate any stability/
> security concerns to those folks who _haven't_ configured DNSSEC if
> the root is signed?
Good question David, thanks for asking it.
My view is that the answer is NO.
Yes, just because the root is signed, we will see an uptake in the
number of resolvers choosing to verify DNSSEC signed responses.
Yes, people will shoot themselves in the foot by forgetting the trust
anchors, but as you have pointed out, they will discover this pretty
quickly and then either go back to where they are today (turn off
DNSSEC verification), or update the trust anchor.
I am though of the view that we many times in the Internet
Architecture have created tools that give the ability to people to
shoot themselves in their foot. Sometimes both at the same time!
But, as DNSSEC is an opt-in technology, people really have to first do
an active opt-in action before they find their feet hurt. People can
with a signed root choose themselves whether they want to participate
or not.
I am today much more worried about doing "too much" signing of leaf
nodes of the DNS tree before we can start doing the signing of nodes from
root and down the tree. Regardless of how well TARs will work, I
claim the ability to damage one's feet increases with the number of
signed zones before the root is signed. But don't ask me at what
number of TLDs (say) we pass the line of "too many".
Patrik
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop