Hi Philip,

On 2 May 2024, at 10:38, Philip Homburg <pch-dnso...@u-1.phicoh.com> wrote:

> Let's say I sign my zones using some scripts and ldns-signzone. This
> has been working for years so is now on autopilot.
> 
> Then an RFC gets published that signers MUST NOT support signing using SHA1,
> so ldns removes those algorithms. Then a software update brings the new
> version of ldns to my system. Now an unsigned zone gets deployed, and the whole
> zone is considered bogus by validators who see valid DS record but not a
> corresponding signed zone.

DNSSEC is not a fire-and-forget system. It adds brittleness to the DNS because 
it introduces reasons for failure that were not previously there. It requires 
signatures to be updated, which means it requires changes that were not 
previously required in order to keep things in a reasonable state.

What you describe above is not very different to my amateur-maintained mail 
server (that I keep begging my family members to stop using for important 
things) that routinely breaks because I've blindly upgraded a package and 
become distracted before checking that everything still works. In those kinds 
of situations it often breaks, and it should break, because it's not 
responsible to run a poorly-maintained mail server on the Internet.

I am one of many people who have volunteered their time in capacity-building 
projects in developing regions of the Internet over the past couple of decades. 
When those projects have included DNSSEC, I try to drill into people that 
DNSSEC is not just a checkbox or a sign of competence; it's an ongoing 
responsibility, and if you don't have the resources or inclination to look 
after it carefully after you have deployed it, the result will be failure and 
instability.

DNSSEC is like a cat. It requires care and feeding. You should not buy one for 
Christmas and ignore it.

Generally, I do not think it's a problem that unmaintained DNSSEC 
infrastructure might lead to failures because of changes to the protocol. I 
think it's a feature.


Joe
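A pre-publish sanity check for the failure mode Philip describes (a signing script that silently emits an unsigned zone while the parent still holds a DS), written here as an added example rather than anything from this thread or from ldns. It assumes a simple one-record-per-line zone file and uses constructed sample data; it also goes a step beyond the thread by flagging DS records that depend on SHA-1, since those are the ones a signer dropping SHA-1 would break.

```python
import base64
import hashlib
import struct

# Constructed sample data (not from the thread): a zone fragment with one
# ECDSAP256SHA256 (alg 13) KSK and an RRSIG line; the base64 blobs are dummies.
FAKE_KEY = base64.b64encode(b"not a real key, just sample bytes").decode()
SIGNED_ZONE = (f"example.test. 3600 IN DNSKEY 257 3 13 {FAKE_KEY}\n"
               "example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20240601000000 "
               "20240501000000 0 example.test. c2ln\n")
# What a script that silently copied its unsigned input would publish.
UNSIGNED_ZONE = "example.test. 3600 IN SOA ns1.example.test. root.example.test. 1 2 3 4 5\n"

def wire_name(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (for algorithms other than 1)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_rrs(zone_text):
    """Yield (owner, type, fields) for each line of a one-RR-per-line zone file."""
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 4:
            yield f[0], f[3], f[4:]

def dnskeys(zone_text):
    """Yield (owner, DNSKEY RDATA bytes) for every DNSKEY record in the zone."""
    for owner, rtype, f in parse_rrs(zone_text):
        if rtype == "DNSKEY":
            hdr = struct.pack("!HBB", int(f[0]), int(f[1]), int(f[2]))
            yield owner, hdr + base64.b64decode("".join(f[3:]))

def ds_from_dnskey(owner, rdata, digest_type=2):
    """DS tuple (key tag, alg, digest type, hex digest) a parent would publish for this key."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return key_tag(rdata), rdata[3], digest_type, h(wire_name(owner) + rdata).hexdigest()

def predeploy_check(zone_text, parent_ds):
    """Return a list of problems; an empty list means the zone is safe to publish."""
    problems, keys = [], list(dnskeys(zone_text))
    if not keys:
        problems.append("zone has no DNSKEY: it is unsigned and will validate as bogus")
    if not any(t == "RRSIG" for _, t, _ in parse_rrs(zone_text)):
        problems.append("zone has no RRSIG records")
    published = {ds_from_dnskey(o, r, d[2]) for o, r in keys for d in parent_ds}
    if parent_ds and not published.intersection(parent_ds):
        problems.append("no DNSKEY in the zone matches any DS at the parent")
    for tag, alg, dtype, _ in parent_ds:
        if dtype == 1 or alg in (5, 7):  # SHA-1 digest or RSASHA1 signing algorithm
            problems.append(f"DS tag {tag} depends on SHA-1 (alg {alg}, digest {dtype})")
    return problems
```

Run it against the zone your signing script just wrote and the DS set you actually have at the parent, and refuse to push the zone if the list is non-empty.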
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
