Hi Philip,

On 2 May 2024, at 10:38, Philip Homburg <pch-dnso...@u-1.phicoh.com> wrote:
> Let's say I sign my zones using some scripts and ldns-signzone. This
> has been working for years so is now on autopilot.
>
> Then an RFC gets published that signers MUST NOT support signing using SHA1,
> so ldns removes those algorithms. Then a software update brings the new
> version of ldns to my system. Now an unsigned zone gets deployed, and the whole
> zone is considered bogus by validators who see a valid DS record but not a
> corresponding signed zone.

DNSSEC is not a fire-and-forget system. It adds brittleness to the DNS because it introduces reasons for failure that were not previously there. It requires signatures to be updated, which means it requires changes that were not previously required in order to keep things in a reasonable state.

What you describe above is not very different to my amateur-maintained mail server (that I keep begging my family members to stop using for important things) that routinely breaks because I've blindly upgraded a package and become distracted before checking that everything still works. In those kinds of situations it often breaks, and it should break, because it's not responsible to run a poorly-maintained mail server on the Internet.

I am one of many people who have volunteered their time in capacity-building projects in developing regions of the Internet over the past couple of decades. When those projects have included DNSSEC, I try to drill into people that DNSSEC is not just a checkbox or a sign of competence; it's an ongoing responsibility, and if you don't have the resources or inclination to look after it carefully after you have deployed it, the result will be failure and instability.

DNSSEC is like a cat. It requires care and feeding. You should not buy one for Christmas and ignore it.

Generally, I do not think it's a problem that unmaintained DNSSEC infrastructure might lead to failures because of changes to the protocol. I think it's a feature.
Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
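The failure mode quoted in the message above (a signer silently emitting an unsigned zone while the parent still publishes a DS for it) is one that a pre-publication gate catches before a validator ever sees it. The following is an added example, not code from the thread, from ldns or from any DNSOP participant: it parses a zone in presentation format, derives the DS records (RFC 4034 key tag, RFC 4509 SHA-256 digest) for every apex DNSKEY, and refuses the zone unless the apex DNSKEY RRset carries an RRSIG and at least one derived DS matches what the parent publishes. The zone contents, the DNSKEY public key bytes and the "parent DS set" below are constructed for the example; in practice the parent set would come from `dig +dnssec DS <zone>` or the registrar. The gate checks chain-of-trust structure, not signature validity, so it complements rather than replaces a full validation run.

```python
"""Pre-publication gate for a DNSSEC-signed zone (added example, not ldns code).

Checks, for the apex:
  1. the DNSKEY RRset is covered by an RRSIG (an unsigned zone fails here), and
  2. at least one DNSKEY hashes to a DS the parent actually publishes
     (a stale or mismatched DS fails here).
"""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2: lowercase labels)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_sha256(owner: str, rdata: bytes) -> str:
    """RFC 4509 digest type 2: SHA-256(owner name in wire form || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def parse_zone(text: str):
    """Minimal presentation-format parser: one record per line, no $ directives."""
    rrs = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()  # strip comments
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        rrs.append((owner.lower(), rtype.upper(), rdata))
    return rrs


def ds_records(zone_text: str, apex: str):
    """(key tag, algorithm, digest type 2, hex digest) for every apex DNSKEY."""
    out = []
    for owner, rtype, rdata in parse_zone(zone_text):
        if rtype == "DNSKEY" and owner == apex.lower():
            flags, proto, alg = (int(x) for x in rdata[:3])
            pub = base64.b64decode("".join(rdata[3:]))  # key may span tokens
            rd = dnskey_rdata(flags, proto, alg, pub)
            out.append((key_tag(rd), alg, 2, ds_sha256(apex, rd)))
    return out


def check_publishable(zone_text: str, apex: str, parent_ds):
    """Return (ok, reason). ok is False whenever validators would see bogus."""
    apex = apex.lower()
    rrs = parse_zone(zone_text)
    covered = {rd[0].upper() for o, t, rd in rrs if o == apex and t == "RRSIG"}
    if "DNSKEY" not in covered:
        return False, "apex DNSKEY RRset has no RRSIG: zone left unsigned"
    if not any(ds in parent_ds for ds in ds_records(zone_text, apex)):
        return False, "no apex DNSKEY matches a DS in the parent: chain broken"
    return True, "ok"


# Constructed sample data. The "public key" is 4 dummy bytes (base64 AQIDBA==)
# and the RRSIG signature field is a placeholder; only structure is exercised.
APEX = "example.test."
SIGNED_ZONE = """\
example.test. 3600 IN SOA ns.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600
example.test. 3600 IN DNSKEY 257 3 8 AQIDBA==
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20240601000000 20240501000000 2063 example.test. c2lnbmF0dXJl
example.test. 3600 IN RRSIG SOA 8 2 3600 20240601000000 20240501000000 2063 example.test. c2lnbmF0dXJl
"""
# What a signer that dropped the algorithm would emit: the same zone, unsigned.
UNSIGNED_ZONE = """\
example.test. 3600 IN SOA ns.example.test. hostmaster.example.test. 2 7200 3600 1209600 3600
"""
# Stand-in for the DS set the parent publishes (normally fetched, not derived).
PARENT_DS = set(ds_records(SIGNED_ZONE, APEX))

if __name__ == "__main__":
    for label, zone in (("signed", SIGNED_ZONE), ("unsigned", UNSIGNED_ZONE)):
        ok, why = check_publishable(zone, APEX, PARENT_DS)
        print(f"{label:9s} publish={ok} ({why})")
```

Run the check as the last step of the signing pipeline and make a False result abort the push to the authoritative servers; that turns the silent breakage in the quoted scenario into a loud, local failure that never reaches validators.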