On Thu, Jun 20, 2013 at 8:41 PM, Timothy Morizot <tmori...@gmail.com> wrote:
> On Jun 20, 2013 5:31 PM, "Randy Bush" <ra...@psg.com> wrote:
> > and dnssec did not save us. is there anything which could have?
>
> Hmmm. DNSSEC wouldn't have prevented an outage. But from everything I've
> seen reported, had the zones been signed, validating recursive resolvers
> (comcast, google, much of federal government, mine) would have returned
> servfail and would not have cached the bad nameservers in their good cache.
>
> Users would have simply failed to connect instead of being sent to the
> wrong page and recovery would have been quicker and easier. From my
> perspective as someone responsible for DNS at a fairly large enterprise,
> that would have been preferable.
>
> But then, the zones for which I'm responsible are signed.

In this case of registrar compromise, the DS record could have been changed alongside the NS records, so DNSSEC would only have been an early warning, because an uncoordinated DS change disrupts service. As soon as the previous timeouts played out, the new DS/NS pairs would be considered as trustworthy as the old ones.

Rubens
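The chain-of-trust check behind both replies, as an added illustration that is not part of this thread: a validating resolver compares the DS set it got from the parent with the DNSKEY set it got from the child, so a DS swapped at the registrar without a matching child key produces SERVFAIL, while a DS/NS pair changed together validates cleanly. Key material and the zone name are constructed, and the RFC 4034 digest and key-tag computations are written out by hand here rather than taken from a DNS library.

```python
"""DS <-> DNSKEY consistency check as a validating resolver performs it.
Constructed example; not code from any poster in the thread."""
import hashlib
from dataclasses import dataclass
from typing import List, Set

# DS digest types (RFC 4034, RFC 4509, RFC 6605). SHA-1 kept only for old DS records.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key: bytes   # constructed placeholder bytes, not a real key
    protocol: int = 3

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str         # hex, as it appears in the parent zone

def wire_name(name: str) -> bytes:
    """Owner name in DNS wire format (RFC 1035 labels), lower-cased per RFC 4034."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(key.rdata()))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS a parent publishes for this DNSKEY: digest(owner | DNSKEY RDATA), RFC 4034 5.1.4."""
    h = DIGEST_ALGOS[digest_type](wire_name(owner) + key.rdata()).hexdigest()
    return DS(key_tag(key), key.algorithm, digest_type, h)

def chain_intact(owner: str, parent_ds: Set[DS], child_keys: List[DNSKEY]) -> bool:
    """True if some parent DS matches a child DNSKEY; otherwise the zone is bogus -> SERVFAIL."""
    return any(ds.digest_type in DIGEST_ALGOS and ds.algorithm == k.algorithm
               and make_ds(owner, k, ds.digest_type) == ds
               for ds in parent_ds for k in child_keys)

# Constructed sample keys: the zone's real KSK and one introduced via the registrar.
LEGIT_KSK = DNSKEY(flags=257, algorithm=13, public_key=b"\x01\x02\x03\x04")
ROGUE_KSK = DNSKEY(flags=257, algorithm=13, public_key=b"\xaa\xbb\xcc\xdd")
```

With the legitimate nameservers still answering but the parent DS pointing at the other key, `chain_intact` is False (the outage Rubens describes); once the NS change also takes effect and the child serves the matching DNSKEY, it is True again.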