On Wed, Feb 26, 2014 at 01:32:09PM -0500, Charles Marcus wrote:
> Well, I sent them the two responses I got here (from rob0 and
> Victor), and, in addition to what I think is the real reason,
> here is what they came back with:
>
> >domains are more likely to go down due to poor DNSSEC
> >administration than any domain will be down due to cache
> >poisoning or the other hacks that DNSSEC is designed to prevent.

I hate to admit it, but this is true. :) BIND 9.8 and 9.9 have nice
"maintain" features which prevent the poor administration problems.
But with 9.7 and earlier people were using semi-manual signing.
Upgrade to a supported BIND version and you will have no problem; if
you don't mind leaving your keys on the master server, that is.

> >Have you actually heard of DNSSEC successfully stopping a hack
> >yet? You probably have not because it hasn't.

It's also mostly true that serving bogus DNS data is not a common
attack, NXDOMAIN hijacking being the exception. So anyway, you can
counter that, "Yes, DNSSEC detects NXDOMAIN hijacking."

> >Have you heard of DNSSEC causing downtime for domains? I am sure
> >you have... because it happens often.

As with anything, if you know what you're doing, it does not. I might
also add that the terminology used, "downtime for domains" etc., is
indicative of a non-professional. For what that's worth.

> >This is why most of the largest domains do not support DNSSEC,
> >nor will they.

Funny if that is true, because the big guys are the most likely
targets for DNS spoofing or hijacking attacks.

> <sigh>
>
> Oh well, not an immediate problem, and their normal DNS service
> is excellent (and really cheap - $29/yr for up to 10 domains)...

I do still believe that DNSSEC adoption will increase, and with it the
demand for clueful and capable DNS providers will rise. But I have to
admit that these threads have shown a glimpse into other worlds. :)

For me, when the root zone was signed, DNSSEC was something I had to
do. I found that my Zoneedit nameservers didn't support it, so I
removed them and went for self-hosting. It never occurred to me that
"no DNSSEC" was an option. :)
-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
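Added example, not part of rob0's message or the thread: the BIND 9.9 "maintain" setup he refers to, as a named.conf fragment, so that named re-signs the zone itself instead of the semi-manual dnssec-signzone runs of 9.7 and earlier. The zone name "example.com" and all directory paths are placeholders.

```conf
// Added example (not from the mailing-list thread). BIND 9.9 zone that
// signs and maintains itself; "example.com" and the paths are placeholders.
//
// Keys are generated once and stay in key-directory (this is the
// "keys on the master server" trade-off rob0 mentions):
//   dnssec-keygen -K /etc/bind/keys -a RSASHA256 -b 2048 -n ZONE example.com
//   dnssec-keygen -K /etc/bind/keys -a RSASHA256 -b 2048 -n ZONE -f KSK example.com
// The KSK's DS record (dnssec-dsfromkey on the KSK file) must then be
// published in the parent zone via the registrar; that is the step a
// provider without DNSSEC support cannot do for you.

options {
    directory "/var/cache/bind";
    dnssec-enable yes;
};

zone "example.com" {
    type master;
    file "/etc/bind/zones/example.com.db";   // unsigned zone file you edit by hand
    key-directory "/etc/bind/keys";           // where the K*.key / K*.private files live
    inline-signing yes;    // named keeps its own signed copy (.signed) of the zone
    auto-dnssec maintain;  // re-sign before RRSIGs expire; follow key timing metadata
};

// Checks after (re)loading, so signatures do not silently lapse:
//   rndc signing -list example.com          (keys named is actively using)
//   dig +dnssec @127.0.0.1 example.com SOA  (expect an RRSIG in the answer)
```

With inline signing the unsigned master file is never rewritten, so the usual edit-and-reload workflow is unchanged; only the signed copy is regenerated by named.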