Educause Security Discussion mailing list archives

Re: DNSSEC Deployment


From: John Kristoff <jtk () CYMRU COM>
Date: Mon, 17 May 2010 15:55:57 -0500

On Mon, 17 May 2010 15:34:16 -0500
John Ladwig <John.Ladwig () CSU MNSCU EDU> wrote:

> Not to pile on, exactly, but since the issue's on the table, can
> anyone explain to me what the UI looks like on DNSSEC failures, on,
> say, Windows 7 and IE?  For that matter, any OS.

That is such a good question.  It's something we are going to have to
consider very carefully before being able to put this in the secure BIND
template.  Thanks for bringing it up.

Perhaps as important as asking what the system will do, is what will
the user do?   For some insight, what do they do when presented an SSH
login with the message indicating the server's key has changed?

I believe the technical answer regarding the system is that it depends
on the end system's capabilities (whether it's a validating or at least
"security aware" stub resolver) and whether the application is designed
to interpret the failure scenario.  I believe if there is no
support in the end host it'll look like there was no answer returned
(e.g. site not found).  Otherwise it'll present some sort of "bad
validation" error.

John
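
The distinction described in the message above, as an added example that is not part of the original post: the same failed lookup as seen by a stub with no DNSSEC support and by a security-aware one. It assumes the upstream recursive resolver validates and answers SERVFAIL for data that fails validation (RFC 4035 behaviour), and that the security-aware stub retries with the CD bit set; the function names and sample headers are constructed for illustration.

```python
import struct

# DNS header flag bits and response codes (RFC 1035, RFC 4035)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if not flags & QR:
        raise ValueError("not a response")
    return {"id": ident, "rcode": flags & 0x000F, "ad": bool(flags & AD),
            "cd": bool(flags & CD), "answers": an}

def legacy_stub_view(resp: dict) -> str:
    """What a stub with no DNSSEC support can tell the application."""
    if resp["rcode"] == NOERROR and resp["answers"]:
        return "resolved"
    return "lookup failed"  # bogus data, an outage and a typo all look alike

def security_aware_view(resp: dict, cd_retry: dict) -> str:
    """Classify using the AD bit and a second query sent with CD=1."""
    if resp["rcode"] == NOERROR and resp["answers"]:
        return "validated" if resp["ad"] else "resolved, not validated"
    if (resp["rcode"] == SERVFAIL and cd_retry["rcode"] == NOERROR
            and cd_retry["answers"]):
        return "bad validation"  # data exists but the resolver rejected it
    if resp["rcode"] == NXDOMAIN:
        return "no such name"
    return "lookup failed"

def sample(flags: int, answers: int) -> bytes:
    """Constructed response header (id 0x1234, one question)."""
    return struct.pack("!6H", 0x1234, QR | RD | RA | flags, 1, answers, 0, 0)

# Constructed samples: a name that validates, and one whose signatures fail.
GOOD = parse_header(sample(AD | NOERROR, 1))
BOGUS = parse_header(sample(SERVFAIL, 0))
BOGUS_CD = parse_header(sample(CD | NOERROR, 1))

if __name__ == "__main__":
    print(legacy_stub_view(BOGUS), "|", security_aware_view(BOGUS, BOGUS_CD))
```
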
