Educause Security Discussion mailing list archives
Re: DNSSEC Deployment
From: John Kristoff <jtk () CYMRU COM>
Date: Mon, 17 May 2010 15:55:57 -0500
On Mon, 17 May 2010 15:34:16 -0500 John Ladwig <John.Ladwig () CSU MNSCU EDU> wrote:
> Not to pile on, exactly, but since the issue's on the table, can anyone explain to me what the UI looks like on DNSSEC failures, on, say, Windows 7 and IE? For that matter, any OS.
That is such a good question. It's something we are going to have to consider very carefully before being able to put this in the secure BIND template. Thanks for bringing it up.

Perhaps as important as asking what the system will do, is what will the user do? For some insight, what do they do when presented an SSH login with the message indicating the server's key has changed?

I believe the technical answer regarding the system is that it depends on the end system's capabilities (whether it's a validating or at least "security aware" stub resolver) and whether the application is designed to interpret the failure scenario. I believe if there is no support in the end host it'll look like there was no answer returned (e.g. site not found). Otherwise it'll present some sort of "bad validation" error.

John
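The two end-host cases described in the reply above, as an added example that is not part of the original message. It assumes the upstream validating resolver signals a validation failure with SERVFAIL and that a security-aware stub retries with the CD (checking disabled) bit set; the function names and the sample response headers are constructed for illustration.

```python
import struct

QR, AD, CD = 0x8000, 0x0020, 0x0010   # header flag bits (RFC 1035, RFC 4035)
NOERROR, SERVFAIL = 0, 2

def parse_header(msg):
    """Decode the fixed 12-byte DNS header of a response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _id, flags, _qd, answers, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & QR:
        raise ValueError("not a response")
    return {"rcode": flags & 0x000F, "ad": bool(flags & AD), "answers": answers}

def plain_stub_view(resp):
    """A stub with no DNSSEC support only sees RCODE and the answer count."""
    h = parse_header(resp)
    return "resolved" if h["rcode"] == NOERROR and h["answers"] else "lookup failed"

def aware_stub_view(resp, resp_cd=None):
    """A security-aware stub also reads AD and, on SERVFAIL, compares a retry
    sent with CD=1 to tell a validation failure from an ordinary outage."""
    h = parse_header(resp)
    if h["rcode"] == NOERROR and h["answers"]:
        return "resolved, validated" if h["ad"] else "resolved, not validated"
    if h["rcode"] == SERVFAIL and resp_cd is not None:
        retry = parse_header(resp_cd)
        if retry["rcode"] == NOERROR and retry["answers"]:
            return "bad validation"   # data exists, but failed DNSSEC checks
    return "lookup failed"

def header(flags, answers):
    """Build a constructed response header (ID 0x1234, one question)."""
    return struct.pack("!6H", 0x1234, flags, 1, answers, 0, 0)

# Constructed sample responses, not captured traffic.
SIGNED_OK   = header(0x81A0, 1)  # QR RD RA AD, NOERROR
UNSIGNED_OK = header(0x8180, 1)  # QR RD RA, NOERROR
BOGUS       = header(0x8182, 0)  # QR RD RA, SERVFAIL
BOGUS_CD    = header(0x8190, 1)  # QR RD RA CD, NOERROR on the CD=1 retry
OUTAGE_CD   = header(0x8192, 0)  # QR RD RA CD, SERVFAIL even with CD=1

if __name__ == "__main__":
    print("plain stub, bogus zone:", plain_stub_view(BOGUS))
    print("aware stub, bogus zone:", aware_stub_view(BOGUS, BOGUS_CD))
    print("aware stub, outage:    ", aware_stub_view(BOGUS, OUTAGE_CD))
```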