nanog mailing list archives
Re: US government mandates? use of DNSSEC by federal agencies
From: Michael Thomas <mike () mtcc com>
Date: Wed, 27 Aug 2008 17:15:01 -0700
David Conrad wrote:
> On Aug 27, 2008, at 11:03 AM, Michael Thomas wrote:
>> In any case, the point of my first question was really about the
>> concern of false positives. Do we really have any idea what will
>> happen if you hard fail dnssec failures?
>
> As far as I'm aware, there is no 'soft fail' for DNSSEC failures. In
> the caching servers I'm familiar with, if a name fails to validate, it
> used to be that it doesn't get cached and SERVFAIL is returned. Maybe
> that's been fixed?
Sure, but my point is that if DNSsec all of a sudden has some relevance which is not the case today, any false positives are going to come into pretty stark relief. As in, .gov could quite possibly be setting themselves up for self-inflicted denial of service given bugginess in the signers, the verifiers or both.

Given how integral DNS is to everything, it seems a little scary to just trust that all of that software across many, many vendors is going to interoperate at *scale*. It seems that some training wheels like an accept-failure-but-log mode with feedback like "your domain failed" to the domain's admins might be safer. At least for a while, as this new treadmill's operational care and feeding is established.

Mike
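Added example, not part of the original message or of any resolver's own code: one way the "accept-failure-but-log" feedback loop described above could be fed, by grouping a validator's logged failures per signing zone and producing a "your domain failed" line for each zone's admins. The log line format is an assumption modeled on Unbound's validation-failure log lines; the sample lines, names and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the page), shaped like a validating
# resolver running in log-only mode. The line format is an assumption.
SAMPLE_LOG = """\
[1219882501] unbound[812:0] info: validation failure <www.agency.example. A IN>: signature expired from 192.0.2.10 for key agency.example. while building chain of trust
[1219882502] unbound[812:0] info: validation failure <mail.agency.example. MX IN>: signature expired from 192.0.2.10 for key agency.example. while building chain of trust
[1219882507] unbound[812:0] info: resolving www.example.com. A IN
[1219882511] unbound[812:0] info: validation failure <portal.bureau.example. AAAA IN>: no keys have a DS from 198.51.100.7 for key bureau.example. while building chain of trust
"""

FAILURE = re.compile(
    r"validation failure <(?P<qname>\S+) (?P<qtype>\S+) IN>: "
    r"(?P<reason>.+?) from (?P<server>\S+) for key (?P<zone>\S+) while"
)

def failures_by_zone(log_text):
    """Group log-only validation failures by the zone whose key failed."""
    report = defaultdict(lambda: {"count": 0, "names": set(), "reasons": set()})
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue  # not a validation-failure line
        entry = report[m["zone"].rstrip(".").lower()]
        entry["count"] += 1
        entry["names"].add(m["qname"].rstrip(".").lower())
        entry["reasons"].add(m["reason"])
    return dict(report)

def notices(report):
    """One 'your domain failed' line per zone, for that zone's admins."""
    return [
        f"{zone}: {e['count']} validation failure(s) "
        f"({'; '.join(sorted(e['reasons']))}) affecting "
        f"{', '.join(sorted(e['names']))}"
        for zone, e in sorted(report.items())
    ]

if __name__ == "__main__":
    for line in notices(failures_by_zone(SAMPLE_LOG)):
        print(line)
```
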