nanog mailing list archives
Re: Anyone else seeing DNSSEC failures from EU Commission ? (european-union.europa.eu)
From: Ca By <cb.list6 () gmail com>
Date: Thu, 9 Dec 2021 06:36:27 -0800
On Thu, Dec 9, 2021 at 1:07 AM Arne Jensen <darkdevil () darkdevil dk> wrote:
> On 08-12-2021 at 15:32, Niels Bakker wrote:
>> * darkdevil () darkdevil dk (Arne Jensen) [Wed 08 Dec 2021, 15:23 CET]:
>>> To me, that part of it also points towards a broken implementation at
>>> CloudFlare, letting bogus (insecure) responses take effect anyway.
>>
>> Or they prefer allowing people to visit websites over punishing system
>> administrators for operational failures that less secure (read:
>> nonvalidating) ISPs wouldn't inflict on their customers.
>
> I find it hard to believe that CloudFlare would do such though, however,
> while such kind of things could indeed be the cause, I'm personally going
> towards "Rather safe, than sorry".
>
>> It's been quite common for DNSSEC-enabled recursors to add overrides for
>> outaged domains in situations like this.
>
> Unfortunately, yes, overrides are too common for many different things.
> Time for them (the overrides) to die completely.

Or accept that DNSSEC has always been dead since it never solved a problem, but created a lot of problems.

Just saying, facts are on my side. Check the number of times DNSSEC caused an outage. Then check the number of hacks prevented by DNSSEC. Literally 0.

Be sure to note the time Netnod got hacked because the perps… turned off DNSSEC…

https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/

Look, I don't have anything personal against DNSSEC. Just as much as any droid, I love

1. 3rd rate crypto
2. Many enabled RCEs
3. Complex architectures, doubly complex operational procedure
4. Government managed CAs and then related procurement requirements

But, the thing I don't like is the massive DDoS it creates. Those huge records are really not acceptable in today's DNS environment.

Please stop enabling DNSSEC on your domain folks, you are going to have an outage, your security is worse off, and you are feeding the vendor / hacker DDoS death spiral

>> It looks like the error has been mitigated, by the way, so this manual
>> override may not even have happened.
>
> +1.
>
> --
> Med venlig hilsen / Kind regards,
> Arne Jensen