nanog mailing list archives

Re: US government mandates? use of DNSSEC by federal agencies


From: Michael Thomas <mike () mtcc com>
Date: Wed, 27 Aug 2008 17:15:01 -0700

David Conrad wrote:
> On Aug 27, 2008, at 11:03 AM, Michael Thomas wrote:
>> In any case, the point of my first question was really about the
>> concern of false positives. Do we really have any idea what will
>> happen if you hard fail dnssec failures?
>
> As far as I'm aware, there is no 'soft fail' for DNSSEC failures. In the caching servers I'm familiar with, if a name fails to validate, it used to be that it doesn't get cached and SERVFAIL is returned. Maybe that's been fixed?

Sure, but my point is that if DNSSEC all of a sudden has some relevance,
which is not the case today, any false positives are going to come into
pretty stark relief. As in, .gov could quite possibly be setting themselves
up for self-inflicted denial of service given bugginess in the signers,
the verifiers or both.

Given how integral DNS is to everything, it seems a little scary to just
trust that all of that software across many, many vendors is going to
interoperate at *scale*. It seems that some training wheels like an
accept-failure-but-log mode with feedback like "your domain failed"
to the domain's admins might be safer. At least for a while, as
this new treadmill's operational care and feeding is established.


                Mike
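
The two resolver policies discussed in the thread, hard SERVFAIL versus an accept-but-log mode, as an added Unbound configuration example that is not part of the original thread or of any resolver the posters mention (the trust-anchor path is an assumed, typical value):

```conf
# Option A: hard fail. A name whose signatures do not validate is
# answered with SERVFAIL and not cached; the client gets no data.
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path
    val-permissive-mode: no
    # Write a log line explaining each SERVFAIL so the operator can
    # tell a validation failure apart from an unreachable authority.
    log-servfail: yes

# Option B: "training wheels". Validation still runs, but bogus data is
# returned with the AD bit clear instead of SERVFAIL, and each failure
# is logged with the reason and the address of the server that was wrong.
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path
    val-permissive-mode: yes
    val-log-level: 2
```

Option B only makes the failures visible to the resolver operator, not to the failing domain's admins, so the "your domain failed" feedback loop still needs a separate channel. Clients that rely on the AD bit will treat permissive-mode answers as unvalidated, which is the intended trade-off while signer and validator bugs are shaken out.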

