On 9/30/21 4:30 PM, Viktor Dukhovni wrote:
> On 30 Sep 2021, at 7:14 pm, Paul Ebersman <[email protected]> wrote:
> > Which is actually impeding DNSSEC for domains where outages of DNS
> > instantly cause revenue issues. Knowing you're off the air in a
> > significant part of the world means a good deal of the Alexa 1000 still
> > won't sign their "money" domains.
> And yet progress is being made even among these, and many of the
> arguments against are increasingly stale. Of the top 1k domains
> in a recent Tranco snapshot, 88 are signed. Yeah, NTAs are sometimes
> deployed, but sometimes also linger past their use-by, and should be
> avoided as much as possible, and as it becomes increasingly difficult
> to convince everyone to install an NTA the pressure will also be felt
> at the right place.
[snip]
I think part of the issue in this discussion is that the Slack failure
does not appear to be a failure to understand or correctly execute
DNSSEC. It's a failure to understand DNS, and particularly DNS caching.
DNSViz shows a correctly-signed and valid domain at the time that the
DS+DNSKEY+RRSIG records were unceremoniously yanked. So they *were*
doing DNSSEC right, but they decided to make a change, for whatever
reason, and didn't understand the effects of caching in the global system.
A similar shot-to-the-foot could have been accomplished by changing the
NS records to point to entirely new providers/hosts and immediately
shutting down the old NSes.
Yes, DNSSEC really does require a good understanding of caching and
TTLs, but there are other aspects of DNS that require such an
understanding. And I honestly hope I am seriously wrong here, but it
seems like that understanding of one of the fundamentals of DNS was
lacking here.
michael
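A toy model of the caching effect Michael describes, added here as an illustration and not part of the thread: a validating resolver that still holds the parent's DS in cache keeps demanding signatures until that cache entry expires, so yanking DS, DNSKEY and RRSIG together turns the zone bogus for such resolvers, whereas removing the DS first and keeping the zone signed for at least one DS TTL does not. The one-day DS TTL, the zone names and the event times are constructed; only the DS cache is modelled, not DNSKEY or negative caching.

```python
"""Toy model of DS-cache behaviour when a zone stops signing.

Constructed illustration (not from the thread): models only the DS
cache at a validating resolver, not DNSKEY or negative caches.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DS_TTL = 86400  # constructed: one-day TTL on the DS RRset at the parent


@dataclass
class World:
    parent_has_ds: bool = True   # parent zone publishes a DS for the child
    child_signed: bool = True    # child zone serves DNSKEY + RRSIGs


@dataclass
class Resolver:
    # (parent_has_ds as last fetched, absolute expiry time) or None
    cached: Optional[Tuple[bool, float]] = None

    def ds_for(self, world: World, now: float) -> bool:
        """Return the DS state the resolver believes in, honouring its cache."""
        if self.cached is not None and now < self.cached[1]:
            return self.cached[0]
        self.cached = (world.parent_has_ds, now + DS_TTL)  # refetch + cache
        return world.parent_has_ds

    def validate(self, world: World, now: float) -> str:
        """Classify an answer from the child zone as a validator would."""
        if not self.ds_for(world, now):
            return "insecure"          # no DS: zone treated as unsigned
        return "secure" if world.child_signed else "bogus"


def run(events: Dict[float, Tuple[bool, bool]], probes: List[float]) -> Dict[float, str]:
    """events: time -> (parent_has_ds, child_signed); probes: query times.
    Returns time -> status as seen by a resolver that cached the DS at t=0."""
    world, resolver = World(), Resolver()
    resolver.validate(world, 0)        # warm the DS cache while zone is signed
    out: Dict[float, str] = {}
    for t in sorted(set(probes) | set(events)):
        if t in events:
            world.parent_has_ds, world.child_signed = events[t]
        if t in probes:
            out[t] = resolver.validate(world, t)
    return out


T = 3600                                              # change made at t=1h
YANK_ALL = {T: (False, False)}                        # DS+DNSKEY+RRSIG at once
GO_INSECURE = {T: (False, True), T + DS_TTL: (False, False)}  # DS first, wait
PROBES = [T + 1, DS_TTL + 1, T + DS_TTL + 1]
```

`run(YANK_ALL, PROBES)` reports the zone as bogus right after the change and only recovers once the cached DS expires, while `run(GO_INSECURE, PROBES)` never returns bogus.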
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations