Paul,

On Aug 15, 2008, at 1:51 PM, Paul Hoffman wrote:
If what you really, really mean to ask is "given the fact that caching servers only care about DNSSEC if they're explicitly configured to do so, does anyone anticipate any stability/security concerns to those folks who _don't_ configure DNSSEC if the root is signed?", then I would say no, I don't see any.

OK, thanks. I suspect this question will be coming from on high at some point...

As to your question above: people who _haven't_ configured DNSSEC _will_ configure DNSSEC after the root is signed due to lots of press and the general feeling that more security layers are good. If we don't give those people the right tools to properly configure and properly maintain those configurations, there will be stability issues, as I listed earlier.

This reads a bit to me like "build it and they will come and hit themselves upside their heads with bats, so don't build it until we've figured out how to keep people from hurting themselves."

If someone configures DNSSEC in their caching server and then forgets their care and feeding duties, they will at some point discover that their DNS lookups aren't working so well and they'll either undertake their care and feeding duties with a bit more diligence (and/or upgrade to newer technology that handles care and feeding duties with minimal manual intervention) or they'll turn off DNSSEC. So, in the worst case, they'll get bitten and revert back to the same level of security (or lack thereof) they have today.

Is this worth blocking DNSSEC deployment?

Regards,
-drc

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
