[dnssec-deployment] some observations about .SE's DNSSEC

Patrik Fältström paf at cisco.com
Tue Sep 25 18:52:52 EDT 2007


Another thing btw, that I saw the other week when I was forced to do an emergency key rollover... Yes, I knew this, but experiencing it is something different.

I had to change the KSK asap. The problem of course was that the TTL of the existing KSK and DS in the parent zone was longer than what I wanted (in this case the DS).

This in turn led to the conclusion that (unfortunately) the design of DNSSEC via the DS gives no redundancy apart from pre-publishing the "next KSK". Redundancy we have, for example, with multiple NS records.

I.e. DNSSEC and the DS give in many cases one and only one link to the child, and if that breaks, well, it is broken.

    Patrik

On 26 sep 2007, at 00.45, richard.lamb wrote:

> Yep.  I saw this when I started my work here after putting validating DNSSEC
> resolvers all over the place, usually behind cheap BB routers in people's
> homes.  Being in business taught me that the customer is always right, so I
> wanted to see what the customer saw - not what a guy with a T1 into their
> house saw. Almost always failed.  I sent a note to Andrews about this but I
> think it's correct behavior on BIND's part.  Between now and when DNSSEC
> makes it into Windows should be enough time for router vendors (saw it
> mostly on DSL/Westel combo) to clean up their act.
>
> I remember a sequence something like:
> Request big bunch of DNSKEYS (udp) ->
>  X(lost) <- Big udp packet
> ...timeout
> Request big bunch of DNSKEYS (udp) ->
>   <- 512 byte truncated packet (udp)
> ...truncated..fail
> Then sometimes...
> Request big bunch of DNSKEYS (TCP) ->
>   <- Big TCP packet
> Request more information to complete validation ->
> ..works
>
>
> -----Original Message-----
> From: DNSSEC deployment [mailto:dnssec-deployment at shinkuro.com] On  
> Behalf Of
> Paul Vixie
> Sent: Tuesday, September 25, 2007 3:02 PM
> To: DNSSEC deployment
> Cc: Jakob Schlyter
> Subject: [dnssec-deployment] some observations about .SE's DNSSEC
>
> jakob has given me permission to share this information with you, and would
> welcome any questions or discussion we might have:
>
> --------
>
> From: Jakob Schlyter <jakob at rfc.se>
> Subject: Re: AD set unrequested
> Date: Tue, 25 Sep 2007 17:28:26 +0200
> To: xxx
>
> one more thing...
>
> as you may have noted, DNSSEC in .SE is in full production; at least two
> large ISPs in Sweden are doing DNSSEC validation in their production
> systems.  it was recently discovered that none of their customers (with
> crappy broadband routers, e.g. Netgear) can reach signed domains.
> ouch.
>
> 	jakob
>
> --------
>
> #############################################################
> This message is sent to you because you are subscribed to
>   the mailing list <dnssec-deployment at shinkuro.com>.
> To unsubscribe, E-mail to: <dnssec-deployment-off at shinkuro.com>
> A public archive is available here:
> <http://mail.shinkuro.com:8100/Lists/dnssec-deployment/>
> and older material is at
> <http://mail.shinkuro.com:8100/Lists/dnssec-deployment-archive/>
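The UDP-then-TCP sequence Richard describes above, written out as an added example (not code from anyone in this thread): it builds a DNSKEY query with and without an EDNS0 buffer size, detects the TC bit in a 512-byte answer, and falls back to TCP. The transport functions are injected so the logic can be exercised offline; the responses used in the usage at the bottom are constructed.

```python
import struct

DNSKEY = 48
TC_FLAG = 0x0200  # Truncation bit in the DNS header flags word


def build_query(name, qtype=DNSKEY, edns_bufsize=None, qid=0x1234):
    """Build a DNS query for `name`. With `edns_bufsize` an EDNS0 OPT record
    advertising that UDP payload size is appended; without it the query is a
    classic one limited to 512-byte UDP answers."""
    flags = 0x0100  # standard query, RD set
    arcount = 1 if edns_bufsize else 0
    header = struct.pack(">HHHHHH", qid, flags, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode() for p in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS IN
    opt = b""
    if edns_bufsize:
        # OPT pseudo-RR: root name, type 41, CLASS = requestor's UDP payload
        # size, TTL (extended RCODE/flags) 0, empty RDATA
        opt = b"\x00" + struct.pack(">HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def is_truncated(response):
    """True when the server set TC: the answer did not fit the UDP size."""
    _, flags = struct.unpack(">HH", response[:4])
    return bool(flags & TC_FLAG)


def fetch_dnskey(name, udp_send, tcp_send):
    """Large EDNS UDP query (a router may drop the big answer), then a plain
    512-byte UDP retry (may come back truncated), then TCP.
    udp_send(query) returns bytes or None on timeout; tcp_send(query) returns
    bytes. Returns (response, path) where path records each step taken."""
    path = []
    for bufsize in (4096, None):
        label = "udp%d" % (bufsize or 512)
        resp = udp_send(build_query(name, edns_bufsize=bufsize))
        if resp is None:
            path.append(label + ":timeout")
            continue
        if is_truncated(resp):
            path.append(label + ":truncated")
            break
        path.append(label + ":ok")
        return resp, path
    resp = tcp_send(build_query(name, edns_bufsize=4096))
    path.append("tcp:ok")
    return resp, path
```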