[dnssec-deployment] Fwd: [IP] Good Always Comes Out of Bad

[Peter Koch]

On Mon, Jun 30, 2008 at 02:08:03PM +1000, Mark Andrews wrote:

> True, but only in exceptional circumstances.  Under normal operating
> procedures you have control of both new and old servers.  Failure
> to have such control should trigger red flag and extra vetting of
> requested changes.

that's not how this kind of change looks like from my, admittedly constrained,
perspective in the presence of mass-webhosting and provider changes. Many
people have little to no direct control over the zone content, let alone
would they be able to edit the NS RRSet or make the old server(s) slave(s)
of the new one(s).
The case was likely different for the couple of domains that initiated
this thread, but what you call the exception might well be the rule --
number wise.

While the problem of "domain napping" might be real and is often easier
associated with "DNS Security" than the response forgery addressed by DNSSEC,
we should resist the temptation to make promises that DNSSEC just can't hold.

-Peter