[dnssec-deployment] Fwd: [IP] Good Always Comes Out of Bad
pk at DENIC.DE
Mon Jun 30 08:15:18 EDT 2008
On Mon, Jun 30, 2008 at 02:08:03PM +1000, Mark Andrews wrote:
> True, but only in exceptional circumstances. Under normal operating
> procedures you have control of both new and old servers. Failure
> to have such control should trigger a red flag and extra vetting of
> requested changes.

That's not what this kind of change looks like from my, admittedly constrained,
perspective in the presence of mass-webhosting and provider changes. Many
people have little to no direct control over the zone content, let alone
would they be able to edit the NS RRSet or make the old server(s) slave(s)
of the new one(s).

The case was likely different for the couple of domains that initiated
this thread, but what you call the exception might well be the rule --

While the problem of "domain napping" might be real and is often more easily
associated with "DNS Security" than the response forgery addressed by DNSSEC,
we should resist the temptation to make promises that DNSSEC just can't hold.