[dnssec-deployment] dot MUSEUM implemented DNSSEC

Otmar Lendl ol at bofh.priv.at
Mon Sep 22 11:13:24 EDT 2008


Paul Wouters wrote:
> On Mon, 22 Sep 2008, Olaf Kolkman wrote:
>>
>> If you do a delegation wrong you create some lameness, and the DNS can
>> cope with that. If you do the DS wrong then you immediately impact the
>> secure zones.
>>
>> With plain old DNS you need to shoot at least twice to shoot yourself
>> in the feet. With DNSSEC you only need one shot to do serious damage.
> 
> That's all relative. I only have to put one wrong IP in the master zone
> to do serious damage too. Or one missing semi-colon in named.conf.

I'm not so much worried about the ease with which you can shoot a zone
in a DNSSEC environment. What bothers me more is the potential time to
repair.

The proverbial missing semi-colon is easily fixed. But what about a botched
key rollover?

/ol
-- 
-=-  Otmar Lendl  --  ol at bofh.priv.at  -=-


