[dnssec-deployment] dot MUSEUM implemented DNSSEC
Otmar Lendl
ol at bofh.priv.at
Mon Sep 22 11:13:24 EDT 2008
Paul Wouters wrote:
> On Mon, 22 Sep 2008, Olaf Kolkman wrote:
>>
>> If you do a delegation wrong you create some lameness, and the DNS can
>> cope with that. If you do the DS wrong then you immediately impact the
>> secure zones.
>>
>> With plain old DNS you need to shoot at least twice to shoot yourself
>> in the feet. With DNSSEC you only need one shot to do serious damage.
>
> That's all relative. I only have to put one wrong IP in the master zone
> to do serious damage too. Or one missing semi-colon in named.conf.

I'm not so much worried about the ease with which you can shoot a zone
in a DNSSEC environment. What bothers me more is the potential time to
repair.

The proverbial missing semi-colon is easily fixed. But what about a botched
key rollover?

/ol
--
-=- Otmar Lendl -- ol at bofh.priv.at -=-