[dnssec-deployment] DNSSEC deployment hurdles
heland at afilias.info
Fri Aug 28 10:32:15 EDT 2009
When we found these OARC numbers in June / July for .ORG, we were
naturally pretty disturbed, and did quite a bit of manual packet
inspections to see what was going on. I was originally quite
concerned about the number of resolvers that would melt-down by
mishandling the frags, but, in reality, we've not heard any
complaints, so I have to agree with Patrik here.
I _am_ concerned for those deploying DNSSEC with a very large query
volume. We've tried to message this very carefully, saying "this is
what we've seen for ORG, so you may want to watch for this when
deploying", and _not_ "the sky is falling".
We're working on another set of data to send up to OARC, to see if
things have settled down since the recent BIND security alert went out
(although I'm not sure how many people upgraded their legacy system
because of that alert).
All in all, I'd like to see PowerDNS be DNSSEC-enabled. As mentioned,
deployments such as this are hard, and have corner cases, etc. I
believe the rewards outweigh the risks.
On Aug 28, 2009, at 5:16 AM, Patrik Fältström wrote:
> On 28 aug 2009, at 11.59, bert hubert wrote:
>> I find it worrying that these numbers (which are well known to the
>> DNSSEC community), combined with the OARC results, are not seeing
>> wider discussion here (or anywhere public).
> One of the reasons I think is that for example in Sweden we do not
> see any such problems with fragmentation. Possibly because the
> responses are not that large, or that the situation is not as bad as
> the netalyzr data says.
> I do not know.
> But, if we had problems with 14% of the dnssec signed responses for
> signed zones, then that would be known.
More information about the Dnssec-deployment