[dnssec-deployment] DNSSEC deployment hurdles

[Howard Eland]

When we found these OARC numbers in June / July for .ORG, we were  
naturally pretty disturbed, and did quite a bit of manual packet  
inspections to see what was going on.  I was originally quite  
concerned about the number of resolvers that would melt-down by  
mishandling the frags, but, in reality, we've not heard any  
complaints, so I have to agree with Patrik here.

I _am_ concerned for those deploying DNSSEC with a very large query  
volume.  We've tried to message this very carefully, saying "this is  
what we've seen for ORG, so you may want to watch for this when  
deploying", and _not_ "the sky is falling".

We're working on another set of data to send up to OARC, to see if  
things have settled down since the recent BIND security alert went out  
(although I'm not sure how many people upgraded their legacy system  
because of that alert).

All in all, I'd like to see PowerDNS be DNSSEC-enabled.  As mentioned,  
deployments such as this are hard, and have corner cases, etc.  I  
believe the rewards outweigh the risks.

-Howard Eland
Afilias

On Aug 28, 2009, at 5:16 AM, Patrik Fältström wrote:

>
> On 28 aug 2009, at 11.59, bert hubert wrote:
>
>> I find it worrying that these numbers (which are well known to the
>> DNSSEC community), combined with the OARC results, are not seeing
>> wider discussion here (or anywhere public).
>
> One of the reasons I think is that for example in Sweden we do not  
> see any such problems with fragmentation. Possibly because the  
> responses are not that large, or that the situation is not as bad as  
> the netalyzr data says.
>
> I do not know.
>
> But, if we had problems with 14% of the dnssec signed responses for  
> signed zones, then that would be known.
>
>   paf
>