[dnssec-deployment] DNSSEC deployment hurdles

Mark Andrews marka at isc.org
Sun Aug 30 20:35:19 EDT 2009


In message <list-17985891 at execdsl.com>, Daniel Kalchev writes:
> We have decided to use larger key sizes for .BG especially with the idea 
> that some improper setups will fail and we want them to fail badly!

Which will only break validators behind paths which don't allow TCP.
 
> As it was mentioned already, there is no other way to implement a 
> technology that imposes strict checks but put away the bad practices. 
> "unfortunately" implementations that use side effects of the protocol 
> behaviors for their operation will fail miserably -- but those deserve 
> to fail miserably in the first place!
> 
> If not counting the numerous analyzing tools, that operate on "what if" 
> that give some kinds of alarms, we have not yet had a single complaint 
> on using larger key sizes and thus larger packet sizes.
> 
And it is unlikely to.  Those that turn on DNSSEC validation these
days are the ones that are likely to work out what the problem is
and also realise that they have broken equipment so they won't
complain to you.  They may complain to their equipment vendor but
not to you as you have done nothing wrong.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
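The size effect Mark describes above, as an added example that is not part of the thread: estimating the wire size of a DNSKEY response for RSA keys of a given size, and flagging when it no longer fits the classic 512-byte UDP limit or the resolver's EDNS0 buffer, at which point the answer is truncated and the client must retry over TCP. The zone name, key sizes, the 4096-byte EDNS0 buffer and the assumption that the DNSKEY RRset is signed only by the KSK are constructed for illustration; encoding follows RFC 1035, RFC 4034 and RFC 3110.

```python
# Added example (not from the thread): model the DNSKEY response size for a
# zone signed with RSA keys. Assumptions: no DS/NSEC records in the answer,
# owner names compressed to a 2-octet pointer, EDNS0 with an empty OPT record.

DNS_HEADER = 12
OPT_RR = 11  # empty EDNS0 OPT pseudo-RR: root name(1) type(2) class(2) ttl(4) rdlen(2)
RR_FIXED = 2 + 2 + 2 + 4 + 2  # compressed owner, type, class, TTL, rdlength


def wire_name_len(name):
    """Uncompressed wire length of a domain name, e.g. 'bg.' -> 4 octets."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1  # length octets + root


def rsa_dnskey_rdata_len(modulus_bits, exponent_bytes=3):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) + RFC 3110 public key,
    which is exponent-length field + exponent + modulus."""
    exp_len_field = 1 if exponent_bytes < 256 else 3
    return 4 + exp_len_field + exponent_bytes + modulus_bits // 8


def rrsig_rdata_len(modulus_bits, signer):
    """RRSIG RDATA: 18 fixed octets + uncompressed signer name + RSA signature,
    whose length equals the modulus size."""
    return 18 + wire_name_len(signer) + modulus_bits // 8


def dnskey_response_size(zone, key_bits, signer_bits):
    """Total octets on the wire: header, question, DNSKEY RRs, RRSIGs, OPT."""
    question = wire_name_len(zone) + 4  # QNAME + QTYPE + QCLASS
    dnskeys = sum(RR_FIXED + rsa_dnskey_rdata_len(bits) for bits in key_bits)
    rrsigs = sum(RR_FIXED + rrsig_rdata_len(bits, zone) for bits in signer_bits)
    return DNS_HEADER + question + dnskeys + rrsigs + OPT_RR


def transport_needed(size, edns_buffer=4096):
    """Classify which transport delivers a response of this size intact."""
    if size <= 512:
        return "fits classic 512-byte UDP"
    if size <= edns_buffer:
        return "needs EDNS0 UDP up to %d" % edns_buffer
    return "exceeds UDP buffer: truncated, TCP retry required"


if __name__ == "__main__":
    # Constructed comparison: 1024-bit keys versus a 4096-bit KSK with 2048-bit ZSK.
    for keys, signers in (([1024, 1024], [1024]), ([4096, 2048], [4096])):
        size = dnskey_response_size("bg.", keys, signers)
        print(keys, size, transport_needed(size), "|", transport_needed(size, 1232))
```

With the large-key configuration the response is over 1300 octets, so a resolver behind a path that blocks TCP and limits UDP to 512 octets or a small EDNS0 buffer never obtains the DNSKEY RRset.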