[Dnssec-deployment] RRSIG for arpa expired

Andrew Sullivan ajs at shinkuro.com
Mon Jun 7 14:03:31 EDT 2010

On Mon, Jun 07, 2010 at 04:14:17PM +0000, Paul Vixie wrote:
> i think that right now dnssec is somewhat new and that we can still safely
> fall back to "no validation" when folks make mistakes.

To play Devil's Advocate here (since I haven't actually made up my
mind for real), that sounds to me very much like the arguments that
used to be used in favour of having plain http and https versions of
sites that really needed security; or for encouraging people to say
"ok" when they encountered an unvalidatable SSL certificate (because
the CA list was changing too quickly for the software update cycle).
Many years later, we're living with the fallout of those decisions.

On such grounds, one could construct a reasonable argument that there
will _always_ be an argument for falling back, because people are
likely to screw things up even if the tools get better.  If you buy
this line of thought, then, you might want to argue that this is our
opportunity to get security deployment right and to fix the mistakes
people made with https.  It suggests that DURZ-style ("DUZ"?) rollouts
ought to be the norm, not the exception, and that lots of operational
evidence needs to be in hand before you allow people to start thinking
they should validate your responses.  (Of course, how precisely to get
such experience is sort of a mystery to me.)


Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.