[Dnssec-deployment] RRSIG for arpa expired
Michael Graff
mgraff at isc.org
Mon Jun 7 14:15:12 EDT 2010
On 2010-06-07 1:03 PM, Andrew Sullivan wrote:
> On Mon, Jun 07, 2010 at 04:14:17PM +0000, Paul Vixie wrote:
>> i think that right now dnssec is somewhat new and that we can still safely
>> fall back to "no validation" when folks make mistakes.
>
> To play Devil's Advocate here (since I haven't actually made up my
> mind for real), that sounds to me very much like the arguments that
> used to be used in favour of having plain http and https versions of
> sites that really needed security; or for encouraging people to say
> "ok" when they encountered an unvalidatable SSL certificate (because
> the CA list was changing too quickly for the software update cycle).
> Many years later, we're living with the fallout of those decisions.
I think this is very different in most ways. The most basic is that DNSSEC
is a different flavor of security. It's not intended to keep your bank
records private, but to ensure that you are getting the IP addresses for
your bank. Different, but related.

While it is a good idea to try hard to do security, I've heard people
wanting a resolver option to ignore errors: log them, but respond as if
we were not failing. This is wanted because the people who will have to
field the phone calls from broken DNSSEC are not in any way the same
people who will have to field the calls for a broken web server.

If a user gets back a different message for a DNS failure vs a TCP
connect failure (and I'm pretty certain they do) they are more likely to
call their ISP, not the web site people. The ISP has to pay the cost
for the publisher breaking things, and they have only two options: try
to tell everyone calling in that it's not their fault, that the remote
site is broken, or work around it. My guess is the latter is the option.

What they are asking for, in effect, is opportunistic DNSSEC, much in
the same way people are doing opportunistic SMTP encryption. Does it
add security? Perhaps, perhaps not, but it lets them get their feet wet
before diving in and hoping not to drown.

It doesn't have to stay this way, but I think today, with the current
tools, this is a reasonable request.

--Michael
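
An added illustration, not part of the message above and not any resolver's own code: a small Python model of the "log them, but respond as if we were not failing" option, applied to an RRSIG whose validity window has lapsed. The policy names, function names and sample timestamps are constructed for this example; times use the YYYYMMDDHHmmSS presentation format of RFC 4034, and only the time window is modelled, not signature or chain-of-trust verification.

```python
import logging
from datetime import datetime, timezone

log = logging.getLogger("validator-model")

# Constructed sample values, not the real arpa signature data.
SAMPLE_INCEPTION = "20100524000000"
SAMPLE_EXPIRATION = "20100607000000"
SAMPLE_NOW = datetime(2010, 6, 7, 14, 15, tzinfo=timezone.utc)      # after expiry
SAMPLE_EARLIER = datetime(2010, 6, 1, 12, 0, tzinfo=timezone.utc)   # inside window


def parse_rrsig_time(text):
    """Parse an RRSIG inception/expiration field (YYYYMMDDHHmmSS, UTC)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def window_status(inception, expiration, now):
    """Classify the validity window; both bounds are inclusive (RFC 4035)."""
    if now < parse_rrsig_time(inception):
        return "not-yet-valid"
    if now > parse_rrsig_time(expiration):
        return "expired"
    return "ok"


def respond(policy, inception, expiration, now):
    """Return (rcode, ad_bit) a validating resolver model gives its client.

    policy "strict":     a failed check is answered with SERVFAIL.
    policy "permissive": the failure is logged and the data is served anyway,
                         but the AD (authenticated data) bit is never set.
    """
    status = window_status(inception, expiration, now)
    if status == "ok":
        return ("NOERROR", True)
    # Both policies log, so the operator still sees the publisher's mistake.
    log.warning("RRSIG %s: window %s..%s policy=%s",
                status, inception, expiration, policy)
    if policy == "strict":
        return ("SERVFAIL", False)
    if policy == "permissive":
        return ("NOERROR", False)
    raise ValueError("unknown policy: %r" % policy)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for p in ("strict", "permissive"):
        print(p, respond(p, SAMPLE_INCEPTION, SAMPLE_EXPIRATION, SAMPLE_NOW))
```

In the permissive case the client cannot distinguish an expired signature from an unsigned zone, which is the trade-off the thread is debating.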