[Dnssec-deployment] How much is DNSSEC deployed?
ol at bofh.priv.at
Mon Apr 25 05:25:37 EDT 2011
On 25.04.2011 10:12, Patrik Fältström wrote:
> Yes, it is a pain to start with, but that was also one of the arguments
> to start early in Sweden. If we start early before many domains are
> signed, you incrementally can improve quality of DNS hosting.
Now that the root is signed and people move to the root key as anchor,
there is a serious hole in that argument.
We ran into the same problem with ENUM and e164.arpa: Some countries were
running trials under e164.arpa while other countries were fully operational
with their ENUM tree.
This had the effect that a certain southern European country didn't care
that their ENUM tree was completely lame, causing calls from ENUM-enabled
telcos in Austria to run into timeouts.
DNS is global. There is no way any more that you can enable features on a
trial basis, assuming that no one else is fully relying on that feature:
be either OFF or fully ON @ production quality.
Regarding DNSSEC: Now that the trust anchor is the root itself, there can
be no more "checking the water"-style deployments. The old "if I mess up my
DNSSEC-enabled zone, only a few will notice" - truism doesn't hold any
more. Perhaps in your country, but not globally.
The reverse is true, too: If I turn on validation here in Austria, knowing
that .at isn't signed yet, I might think that I'm safe and will not run
into DNSSEC-related troubles for the domains that are important to my local
customers. Nope. Someone, somewhere, will mess up.
Summary: The time for DNSSEC-trials in the live DNS is _over_.
> I.e. the problem is not by far as much the key management etc as lame
> delegations and million other things that we already know about that are
> not really visible before you sign a domain.
> DNSSEC forces people to run DNS better than before.
Yes. And how many of those will learn that the hard way? And how much
collateral damage will they do learning it?
>> So, I think Patrik's question is very relevant - how much is DNSSEC
>> actually deployed, but I'd like to add: what are the access providers
>> thinking & planning?
> Once again, all large access providers (except one) in Sweden do
> validate all DNS responses.
They will have fun when the whole world goes through the same learning
process that Sweden went through all over again.
-=- Otmar Lendl -- ol at bofh.priv.at -- http://lendl.priv.at/ -=-
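The failure mode the post describes (a validating resolver returning SERVFAIL for a zone that someone, somewhere, signed badly) is easy to confuse with an ordinary lame delegation or unreachable nameserver. A standard way to tell the two apart is to send the same query twice to the validating resolver, once normally and once with the CD (checking disabled) bit set: if the name resolves with CD=1 but SERVFAILs with CD=0, the resolver can reach the authoritative data and it is the DNSSEC chain that is broken. The script below is an added example written for this thread, not code from the list or its participants; it uses only the Python standard library, builds the wire-format query by hand, and assumes a validating recursive resolver reachable over UDP port 53. The resolver address, the queried name and the sample response bytes are constructed placeholders.

```python
"""Classify resolver SERVFAILs as DNSSEC validation failures or plain
resolution failures by comparing CD=0 and CD=1 queries.

Added example, not part of the original thread. Assumes a validating
recursive resolver on UDP/53; RESOLVER and the queried name below are
constructed placeholders.
"""
import random
import socket
import struct

RESOLVER = "192.0.2.53"   # constructed placeholder (TEST-NET-1 address)

FLAG_RD = 0x0100          # header flag: recursion desired
FLAG_CD = 0x0010          # header flag: checking disabled (skip validation)
EDNS_DO = 0x8000          # DNSSEC OK bit, carried in the OPT record's TTL field

RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def build_query(name, qtype=1, qid=0x1234, checking_disabled=False):
    """Return a wire-format DNS query for `name` with an EDNS0 OPT record.

    The DO bit is always set so the resolver treats the client as
    DNSSEC-aware; CD is set only when `checking_disabled` is True.
    """
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    # header: id, flags, qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT RR)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # qtype, class IN
    # OPT RR: root name, type 41, UDP payload size 4096, TTL field = DO flag, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_rcode(response):
    """Return (transaction id, rcode) from the 12-byte DNS header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    qid, flags = struct.unpack("!HH", response[:4])
    return qid, flags & 0x000F


def classify(rcode_default, rcode_cd):
    """Interpret the pair of rcodes from a CD=0 and a CD=1 query."""
    if rcode_default == RCODE_SERVFAIL and rcode_cd in (RCODE_NOERROR, RCODE_NXDOMAIN):
        # data is reachable but fails validation: broken signatures or chain
        return "dnssec-validation-failure"
    if rcode_default == RCODE_SERVFAIL and rcode_cd == RCODE_SERVFAIL:
        # fails even without validation: lame delegation, unreachable servers, etc.
        return "resolution-failure"
    if rcode_default == rcode_cd:
        return "ok"
    return "inconsistent"


def query_rcode(resolver, name, checking_disabled, timeout=3.0):
    """Send one query over UDP and return the response rcode."""
    qid = random.randrange(1 << 16)
    packet = build_query(name, qid=qid, checking_disabled=checking_disabled)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    rid, rcode = parse_rcode(data)
    if rid != qid:
        raise ValueError("transaction id mismatch; discarding response")
    return rcode


def diagnose(resolver, name):
    """Run the CD=0 / CD=1 pair against `resolver` and classify the outcome."""
    return classify(query_rcode(resolver, name, False), query_rcode(resolver, name, True))


if __name__ == "__main__":
    # Network use: point RESOLVER at your own validating resolver first.
    print(diagnose(RESOLVER, "example.com."))
```

Run it from a monitoring host against the validating resolver you operate; a burst of `dnssec-validation-failure` results for a name your customers depend on is the signal that a remote zone operator (not your resolver) has broken their chain, which is exactly the collateral damage the post warns about. The CD bit is used here only for diagnosis; it should not be set on production client queries, since that discards the protection validation provides.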