[Dnssec-deployment] How much is DNSSEC deployed?
Otmar Lendl
ol at bofh.priv.at
Mon Apr 25 05:25:37 EDT 2011
On 25.04.2011 10:12, Patrik Fältström wrote:
>
> Yes, it is a pain to start with, but that was also one of the arguments
> to start early in Sweden. If we start early before many domains are
> signed, you incrementally can improve quality of DNS hosting.
Now that the root is signed and people move to the root key as anchor,
there is a serious hole in that argument.
We ran into the same problem with ENUM and e164.arpa: Some countries were
running trials under e164.arpa while other countries were fully operational
with their ENUM tree.
This had the effect that a certain southern European country didn't care
that their ENUM tree was completely lame, causing calls from ENUM-enabled
telcos in Austria to run into timeouts.
DNS is global. There is no way any more that you can enable features on a
trial basis, assuming that no one else is fully relying on that feature.
Be either OFF or fully ON @ production quality.
Regarding DNSSEC: Now that the trust anchor is the root itself, there can
be no more "checking the water"-style deployments. The old "if I mess up my
DNSSEC-enabled zone, only a few will notice" truism doesn't hold any
more. Perhaps in your country, but not globally.
The reverse is true, too: If I turn on validation here in Austria, knowing
that .at isn't signed yet, I might think that I'm safe and will not run
into DNSSEC-related troubles for the domains that are important to my local
customers. Nope. Someone, somewhere, will mess up.
------
Summary: The time for DNSSEC-trials in the live DNS is _over_.
>
> I.e. the problem is not by far as much the key management etc as lame
> delegations and million other things that we already know about that are
> not really visible before you sign a domain.
>
> DNSSEC forces people to run DNS better than before.
>
Yes. And how many of those will learn that the hard way? And how much
collateral damage will they do learning it?
>> So, I think Patrik's question is very relevant - how much is DNSSEC
>> actually deployed, but I'd like to add: what are the access providers
>> thinking & planning?
>
> Once again, all large access providers (except one) in Sweden do
> validate all DNS responses.
They will have fun when the whole world goes through the same learning
process that Sweden went through all over again.
otmar
--
-=- Otmar Lendl -- ol at bofh.priv.at -- http://lendl.priv.at/ -=-