Dave,
On Nov 27, 2008, at 10:03 AM, Dave CROCKER wrote:
> If I understand the thread, so far, there is a current reality that
> suffers from missing too many pieces of necessary DNSSec
> infrastructure, documentation, maybe software, and definitely
> training. Without all of these additional pieces, it's not
> reasonable to expect any sort of casual use -- even for "testing".
No. DNSSEC is in production use today in various places. It's more
that no one would notice. The IETF NOC folks could trivially set up a
set of DNSSEC-validating caching name servers that would validate any/
all signed zones that are covered under the existing trust anchor(s).
The NOC folks could then configure DHCP/RA to hand out the IP
addresses for those validating caching name servers to folks who use
the IETF network.
The problem is that, like most plumbing, this would be entirely
transparent to the folks using that network. One of the problems with
deploying DNSSEC is that there are no standardized APIs that allow
applications to determine whether or not a name has been validated.
What's worse, with the standardized APIs, the typical indication of
validation failure to applications is essentially indistinguishable
from authoritative server misconfiguration. Also, since the attacks
DNSSEC protects against are exceedingly rare, it is unlikely there
would be any actual behavior beyond normal DNS resolution for anyone
to observe.
However, with that said, I personally believe the IETF network should
turn on DNSSEC validation in their caching servers and the IETF
secretariat should sign the IETF-related zones. I can't think of any
reason why this should not occur at this point.
Regards,
-drc
_______________________________________________
Ietf mailing list
ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf