To: dnsop@cafax.se
From: bert hubert <ahu@ds9a.nl>
Date: Thu, 20 Mar 2003 13:54:58 +0100
Content-Disposition: inline
In-Reply-To: <20030320094846.GG29031@atoom.net>
Mail-Followup-To: bert hubert <ahu@ds9a.nl>, dnsop@cafax.se
Sender: owner-dnsop@cafax.se
User-Agent: Mutt/1.3.28i
Subject: Re: secondary behavior with DNSSEC
On Thu, Mar 20, 2003 at 10:48:46AM +0100, Miek Gieben wrote:
> This difference with DNS is obvious, with DNS a secondary that was not up to
> date was bad, but it was still sort of usable. With DNSSEC a secondary that is
> longer out of date than the signature lifetime is disastrous - it causes the
> local removal of a TLD (in this case).

I also see interesting DoS possibilities here - DNSSEC does not offer any
additional protection against spoofing, except that cached answers will be
recognized as being spoofed, but only by DNSSEC-aware clients and not by
generic recursors.

So by spoofing in a badly signed NL NS record, the TLD vanishes for all secure
clients of that poisoned recursor.

Which underlines one of my remaining problems with DNSSEC, even though it now
appears that great progress is being made towards usability. I wonder how many
operators will continue to use DNSSEC after the first time they notice that it
hampers the uptime of their services because of problems like the above.

Regards,

bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO
http://netherlabs.nl         Consulting
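The failure mode Miek and bert describe (a secondary that keeps serving a zone after its signatures have expired, so that every validating resolver treats the TLD as bogus) is the kind of thing an operator would want to monitor on each secondary rather than discover from user complaints. The check below is an added example written for this page, not code from the thread or from PowerDNS: it parses RRSIG records in the RFC 4034 presentation format from a zone dump and classifies each signature as valid, expiring, expired or not yet valid relative to a given clock. The zone lines, key tags and signature data are constructed, and the warning window is an assumed policy value.

```python
"""Report RRSIG expiry on a zone as served by a (possibly stale) secondary.

A validating resolver rejects an RRset whose signature has expired, so a
secondary that is older than the signature lifetime makes the zone vanish
for every client behind a validating recursor. This script flags that
condition before it happens. Added example; not code from the mailing list.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of what an AXFR from an out-of-date secondary might look
# like. Owner names, key tags (12345/54321) and signature blobs are made up;
# field order follows the RFC 4034 RRSIG presentation format:
#   owner TTL class RRSIG type-covered alg labels orig-TTL expiration
#   inception key-tag signer signature
SAMPLE_ZONE = """\
nl.  3600 IN RRSIG SOA    5 1 3600 20030401120000 20030302120000 12345 nl. AAAA...
nl.  3600 IN RRSIG NS     5 1 3600 20030318120000 20030216120000 12345 nl. BBBB...
nl.  3600 IN RRSIG DNSKEY 5 1 3600 20030322120000 20030220120000 54321 nl. CCCC...
"""

# Clock fixed to the date of this message (13:54:58 +0100 is 12:54:58 UTC)
# so the example is reproducible.
NOW = datetime(2003, 3, 20, 12, 54, 58, tzinfo=timezone.utc)

# Assumed policy: warn when a signature has less than this long to live.
WARN_BEFORE = timedelta(days=3)


def parse_rrsig_time(field: str) -> datetime:
    """RFC 4034 s3.2: either YYYYMMDDHHmmSS or unsigned seconds since epoch, UTC."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsigs(zone_text: str):
    """Return [(owner, type_covered, expiration, inception)] for each RRSIG line."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue  # not an RRSIG record (or truncated line); skip it
        owner, type_covered = fields[0], fields[4]
        expiration = parse_rrsig_time(fields[8])
        inception = parse_rrsig_time(fields[9])
        records.append((owner, type_covered, expiration, inception))
    return records


def signature_status(expiration, inception, now, warn_before=WARN_BEFORE) -> str:
    """Classify one signature's validity window against the clock."""
    if now < inception:
        return "not-yet-valid"  # a validator rejects this just like an expired one
    if now >= expiration:
        return "expired"
    if expiration - now <= warn_before:
        return "expiring"
    return "valid"


def check_zone(zone_text: str, now, warn_before=WARN_BEFORE) -> dict:
    """Map (owner, type_covered) -> status for every RRSIG in the dump."""
    return {
        (owner, rtype): signature_status(exp, inc, now, warn_before)
        for owner, rtype, exp, inc in parse_rrsigs(zone_text)
    }


def zone_is_bogus_for_validators(report: dict) -> bool:
    """True if any signature is outside its window: validators will fail the zone."""
    return any(s in ("expired", "not-yet-valid") for s in report.values())


if __name__ == "__main__":
    report = check_zone(SAMPLE_ZONE, NOW)
    for (owner, rtype), status in sorted(report.items()):
        print(f"{owner:8} RRSIG({rtype:6}) {status}")
    if zone_is_bogus_for_validators(report):
        print("ALERT: validating resolvers will treat this zone as bogus")
```

Run against the constructed dump, the NS signature is already expired on the message date, so the zone is reported as bogus even though the SOA signature is still fine; the DNSKEY signature is within the warning window. In practice you would feed it the output of a zone transfer from each secondary and page on "expired" or "expiring".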