Dave,

On Nov 27, 2008, at 10:03 AM, Dave CROCKER wrote:
> If I understand the thread, so far, there is a current reality that suffers from missing too many pieces of necessary DNSSec infrastructure, documentation, maybe software, and definitely training. Without all of these additional pieces, it's not reasonable to expect any sort of casual use -- even for "testing".
No. DNSSEC is in production use today in various places. It's more that no one would notice. The IETF NOC folks could trivially set up a set of DNSSEC-validating caching name servers that would validate any/all signed zones that are covered under the existing trust anchor(s). The NOC folks could then configure DHCP/RA to hand out the IP addresses for those validating caching name servers to folks who use the IETF network.
The problem is that, like most plumbing, this would be entirely transparent to the folks using that network. One of the problems with deploying DNSSEC is that there are no standardized APIs that allow applications to determine whether or not a name has been validated. What's worse, with the standardized APIs, the typical indication of validation failure to applications is essentially indistinguishable from authoritative server misconfiguration. Also, since the attacks DNSSEC protects against are exceedingly rare, it is unlikely there would be any actual behavior beyond normal DNS resolution for anyone to observe.
However, with that said, I personally believe the IETF network should turn on DNSSEC validation in their caching servers and the IETF secretariat should sign the IETF-related zones. I can't think of any reason why this should not occur at this point.
Regards,
-drc
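The point in the message above, that a validation failure reaches the application looking just like a broken authoritative server (both come back as SERVFAIL), is the one operators most often trip over when turning on validation. The example below is added here and is not from the thread: it shows the usual check a resolver operator or client can apply, namely repeating a SERVFAIL query with the CD (checking disabled) bit set. If the CD retry returns data, the resolver rejected the answer on DNSSEC grounds; if it still fails, the problem is upstream. It works on constructed 12-byte DNS message headers so it runs offline; the function and constant names are mine.

```python
import struct
from typing import Optional

# DNS header flag bits (RFC 1035 header; AD and CD from RFC 4035).
FLAG_QR = 1 << 15
FLAG_RD = 1 << 8
FLAG_RA = 1 << 7
FLAG_AD = 1 << 5   # Authentic Data: the resolver validated this answer
FLAG_CD = 1 << 4   # Checking Disabled: client asked the resolver not to validate
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def parse_header(msg: bytes) -> dict:
    """Extract id, AD/CD bits, rcode and answer count from a DNS message header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0xF, "ancount": an}


def classify(normal: bytes, cd_retry: Optional[bytes] = None) -> str:
    """Classify a response from a validating resolver.

    `normal` is the response to the ordinary query (CD=0); `cd_retry` is the
    response to the same query repeated with CD=1, if that retry was made.
    """
    n = parse_header(normal)
    if n["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN):
        # AD set on a positive answer or on a (signed) denial of existence.
        return "validated" if n["ad"] else "unsigned-or-insecure"
    if n["rcode"] != RCODE_SERVFAIL:
        return "other-error"
    if cd_retry is None:
        return "servfail-ambiguous"      # cannot tell DNSSEC failure from outage
    c = parse_header(cd_retry)
    if c["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "validation-failure"     # data is there; resolver refused it on DNSSEC grounds
    return "upstream-failure"           # still fails with CD=1: misconfiguration or unreachable


def make_header(flags: int, rcode: int, ancount: int = 0, ident: int = 0x1234) -> bytes:
    """Build a constructed 12-byte DNS response header for offline testing."""
    all_flags = FLAG_QR | FLAG_RD | FLAG_RA | flags | (rcode & 0xF)
    return struct.pack("!6H", ident, all_flags, 1, ancount, 0, 0)
```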