DNSSEC failures are how you get people to disable DNSSEC
May 31, 2023
The news of the time interval is that the people responsible for the
New Zealand country zones (things directly under .nz) fumbled a
DNSSEC key (KSK) rollover in such a way as to break DNSSEC resolution
for those domains (see DNSSEC chain validation issue for .nz
domains,
this news article,
and more).
The recommended fix to get these domains back to working DNSSEC
was for all of the people running DNSSEC validating resolvers to
flush the cached data for everything under .nz. Otherwise you could
wait for things to time out in a day or two.
What else could you do on your DNSSEC validating resolver
to fix this and many future DNSSEC 'we shot ourselves in the foot'
moments? That's right: you could disable DNSSEC validation entirely.
The corollary is that every prominent DNSSEC failure is another
push for people running resolvers to give up on the whole business of
complexity and hassles.
Some people are required to run DNSSEC validating resolvers,
and others are strongly committed to it (and are so far willing to
pay the costs of doing so in staff time, people's complaints, and
so on). But many people are not so committed, and so the more big
DNSSEC failures there are, the more of them are going to solve the
problem once and for all by dropping out. And then DNSSEC becomes
that much harder to adopt widely even if you think it's a good idea.
(As for whether DNSSEC is a good idea, see for example this
RIPE86 slide deck by Geoff Huston,
via,
also.)
An additional contributing factor to this dynamic is that attacks
that are (or would be) stopped by DNSSEC seem relatively rare
these days. In practice, for almost everyone and almost all of
the time, it seems that a DNSSEC validation failure happens
because a zone operator screwed up. This gives us the security
alert problem, where the ordinary person's
experience is dominated by false positives that just get in their
way.
PS: At this point it's probably too late to fix the core problem,
since DNSSEC is already designed and deployed, and my impression
is that it has low protocol agility (the ability to readily change).
Exhorting people to not screw up things like DNSSEC KSK rollover
clearly hasn't worked, so the best practical solution would be better
ways to automatically recover from it. Perhaps there are practical
changes to resolving DNS servers that could be made to work around
the problem, so that for example they have heuristics to trigger automatic
flushing and re-fetching of zones.
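To make the "flush and re-fetch" advice and the heuristic the PS asks for concrete, here is an added Python example (not the post's own code, and not how any real resolver implements this) that computes DS records from DNSKEY records per RFC 4034 and RFC 4509 and flags a cached DNSKEY RRset that no longer links to the parent's DS records, which is the generic way a botched KSK rollover breaks validation. The keys, the zone state and the failure sequence are constructed assumptions: the post does not describe the mechanics of the .nz incident, and a real validator also verifies the RRSIG over the DNSKEY RRset, which this check omits.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:
    flags: int      # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int  # DNSSEC algorithm number, e.g. 13 = ECDSAP256SHA256
    pubkey: bytes   # raw public key material (constructed bytes in the demo below)
    def rdata(self) -> bytes:
        # DNSKEY RDATA wire format: flags(2) | protocol(1, always 3) | algorithm(1) | key
        return self.flags.to_bytes(2, "big") + b"\x03" + bytes([self.algorithm]) + self.pubkey

    def key_tag(self) -> int:
        # Key tag per RFC 4034 Appendix B: 16-bit checksum-style sum over the RDATA
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256 (RFC 4509)
    digest: bytes

def owner_wire(name: str) -> bytes:
    # Canonical wire form of the owner name: lowercase, length-prefixed labels, root label
    labels = [l.encode() for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def ds_from_dnskey(zone: str, key: DNSKEY) -> DS:
    # DS digest = SHA-256(owner name wire form || DNSKEY RDATA)
    digest = hashlib.sha256(owner_wire(zone) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, 2, digest)

def should_flush(zone: str, parent_ds: set, cached_dnskeys: set) -> bool:
    # Heuristic: if no cached DNSKEY is the one a parent DS points at, the cache is stale
    # (or the zone is broken); re-fetching is the manual fix operators were told to apply.
    return not any(ds_from_dnskey(zone, k) in parent_ds for k in cached_dnskeys)

# Constructed demo of a rollover gone wrong: the parent publishes a DS only for the new
# KSK while a resolver's cache still holds the DNSKEY RRset containing the old KSK.
OLD_KSK = DNSKEY(257, 13, b"old-ksk-public-key-bytes")
NEW_KSK = DNSKEY(257, 13, b"new-ksk-public-key-bytes")
ZSK = DNSKEY(256, 13, b"zsk-public-key-bytes")
PARENT_DS = {ds_from_dnskey("nz", NEW_KSK)}
STALE_CACHE = {OLD_KSK, ZSK}   # cached before the rollover: no key matches PARENT_DS
FRESH_CACHE = {NEW_KSK, ZSK}   # what a flush and re-fetch returns
```

The operational equivalent on a real resolver is the per-zone cache flush the .nz operators asked for, such as `rndc flushtree nz` on BIND or `unbound-control flush_zone nz` on Unbound.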