On 22 Aug 2013 at 15:59, [email protected] wrote: > Running the DNS for 100+ school districts and 400,000+ devices, I really, > REALLY don't want to be the one saying "Sorry, you can't use the site > called for in your lesson plan today because they messed up the DNSSEC > records." Management's response would be "Just make it work!" > > Without a per domain NTA, the only option would be to turn off DNSSEC, > returning to square one.
I'm the engineer responsible for DNS in an organization with something on the order of a thousand sites, over 100K employees, and I'm not even going to estimate the number of devices. We've been DNSSEC validating all query responses from the Internet for two years now and we routinely tell employees that if a domain is DNSSEC signed and has messed up its zone, they won't be able to resolve it (no web access and no email to it) until the problem is fixed on the authoritative end. The only time I've sought and received emergency approval to disable DNSSEC validation was during the recent snafu Verisign made with .gov. Fortunately I saw it and was able to react before things started failing on our own network. I understand why it's necessary for early adopter ISPs. Their customers won't understand why they can't resolve something, but other ISPs can. We saw with Comcast and the nasa.gov failure a while back. Once a number of major ISPs have enabled validation, though, it should no longer be necessary. It should never be necessary for an enterprise or government network. If you've made the organizational decision to implement DNSSEC validation, then it's rightly an all or nothing approach. A validate some things and not others approach is largely useless. > Our browsers give us the option to trust invalid TLS certificates, some > even storing it indefinitely. Is an NTA much different? Yes, and we all see how well that's worked out from a security perspective... Scott _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
