On 2013-08-27, at 08:49, Antoin Verschuren <[email protected]> wrote:
> How about this solution: > > A truly DNSSEC aware authoritative server should not publish a zone, > not even the unsigned records, when validation fails for that zone. > That way, if a DNSSEC signed zone is DNSSEC broken, it's also broken > for a non-validating resolver, there is no competition issue, and the > zone publisher should fix his zone to get it working at all. > > Who will be the first DNS vendor implementing? :-) That would help avoid some problems. It wouldn't help avoid all problems, though. The event horizon for end-user problems is extended based on cached records originally served from previous internally-correct zones, and bad interactions between successive, well-signed zones can still cause problems. I seem to think actually that all the prominent public failures near the root of the namespace have not been due to zones that were signed incorrectly, but rather botched rollovers, parent DS mismatch, accidental use of an old key, etc. I've long wished for a more general facility where upon successful [AI]XFR I could shell out to an arbitrary local executable and do whatever checks I wanted before signalling with exit status that "this zone is ok to serve". With a bit of state held on disk about previous zones you could include some of those temporal checks and perhaps catch a few more problems. Joe
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
