Re: [Dnssec-deployment] Partial rollout of DNSSEC validation
Great, thanks a lot for your comments. This ISP have one of its resolvers validating from more than a year. And it offers it through DHCP to all its costumers, along with the two others without validation. Anyway, I'll be following its deployment. I agree that is a good way of going forward, as soon as they're aware it doesn't protect their costumers... just to test their infrastructure and accomodate operations... in a limited timeframe! As Sebastian says, it eventually gets debugging hard :) Hugo On 01:00 13/06, Robert Martin-Legene wrote: > I am guessing they are afraid of the consequences of when DNSSEC fails. > Is their argument that they will be studying the logs, or how do they > plan to take advantage of this style of roll-out? > > I don't think it is too crazy, and possibly a good way to get ISPs to > embrace that crazy scary "new" thing called DNSSEC. > > Maybe work with them and set a timeline.. with monthly follow-ups on a > national NOG list - or with the NIC in private. It would be good if > everyone can learn from the experience, even the NIC whom are usually > far from the actual ISP environment setups. > > > > -- > Robert ML > signature.asc Description: PGP signature
Re: [Dnssec-deployment] Partial rollout of DNSSEC validation
I am guessing they are afraid of the consequences of when DNSSEC fails. Is their argument that they will be studying the logs, or how do they plan to take advantage of this style of roll-out? I don't think it is too crazy, and possibly a good way to get ISPs to embrace that crazy scary "new" thing called DNSSEC. Maybe work with them and set a timeline.. with monthly follow-ups on a national NOG list - or with the NIC in private. It would be good if everyone can learn from the experience, even the NIC whom are usually far from the actual ISP environment setups. -- Robert ML
Re: [Dnssec-deployment] Partial rollout of DNSSEC validation
Hi Hugo, I think your point is widely taken to be true. That is, stub resolvers won’t be fully protected as long as they have one non-validating recursive configured. Of course it depends on how different stubs are implemented and I doubt anyone can say for sure that they know how all the different stub implementations would behave in such a situation. I certainly wouldn’t fault the ISP for doing an incremental deployment (unless they take a really long time with it). I assume the ISP also controls which recursive name servers are configured on the end user devices (e.g. via DHCP). They could give a subset of their subscribers only the address of the validating recursive and then that subset of users would be fully protected. As they gain confidence they could give it out to more and more subscribers and/or enable validation on the other servers. DW On 6/12/17, 2:15 PM, "Hugo Salgado-Hernández"wrote: Dear dnssec-experts. I recently have found a situation where an ISP is doing "incremental rollout" of DNSSEC validation, by means of activating validation on 1 of its 3 resolvers for their customers. Even when it could be a conservative way to help to test load and behaviour for its resolvers, I'm in a discussion if this helps at all at their customers. AFAIK every stub resolver in customer's appliances would never be protected, because a stub receiving a SERVFAIL from the validating resolver for a bogus record, would try with one of the others two, which will deliver the "wrong" answer, cause they're not validating at all. So, 1 of 3 is the same as none, from the customer side. The same with 2. The only real protection will be all resolvers doing validation. Can you confirm this? Is there any research or documentation on the way stubs works that could clarify this issue? Thanks and regards! Hugo