Re: [Dnssec-deployment] Partial rollout of DNSSEC validation

[Hugo Salgado-Hernández]

Great, thanks a lot for your comments.

This ISP have one of its resolvers validating from more than a year.
And it offers it through DHCP to all its costumers, along with the
two others without validation.

Anyway, I'll be following its deployment. I agree that is a good way
of going forward, as soon as they're aware it doesn't protect their
costumers... just to test their infrastructure and accomodate
operations... in a limited timeframe! As Sebastian says, it eventually
gets debugging hard :)

Hugo


On 01:00 13/06, Robert Martin-Legene wrote:
> I am guessing they are afraid of the consequences of when DNSSEC fails.
> Is their argument that they will be studying the logs, or how do they
> plan to take advantage of this style of roll-out?
> 
> I don't think it is too crazy, and possibly a good way to get ISPs to
> embrace that crazy scary "new" thing called DNSSEC.
> 
> Maybe work with them and set a timeline.. with monthly follow-ups on a
> national NOG list - or with the NIC in private. It would be good if
> everyone can learn from the experience, even the NIC whom are usually
> far from the actual ISP environment setups.
> 
> 
> 
> -- 
> Robert ML
> 


signature.asc
Description: PGP signature

Re: [Dnssec-deployment] Partial rollout of DNSSEC validation

[Robert Martin-Legene]

I am guessing they are afraid of the consequences of when DNSSEC fails.
Is their argument that they will be studying the logs, or how do they
plan to take advantage of this style of roll-out?

I don't think it is too crazy, and possibly a good way to get ISPs to
embrace that crazy scary "new" thing called DNSSEC.

Maybe work with them and set a timeline.. with monthly follow-ups on a
national NOG list - or with the NIC in private. It would be good if
everyone can learn from the experience, even the NIC whom are usually
far from the actual ISP environment setups.



-- 
Robert ML

Re: [Dnssec-deployment] Partial rollout of DNSSEC validation

[Wessels, Duane]

Hi Hugo,

I think your point is widely taken to be true.  That is, stub resolvers won’t 
be fully protected as long as they have one non-validating recursive configured.

Of course it depends on how different stubs are implemented and I doubt anyone 
can say for sure that they know how all the different stub implementations 
would behave in such a situation.

I certainly wouldn’t fault the ISP for doing an incremental deployment (unless 
they take a really long time with it).  I assume the ISP also controls which 
recursive name servers are configured on the end user devices (e.g. via DHCP).  
They could give a subset of their subscribers only the address of the 
validating recursive and then that subset of users would be fully protected.  
As they gain confidence they could give it out to more and more subscribers 
and/or enable validation on the other servers.

DW


On 6/12/17, 2:15 PM, "Hugo Salgado-Hernández" 
 
wrote:

Dear dnssec-experts.

I recently have found a situation where an ISP is doing "incremental
rollout" of DNSSEC validation, by means of activating validation on
1 of its 3 resolvers for their customers.

Even when it could be a conservative way to help to test load and
behaviour for its resolvers, I'm in a discussion if this helps at
all at their customers. AFAIK every stub resolver in customer's appliances
would never be protected, because a stub receiving a SERVFAIL from the
validating resolver for a bogus record, would try with one of the others
two, which will deliver the "wrong" answer, cause they're not validating
at all. So, 1 of 3 is the same as none, from the customer side. The same
with 2. The only real protection will be all resolvers doing validation.

Can you confirm this? Is there any research or documentation on the
way stubs works that could clarify this issue?

Thanks and regards!

Hugo