
Roll Over And Die (ROAD)

Posted Jul 16, 2010 11:42 UTC (Fri) by shane (subscriber, #3335)
Parent article: An interesting DNSSEC amplification

Full disclosure: I work for ISC (the company that makes BIND).

This article is from the March 2010 issue of the IPJ. The specific problems were fixed in February or March 2010, in the software that supports DNSSEC and exhibits this behavior.

You can see the ISC official comment:

http://www.isc.org/announcement/iscs-response-concerns-ex...

You can see a message from the director of NLnetLabs (NLnetLabs makes Unbound):

http://unbound.net/pipermail/unbound-users/2010-February/...

As the article mentions, RFC 5011 describes a technology designed specifically to address key rollover. This is indeed designed to automate administration of DNSSEC-aware resolvers. Implementations are done, and I expect widespread adoption over the next few years.

Beyond that, keep in mind that any security feature by necessity increases the fragility and decreases the usability of the system. This is something to be aware of, but not something to be afraid of. This LWN summary comes very close to spreading FUD about DNSSEC. This is a pity, because DNS has long been an insecure link in the Internet, and DNSSEC not only allows that weakness to be resolved, but also enables new functionality built on a more secure DNS foundation.




Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds