Educause Security Discussion mailing list archives

Re: DNSSEC Deployment


From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Mon, 17 May 2010 13:46:06 -0700

On 05/17/10 13:35, Joe St Sauver wrote:
> John Ladwig <John.Ladwig () CSU MNSCU EDU> asked:
>
> #Not to pile on, exactly, but since the issue's on the table, can anyone
> #explain to me what the UI looks like on DNSSEC failures, on, say, Windows
> #7 and IE?  For that matter, any OS.
>
> The user sees a domain name resolution failure, indistinguishable from other
> errors at the user level.
>
> If you suspect a DNSSEC resolution failure, dnsviz.net is a helpful site
> for confirming the issue.
>
> This is a known limitation of DNSSEC.

No, it's actually a known limitation of our current implementations.
It's not much of a stretch to have the stub resolver do the validation
(in which case the stub resolver can present the user or the application
with a much more detailed error message).  One implementation (for
Linux) already does this.  A slightly bigger stretch (in that it would
require some minor standards work, unlike the stub resolver idea above)
is to have the nameserver signal the stub resolver with the reason for
failure.  All of these seem doable within the existing DNSSEC framework.

Note that Windows 7 does do some signaling to the nameserver, but it
does so in such a way that the resultant validation failure will still
look like an ordinary SERVFAIL.

Is this the sort of thing that we would be able to understand a priori
without deployment from the operations community?  Possibly, but it
really helps to have the deployment experience out there so we can go
back to the standards community and say "here's what we need."

michael
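An added diagnostic, not part of this thread or of any resolver mentioned in it, that makes the distinction the quoted reply says the end user never gets: it asks a validating resolver the same question twice, once normally and once with the CD (Checking Disabled) bit set, and classifies the pair of RCODEs the way operators do by hand with `dig` and `dig +cd`. A SERVFAIL that becomes an answer when validation is switched off is a DNSSEC validation failure; a SERVFAIL both ways is not. The encoding of the RD/CD/AD header bits and of the EDNS DO bit follows the RFCs cited in the docstring; the resolver address, query names and header-only sample responses are constructed placeholders, and the function names are mine.

```python
"""Tell a DNSSEC validation failure apart from an ordinary resolver error.

A validating resolver answers SERVFAIL when signatures do not validate, so a
user just sees "name not found". Re-asking the same resolver with the CD
(Checking Disabled) bit set skips validation: if that query succeeds while
the plain one fails, the cause is DNSSEC, not a dead server. Wire format is
RFC 1035 (header), RFC 4035 (AD/CD bits) and RFC 6891 (EDNS OPT, DO bit)."""
import socket
import struct

RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
QTYPE_A, QCLASS_IN, TYPE_OPT = 1, 1, 41


def build_query(name, qtype=QTYPE_A, txid=0x1234, cd=False, do=True):
    """Serialize a DNS query; cd=True sets CD, do=True adds an OPT RR with DO."""
    flags = 0x0100                      # RD: recursion desired
    if cd:
        flags |= 0x0010                 # CD: return data even if validation fails
    arcount = 1 if do else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, QCLASS_IN)
    opt = b""
    if do:
        # OPT pseudo-RR: root owner name, type 41, UDP payload size in the
        # class field, DO is the top bit of the 32-bit TTL field, RDLEN 0.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into the flags a diagnostic cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),     # AD: resolver validated the answer
        "cd": bool(flags & 0x0010),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(rcode_validating, rcode_cd):
    """Interpret the RCODE pair from a CD=0 query and a CD=1 query."""
    if rcode_validating == RCODE_SERVFAIL and rcode_cd != RCODE_SERVFAIL:
        return "dnssec-validation-failure"   # only validation broke the lookup
    if rcode_validating == RCODE_SERVFAIL:
        return "server-failure"              # fails either way: not a DNSSEC problem
    if rcode_validating == RCODE_NXDOMAIN:
        return "nxdomain"
    if rcode_validating == RCODE_NOERROR:
        return "ok"
    return "rcode-%d" % rcode_validating


def query_udp(server, name, cd, timeout=3.0, txid=0x1234):
    """Send one query over UDP and return its parsed header (network required)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid=txid, cd=cd), (server, 53))
        resp, _ = sock.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("response does not match the query")
    return hdr


def diagnose(server, name):
    """Return (verdict, validating_header, cd_header) for name via server."""
    plain = query_udp(server, name, cd=False)
    relaxed = query_udp(server, name, cd=True)
    return classify(plain["rcode"], relaxed["rcode"]), plain, relaxed


# Constructed sample responses (header only), not captured from any real server:
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)   # QR RD RA, rcode 2
SAMPLE_CD_ANSWER = struct.pack("!HHHHHH", 0x1234, 0x8190, 1, 1, 0, 0)  # QR RD RA CD, 1 answer
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)  # QR RD RA AD, 1 answer

if __name__ == "__main__":
    verdict = classify(parse_header(SAMPLE_SERVFAIL)["rcode"],
                       parse_header(SAMPLE_CD_ANSWER)["rcode"])
    print("sample pair:", verdict)          # dnssec-validation-failure
    # diagnose("192.0.2.53", "example.com")  # placeholder resolver address, needs network
```

The AD bit in the parsed header is what a security-aware stub like the one described above would key on: a validating resolver sets AD only on answers it verified, so an application that trusts the path to its resolver can at least tell "validated" from "unsigned or unchecked", even though the SERVFAIL case still carries no reason.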


