Educause Security Discussion mailing list archives
Re: DNSSEC Deployment
From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Mon, 17 May 2010 13:46:06 -0700
On 05/17/10 13:35, Joe St Sauver wrote:
> John Ladwig <John.Ladwig () CSU MNSCU EDU> asked:
>
> #Not to pile on, exactly, but since the issue's on the table, can anyone
> #explain to me what the UI looks like on DNSSEC failures, on, say, Windows
> #7 and IE? For that matter, any OS.
>
> The user sees a domain name resolution failure, indistinguishable from other errors at the user level. If you suspect a DNSSEC resolution failure, dnsviz.net is a helpful site for confirming the issue.
>
> This is a known limitation of DNSSEC.

No, it's actually a known limitation of our current implementations. It's not much of a stretch to have the stub resolver do the validation (in which case the stub resolver can present the user or the application with a much more detailed error message). One implementation (for Linux) already does this.

A slightly bigger stretch (in that it would require some minor standards work, unlike the stub resolver idea above) is to have the nameserver signal the stub resolver with the reason for failure. All of these seem doable within the existing DNSSEC framework.

Note that Windows 7 does do some signaling to the nameserver, but it does so in such a way that the resultant validation failure will still look like an ordinary SERVFAIL.

Is this the sort of thing that we would be able to understand a priori without deployment from the operations community? Possibly, but it really helps to have the deployment experience out there so we can go back to the standards community and say "here's what we need."

michael
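
Added example, not part of the original thread: while a validation failure reaches the client as a plain SERVFAIL, an operator can tell the two apart by sending the same question to the validating resolver twice, once normally and once with the CD (Checking Disabled) bit, and comparing the replies. The sketch below builds both queries and classifies a pair of replies; the function names, category strings and header-only sample replies are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
NOERROR, SERVFAIL = 0, 2

def build_query(name, qtype=1, cd=False, qid=0x1234):
    """DNS query with EDNS0 DO set; cd=True also sets Checking Disabled."""
    header = struct.pack("!HHHHHH", qid, RD | (CD if cd else 0), 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, UDP size 1232, TTL field carrying DO
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "rcode": flags & 0x000F, "ad": bool(flags & AD), "answers": an}

def classify(resp_normal, resp_cd):
    """Compare replies to the same question sent without and with CD."""
    n, c = parse_header(resp_normal), parse_header(resp_cd)
    if n["rcode"] == SERVFAIL:
        # Data is retrievable once checking is disabled: validation rejected it.
        if c["rcode"] == NOERROR and c["answers"] > 0:
            return "dnssec-validation-failure"
        return "servfail-not-dnssec"
    if n["rcode"] == NOERROR:
        return "validated" if n["ad"] else "resolved-unvalidated"
    return "rcode-%d" % n["rcode"]

def _reply(flags, answers):  # constructed header-only replies for the demo
    return struct.pack("!HHHHHH", 0x1234, QR | RD | RA | flags, 1, answers, 0, 0)

BOGUS_ZONE = (_reply(SERVFAIL, 0), _reply(CD | NOERROR, 1))
DEAD_SERVERS = (_reply(SERVFAIL, 0), _reply(CD | SERVFAIL, 0))
SIGNED_OK = (_reply(AD | NOERROR, 1), _reply(CD | NOERROR, 1))

if __name__ == "__main__":
    for label, pair in [("bogus", BOGUS_ZONE), ("dead", DEAD_SERVERS), ("ok", SIGNED_OK)]:
        print(label, classify(*pair))
```

Against a live resolver, the two byte strings from `build_query` would be sent over UDP port 53 and the raw replies passed to `classify`.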