[unisog] Query on CERT VU#800113
rackow at mcs.anl.gov
Mon Jul 21 20:45:46 GMT 2008
I'd really like to know how much of the name space is actually using DNSSEC.
By that I mean the signed info, not the other really good info on
dns server configuration.

I started poking at some names and using drill to see what the responses
were going to be. The only things I found that were really using DNSSEC
and could be verified were in .se, .ru, and a few .org sites. None of
the places I normally interact with are running it. The last stat I
found on the net was from 2006, and it indicated 0.00005% of the net
was using DNSSEC. It would take many orders of magnitude growth
for it to be taken seriously by anyone.

Seriously, if someone has updated stats on who/how much it's being
used, let me know. I've done some testbed stuff on it, but not much

This is my personal opinion, and not that of those that write

To me, it seems that deploying DNSSEC at the desktop levels is only going
to confuse things. As a user, IF I could configure things to give
me various warnings on non-verification, I'd just immunize myself
to the fact that everything is in warning state. Nothing is real.

Next, IF I set my machine up that way, and somehow got hit with one
of these bogus /etc/resolv.conf entries, it wouldn't really help me
anyway. Since my machine needs to be set to allow non-verifiable so
I can get to google, ebay, my-big-bank, DOE, almost*.edu, IF my machine
asks a bogus name server about a site that IS signed, I'm going to
get back from the hacked site that no signature exists, just like
that for google, etc. Since that's the norm, would I detect that
it got this info from a bogus server? Would I notice the change?

I think that pushing to get DNSSEC to be something available everywhere
is a noble cause. I don't see it happening very fast. Most of the
TLD and root servers are not looking to go that route for several
years, at least from the info that I've found on the net.

Yes, it's important to get your servers updated to the latest levels.
It's important to start planning and/or maybe finding a way to
deploy DNSSEC data for your domain. Thinking that deployment of
DNSSEC is going to solve anything at the moment is a pipe dream.
There isn't enough install base to start building on.

Note that deploying DNSSEC for your domain isn't really going to
do anything for you now, but at some point it may become the
useful standard people want it to be today. It's going to take
time to build that base and get support. IF places like google,
ebay, paypal, banks, credit-unions would get behind it enough
to sign their data, it may make it easier for the rest of
the net to be able to justify it too. Since the places that I
deal with on the net that deal with $$ and/or personal info have
not deemed this worthwhile, why should I?
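The scenario the poster raises (a permissive client, a rogue resolver that simply answers "no signature exists") is the classic DNSSEC downgrade question. The following Python model is an added illustration for this archive page, not code from the poster or from any real resolver; it reduces the RFC 4035 validation states to a few booleans and assumes the client holds a trust anchor for any parent zone marked as signed. The zone names and the two parent-zone configurations are constructed placeholders.

```python
"""Toy model of DNSSEC validation outcomes for a validating client.

Constructed illustration (not the poster's code, not a real resolver).
Simplifications versus RFC 4035 section 4.3: a trust anchor is assumed
for every parent zone marked `signed`, and signature checking collapses
into two booleans on the answer.
"""
from dataclasses import dataclass

SECURE, INSECURE, BOGUS, INDETERMINATE = "secure", "insecure", "bogus", "indeterminate"


@dataclass(frozen=True)
class Answer:
    """What the (possibly attacker-controlled) resolver handed back."""
    name: str
    rrsig_present: bool   # did the answer carry RRSIG records at all?
    rrsig_valid: bool     # if present, do they verify against the zone's DNSKEY?


@dataclass(frozen=True)
class ParentZone:
    """What the validator can learn from the delegating parent zone."""
    signed: bool            # parent is signed and the client trusts its key
    ds_for: frozenset       # child names that have a DS record (secure delegation)


def classify(answer: Answer, parent: ParentZone) -> str:
    """Map one answer onto the four RFC 4035 validation states."""
    if not parent.signed:
        # No chain of trust reaches this name, so nothing can be proven either
        # way: a stripped signature looks exactly like a zone that was never signed.
        return INDETERMINATE
    if answer.name not in parent.ds_for:
        # The signed parent securely denies a DS, so the child is provably unsigned.
        return INSECURE
    # The parent vouches for the child's keys, so valid signatures are mandatory.
    if answer.rrsig_present and answer.rrsig_valid:
        return SECURE
    return BOGUS


def accept(status: str, allow_unvalidated: bool) -> bool:
    """Client policy. A strict client accepts only SECURE; a permissive one
    (the 'so I can get to google' setting) also takes INSECURE/INDETERMINATE.
    BOGUS is rejected under either policy."""
    if status == SECURE:
        return True
    if status == BOGUS:
        return False
    return allow_unvalidated


def scenarios() -> dict:
    """Constructed cases; the names are placeholders, not measurements."""
    unsigned_tld = ParentZone(signed=False, ds_for=frozenset())
    signed_tld = ParentZone(signed=True, ds_for=frozenset({"signed.example"}))

    genuine = Answer("signed.example", rrsig_present=True, rrsig_valid=True)
    # A rogue resolver replying "no signature exists" for a zone that is signed.
    stripped = Answer("signed.example", rrsig_present=False, rrsig_valid=False)
    # A zone that really is unsigned.
    plain = Answer("plain.example", rrsig_present=False, rrsig_valid=False)

    return {
        # With an unsigned parent the stripped answer and the genuinely unsigned
        # zone land in the same state, and a permissive client accepts both.
        "stripped_under_unsigned_parent": classify(stripped, unsigned_tld),
        "plain_under_unsigned_parent": classify(plain, unsigned_tld),
        # Once the parent is signed and publishes a DS, stripping is detectable.
        "stripped_under_signed_parent": classify(stripped, signed_tld),
        "genuine_under_signed_parent": classify(genuine, signed_tld),
        "plain_under_signed_parent": classify(plain, signed_tld),
    }


if __name__ == "__main__":
    for case, status in scenarios().items():
        print(f"{case:32} -> {status:13} accepted(permissive)={accept(status, True)}")
```

The model makes the poster's worry concrete: while the delegating parent is unsigned, "no signature" from a rogue server and "no signature" from an unsigned site are the same `indeterminate` state, so a client that has to accept unvalidated answers cannot tell them apart. The detection only appears once the parent is signed and carries a DS, at which point the same stripped answer becomes `bogus` and is refused regardless of client policy.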