This blog does not contain official statements from, but rather the personal opinions of individual employees.

Enabling DNSSEC Validation

19 October 2010

This week, Comcast announced that they will enable DNSSEC validation on their production resolvers. One thing you might want to keep in mind if you do that:

People make mistakes. Some domain owners will break their DNSSEC signatures. We've seen a good number of these in 2010, including TLDs like .arpa, .be, and .uk. I asked Comcast if they have a policy on how to deal with such events. According to Jason Livingood, Comcast will inform their users and notify the owners of the broken domain. I answered:

From a technology PoV that's certainly a valid policy.

There are two issues you might think through before you run into them in real life:

When people break their "normal" DNS, all ISPs are affected more or less equally (disregarding caching-effects for now). But as long as Verizon, AT&T and others don't validate as well, your customer will notice that he can't do online-banking while his neighbor on DSL can. This will be discussed on social media platforms and people will compare which access ISPs "work" and which don't. The fact that the problem is on the other end is kind of hard to explain and will be lost in the outrage.

There will be customers who will need immediate access to the blacked-out domain NOW or they will suffer financial damage, couldn't book their golfing tour, or whatever else will bring them to threaten you with legal action. From their PoV, Comcast is suppressing their communication and hotheads will sue. After all, if you already know that DNSSEC is blocking their IMPORTANT business, why don't you just disable it? Depending on what kinds of domains are affected, this might escalate to the very top faster than you might anticipate.

Be prepared.

Author: Otmar Lendl


Last modified: 2010/11/4 - 11:39:09