lists.isc.org rDNS failed, DNSSEC?

michoski michoski at cisco.com
Fri Feb 24 05:00:56 UTC 2012


On 2/23/12 8:48 PM, "Vinny_Abello at Dell.com" <Vinny_Abello at Dell.com> wrote:

> I kind of had the same thought... If ISC had a DNS outage due to expired
> signatures of a zone, what chance do I have in successfully deploying and
> maintaining DNSSEC for my zones? Sure, everyone makes mistakes, but I think it
> speaks volumes to the inherent complexity and the further need for simplifying
> the maintenance of signed zones. I know that progress is continually being
> made on this front and I think others agree... Just pointing it out again. I
> have nothing against DNSSEC, personally. I'd love to deploy it. I just don't
> have the time to maintain it or worry about maintaining it right now.

Much agreed, though I want to point out that you should only generally
deploy DNSSEC (or any new technology?) if the benefit outweighs the cost.
Adopting new technology "just because" usually leads to trouble (or
overworked admins that give up and go elsewhere).

What's the potential risk to your organization if the mythical "determined
attacker" is able to negatively or positively spoof resource records under
your control?  Maybe not much for you, maybe millions for financial orgs.

If the potential cost to the organization is high enough...  It will justify
paying a team of folks to maintain DNSSEC.  :-)

That said, I too look forward to a day when security is easier and more
automatic.  Much progress has been made, and I have high hopes and faith in
ISC and the DNS community at large.

http://www.jnd.org/books.html

-- 
Time is the coin of your life. It is the only coin you have, and only you
can determine how it will be spent. Be careful lest you let other people
spend it for you.  -- Carl Sandburg
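The outage discussed in this thread was caused by RRSIG records whose validity window had passed, which makes signature-expiry monitoring the cheapest insurance a zone operator can buy. The following is an added example, not code from the thread, ISC or BIND: it parses RRSIG records in dig-style presentation format (RFC 4034 field order), decodes the expiration and inception timestamps (both the YYYYMMDDHHmmSS and the seconds-since-epoch form), and classifies each signature as expired, expiring within a warning window, not yet valid, or ok. The zone name `example.test`, the records in `SAMPLE_RRSIGS`, the key tag and the reference time `SAMPLE_NOW` are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIG records in presentation format (the form dig prints).
# The names, key tag and signature data are placeholders invented for this example.
SAMPLE_RRSIGS = """\
example.test.     3600 IN RRSIG SOA 8 2 3600 20120223000000 20120124000000 12345 example.test. cGxhY2Vob2xkZXI=
example.test.     3600 IN RRSIG NS  8 2 3600 20120226120000 20120127120000 12345 example.test. cGxhY2Vob2xkZXI=
www.example.test. 3600 IN RRSIG A   8 3 3600 20120320000000 20120220000000 12345 example.test. cGxhY2Vob2xkZXI=
"""

# Constructed reference time: the timestamp of the mail this example accompanies.
SAMPLE_NOW = datetime(2012, 2, 24, 5, 0, 56, tzinfo=timezone.utc)


def parse_time(text):
    """Decode an RRSIG inception/expiration field (RFC 4034 section 3.2).

    The presentation format allows either YYYYMMDDHHmmSS in UTC or a plain
    unsigned integer of seconds since the epoch; handle both.
    """
    if len(text) == 14 and text.isdigit():
        return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(text), tz=timezone.utc)


def parse_rrsig(line):
    """Split one RRSIG record into its RDATA fields.

    Field order after the RRSIG token: type covered, algorithm, labels,
    original TTL, expiration, inception, key tag, signer name, signature.
    TTL and class before the RRSIG token are optional in presentation format,
    so the RDATA is located relative to the RRSIG token rather than by position.
    """
    fields = line.split()
    if "RRSIG" not in fields:
        raise ValueError("not an RRSIG record: %r" % line)
    rdata = fields[fields.index("RRSIG") + 1:]
    if len(rdata) < 9:
        raise ValueError("truncated RRSIG RDATA: %r" % line)
    return {
        "name": fields[0],
        "type_covered": rdata[0],
        "algorithm": int(rdata[1]),
        "labels": int(rdata[2]),
        "original_ttl": int(rdata[3]),
        "expiration": parse_time(rdata[4]),
        "inception": parse_time(rdata[5]),
        "key_tag": int(rdata[6]),
        "signer": rdata[7],
    }


def classify(sig, now, warn=timedelta(days=3)):
    """Validators reject a signature outside [inception, expiration); warn early."""
    if now < sig["inception"]:
        return "not-yet-valid"
    if now >= sig["expiration"]:
        return "expired"
    if sig["expiration"] - now <= warn:
        return "expiring"
    return "ok"


def check_signatures(text, now, warn=timedelta(days=3)):
    """Classify every RRSIG in a block of presentation-format text."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # skip blank lines and dig comments
        sig = parse_rrsig(line)
        results.append({
            **sig,
            "status": classify(sig, now, warn),
            "remaining": sig["expiration"] - now,
        })
    return results


if __name__ == "__main__":
    for r in check_signatures(SAMPLE_RRSIGS, SAMPLE_NOW):
        print("%-12s %-18s %-4s expires %s (%s)" % (
            r["status"], r["name"], r["type_covered"],
            r["expiration"].isoformat(), r["remaining"]))
```

In practice the input would come from `dig +dnssec` output or from the signed zone file, the warning window would be set to comfortably exceed the re-signing interval, and an "expired" or "not-yet-valid" result would page someone. Checking only the SOA RRSIG is not enough: each RRset carries its own signature, so the check should cover every RRSIG in the zone.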
