DNSSEC

Barry Margolin barmar at alum.mit.edu
Wed May 9 19:58:06 UTC 2012


In article <mailman.736.1336590990.63724.bind-users at lists.isc.org>,
 Tony Finch <dot at dotat.at> wrote:

> Gaurav Kansal <gaurav.kansal at nic.in> wrote:
> 
> > DNSSEC is done on Authoritative side.
> 
> Signing is done on authority servers. It's straightforward with
> inline-signing mode, or if you maintain your zone with dynamic updates.
> 
> > Caching DNS only check whether that particular domain is signed or not,
> > only if that caching DNS is designed to do so.
> 
> Validation is done on caches. In my experience validation is a pretty
> untroublesome feature to enable, provided you aren't completely hammering
> your name servers.

It's only untroublesome until someone screws things up on their auth 
server.  When one of your users can't access something.gov, they'll 
complain to YOU, even though it's mostly out of your hands.

This is true for other problems on auth servers as well, of course.  But 
DNSSEC is new enough that there tend to be more failures of this kind, 
even by organizations that until now have seemed to know what they're 
doing.

-- 
Barry Margolin
Arlington, MA
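An added example for the point made above, not code from the thread or from BIND: when a user of a validating cache reports that a name does not resolve, the operator wants to know quickly whether it is the zone owner's broken signing (the cache answers SERVFAIL, but the same name resolves once the CD bit tells the cache to skip validation) or an ordinary authoritative outage (the name fails either way). It assumes BIND's `dig` is on the path for live use; the query function is injectable so the decision logic runs offline.

```python
# Triage a resolution failure seen through a validating cache (added example).
# Distinguishes "DNSSEC validation failure caused on the authoritative side"
# from "authoritative servers unreachable" using dig's +cd (checking disabled).
import re
import subprocess
from typing import Callable, Optional

STATUS_RE = re.compile(r"status: ([A-Z]+)")


def parse_rcode(dig_output: str) -> str:
    """Pull the RCODE out of dig's ';; ->>HEADER<<- ... status: X' line."""
    m = STATUS_RE.search(dig_output)
    return m.group(1) if m else "TIMEOUT"


def dig_rcode(name: str, server: Optional[str] = None, cd: bool = False,
              qtype: str = "A") -> str:
    """Query via dig and return the RCODE ('NOERROR', 'SERVFAIL', ...)."""
    cmd = ["dig", "+time=3", "+tries=1", "+noall", "+comments", name, qtype]
    if server:
        cmd.append("@" + server)
    if cd:
        cmd.append("+cd")  # CD=1: the cache returns data without validating it
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=10).stdout
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return "TIMEOUT"
    return parse_rcode(out)


# (name, cd) -> rcode as seen from the cache; hypothetical injectable interface
Query = Callable[[str, bool], str]


def triage(name: str, query: Query = lambda n, cd: dig_rcode(n, cd=cd)) -> str:
    normal = query(name, False)            # what the user's stub resolver sees
    if normal not in ("SERVFAIL", "TIMEOUT"):
        return "ok"                        # resolves (or NXDOMAIN): not DNSSEC
    unchecked = query(name, True)          # same query with validation bypassed
    if normal == "SERVFAIL" and unchecked == "NOERROR":
        # Data is fetchable but fails validation: the zone owner's problem
        # (expired RRSIGs, DS/DNSKEY mismatch, ...). Tell them; a negative
        # trust anchor on the cache is the only local workaround.
        return "dnssec-validation-failure"
    if unchecked in ("SERVFAIL", "TIMEOUT"):
        return "authoritative-unreachable"  # fails even without validation
    return "other"
```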


