Free secondary servers supporting DNSSEC?

Vernon Schryver vjs at rhyolite.com
Sun Feb 17 16:48:17 UTC 2013


> From: David Forrest <drf at maplepark.com>

> > In any case, some naming and shaming seems appropriate.  Basic
>
> Naming and shaming seems excessive for a "free" service.

Services that do not charge users money are often not really free.
That this case might cost security instead of eyeballs should not
exempt it from scrutiny or criticism.

If today were 2003, if the lack of support were for the DANE types,
or if primary DNSSEC service with auto-signing were supported, then
maybe it would be ok.

For a reductio ad absurdum example, what would you say about a free
DNS secondary service that replaces your A records with others with
IP addresses of an advertiser (and tiny TTLs) for 10% of requests?
Done carefully, including not messing with MX and some other types,
it wouldn't completely wreck a small web site.
https://www.google.com/search?q=dns+hijack

The important and undeniable scandal is the lack of support from
registrars for DS RRs.


Speaking of DNSSEC, I've been watching the graphs on
http://scoreboard.verisignlabs.com/ for months with growing incredulity.
How can the counts or percentages for .com and .net be growing so
amazingly consistently?  Where are the dips and bumps you'd expect
for holidays?  Why isn't there far more noise in the graphs?


Vernon Schryver    vjs at rhyolite.com



More information about the bind-users mailing list