Maintained by: NLnet Labs

[Unbound-users] problems resolving some sites

Kevin Chadwick
Fri Nov 26 21:05:30 CET 2010

On Fri, 26 Nov 2010 18:49:20 +0100
lst_hoe02 at wrote:

> Fact is, if it resolves with +cdflag (checking disabled) there is
> something wrong with DNSSEC or someone is screwing the result records.

DNSSEC does open you up to far easier DoS attacks (I'm not saying
this case was intentional). Elliptic Curve Crypto may reduce that
potential, as originally proposed by DNSCurve, but DNSSEC does make it
very unlikely that you're given bogus DNS data.

With SSH's recent adoption of ECC keys, maybe reducing the scope of
this trade-off will happen sooner than I was expecting. Then again the
ssh community is far more adaptable/pro-active than the DNSSEC people,
even with all that money, or maybe that's part of the problem.

I am not happy, but I'm still intending to turn on DNSSEC, though it does
require monitoring.

Here's a quote from one of the original OpenSSH authors that was put on
the OpenBSD list about ipv6 (not dnssec but I think it probably
applies), which I notice FRLinux should recall.

"shit which comes out of research organizations all tends to suck these
days, doesn't it.  or perhaps it always did (OSI networking, ipv6,
same same).

i have theorized in the past that the problem we face is
that an insufficient number of axe murderers are attending those kinds
of research meetings."
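The +cdflag test quoted above, and the monitoring the poster says DNSSEC requires, can be combined into one check: query a name normally and again with checking disabled, and treat "SERVFAIL normally but an answer with +cd" as a validation failure rather than a broken zone. This is an added example, not code from the list thread or from Unbound; it assumes `dig` is installed and a validating resolver (such as a local Unbound) on 127.0.0.1.

```shell
#!/bin/sh
# DNSSEC validation monitor: compare a normal query with a checking-disabled
# (+cd) query against the same resolver. Assumes dig; RESOLVER defaults to
# a local validating Unbound on 127.0.0.1 (assumption, override via env).
RESOLVER="${RESOLVER:-127.0.0.1}"

# rcode_of NAME [+cd]: print the RCODE (NOERROR, SERVFAIL, NXDOMAIN, ...)
# that dig reports in its status line; prints nothing if dig got no reply.
rcode_of() {
    dig @"$RESOLVER" "$1" A +time=3 +tries=1 ${2:-} |
        sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# classify NORMAL_RCODE CD_RCODE: pure decision logic, testable offline.
#   ok        the validating query answered (NOERROR or a validated NXDOMAIN)
#   bogus     only the +cd query answers: the resolver refused the data as
#             unvalidatable (bad/expired RRSIGs, broken DS chain, tampering)
#   upstream  fails both ways: the zone or network path is broken, not DNSSEC
#   unknown   no usable status line (resolver down, timeout, parse failure)
classify() {
    case "$1/$2" in
        SERVFAIL/SERVFAIL)                  echo upstream ;;
        SERVFAIL/NOERROR|SERVFAIL/NXDOMAIN) echo bogus ;;
        NOERROR/*|NXDOMAIN/*)               echo ok ;;
        *)                                  echo unknown ;;
    esac
}

# check_name NAME: run both queries, print a one-line verdict, return
# non-zero unless validation succeeded (handy as a cron/Nagios-style check).
check_name() {
    normal=$(rcode_of "$1")
    cd=$(rcode_of "$1" +cd)
    result=$(classify "$normal" "$cd")
    printf '%s\t%s\t(normal=%s cd=%s)\n' "$1" "$result" \
        "${normal:-none}" "${cd:-none}"
    [ "$result" = ok ]
}

# Usage: sh dnssec-check.sh example.com other.example ...
if [ $# -gt 0 ]; then
    rc=0
    for name; do check_name "$name" || rc=1; done
    exit "$rc"
fi
```

A "bogus" verdict is the case the quoted poster describes: the records exist, but the validator will not hand them out, so the fix belongs with the zone's DNSSEC chain, not with the resolver.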