Date: Sat, 14 Feb 2009 02:05:36 +0300 From: Solar Designer <solar@...nwall.com> To: owl-users@...ts.openwall.com Subject: Re: DNSSEC support Hi Radek, Thank you for bringing this topic up on the list. Perhaps we should have brought it up prior to making the change. On Fri, Feb 13, 2009 at 02:02:47PM +0100, Radek Michalski wrote: > I have a question about your last note on Owl-current changes. You wrote > that you dropped DNSSEC support in bind "which is not useful on the Internet > at large yet". Radek is referring to this entry in CHANGES-current: 2009/02/06 Package: bind Dropped DNSSEC support, which is not useful on the Internet at large yet. Those who wish to experiment with DNSSEC at their own risk may set BUILD_OPENSSL to 1 and rebuild the package. > I know that I can enable it if I want, but I'd like to ask > you about fundamental reasons. Why you find it not useful? I don't want to > start any polemic, but I'd like to know your opinion only. I wouldn't say I find DNSSEC "not useful", but the current state of things is that it is "not useful on the Internet at large yet". When discussing this on our internal development list, the following surveys on DNSSEC being (not) ready for use were mentioned: http://epic.org/privacy/dnssec/ http://ccnso.icann.org/surveys/dnssec-survey-report-2007.pdf Basically, DNSSEC is not yet supported on the root nameservers and on major TLDs (there are very few exceptions). When working on Owl, we'd like to focus on code that people actually use. We'd like to be providing timely security updates for security issues that actually matter. By supporting DNSSEC officially, we had to provide timely security updates for any DNSSEC-related issues in BIND as well, even though this hardly mattered to anybody. In fact, this is still the case for Owl 2.0-stable, as we did not drop the feature from the 2.0-stable branch. So the change in Owl-current will sort-of come into effect, potentially saving us time, starting with the next release of Owl. Besides, we have no definitive answer on whether merely including DNSSEC support into BIND at compile time, even if such support is not being made use of by the system's administrator, exposes additional code within BIND (and maybe OpenSSL) to potential attacks or not. Spending our time on auditing (and, if necessary, hardening) BIND's code for that did not appear to be worthwhile, given that DNSSEC might remain sort-of experimental for some years to come. Thus, dropping support of DNSSEC for the lifecycle of the next release of Owl seemed like the right thing to do - and that's what we did. Now, I am curious - does anyone in here actually use DNSSEC? On Owl? Using our pre-built BIND? Thanks again, Alexander Peslyak <solar at openwall.com> GPG key ID: 5B341F15 fp: B3FB 63F4 D7A3 BCCC 6F6E FC55 A2FC 027C 5B34 1F15 http://www.openwall.com - bringing security into open computing environments -- To unsubscribe, e-mail owl-users-unsubscribe@...ts.openwall.com and reply to the automated confirmation request that will be sent to you.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.