= DNS/管理/ドメイン/sinatra =

Thoughts on the slack.com DNSSEC trouble

This was not so much a failure of DNSSEC management as a failure rooted in an insufficient understanding of DNS, specifically of caching. The zone was validly signed right up to the moment the DS, DNSKEY and RRSIG records were all removed at once; validating resolvers that still held the DS in cache then treated the now-unsigned answers as bogus. In other words, the problem was a lack of basic understanding of DNS.

https://lists.dns-oarc.net/pipermail/dns-operations/2021-October/021367.html

{{{
On 9/30/21 4:30 PM, Viktor Dukhovni wrote:
>> On 30 Sep 2021, at 7:14 pm, Paul Ebersman wrote:
>>
>> Which is actually impeding DNSSEC for domains where outages of DNS
>> instantly cause revenue issues. Knowing you're off the air in a
>> significant part of the world means a good deal of the Alexa 1000 still
>> won't sign their "money" domains.
>
> And yet progress is being made even among these, and many of the
> arguments against are increasingly stale. Of the top 1k domains
> in a recent Tranco snapshot, 88 are signed. Yeah, NTAs are sometimes
> deployed, but sometimes also linger past their use-by, and should be
> avoided as much as possible, and as it becomes increasingly difficult
> to convince everyone to install an NTA the pressure will also be felt
> at the right place.

[snip]

I think part of the issue in this discussion is that the Slack failure
does not appear to be a failure to understand or correctly execute
DNSSEC. It's a failure to understand DNS, and particularly DNS caching.
DNSViz shows a correctly-signed and valid domain at the time that the
DS+DNSKEY+RRSIG records were unceremoniously yanked. So they *were*
doing DNSSEC right, but they decided to make a change, for whatever
reason, and didn't understand the effects of caching in the global
system. A similar shot-to-the-foot could have been accomplished by
changing the NS records to point to entirely new providers/hosts and
immediately shutting down the old NSes.

Yes, DNSSEC really does require a good understanding of caching and
TTLs, but there are other aspects of DNS that require such an
understanding. And I honestly hope I am seriously wrong here, but it
seems like that understanding of one of the fundamentals of DNS was
lacking here.

michael
}}}
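As an added example (not code from the list post, from Slack, or from any real resolver), the toy model below shows why removing the DS, DNSKEY and RRSIG records all at once breaks resolution on every validating resolver that still holds the DS in its cache, while a resolver that never cached the DS (or whose copy has expired) is unaffected, and why removing the DS first and waiting out its TTL before unsigning avoids the outage. The zone name, key id and TTL values are made up; RRSIGs are reduced to "signed with key id N", DS removal at the parent is treated as instantaneous, and negative DS answers are assumed to be cached for the same TTL as positive ones.

```python
"""Toy model of a validating resolver's DS cache during DNSSEC turn-down.

Added example for this page, not code from the dns-operations thread, from
Slack, or from any resolver implementation. Assumptions: the zone name, key
id and TTLs are invented; RRSIGs are modelled as "signed with key id N";
DS removal at the parent takes effect immediately; absent-DS answers are
cached for ds_ttl like positive ones; bogus results are not cached.
"""
from dataclasses import dataclass, field
from typing import Optional

NAME = "example.com."  # made-up zone standing in for the affected domain


@dataclass
class Parent:
    """Parent zone's view of the delegation: a DS record, or none."""
    ds_key_id: Optional[int]
    ds_ttl: int


@dataclass
class Child:
    """Child zone apex: the published DNSKEY and which key signs the answers."""
    dnskey_id: Optional[int]
    rrsig_key_id: Optional[int]


@dataclass
class Resolver:
    """Validating resolver that caches the parent's DS answer (present or
    absent) for ds_ttl seconds and validates against that cached copy."""
    ds_cache: dict = field(default_factory=dict)  # name -> (ds_key_id | None, expires_at)

    def lookup_ds(self, now: int, parent: Parent) -> Optional[int]:
        entry = self.ds_cache.get(NAME)
        if entry is not None and now < entry[1]:
            return entry[0]                       # cache hit: parent is not consulted
        self.ds_cache[NAME] = (parent.ds_key_id, now + parent.ds_ttl)
        return parent.ds_key_id

    def resolve(self, now: int, parent: Parent, child: Child) -> str:
        ds = self.lookup_ds(now, parent)
        if ds is None:
            return "INSECURE"                     # no DS known: unsigned answers are accepted
        # A DS is known, so the chain of trust must validate end to end.
        if child.dnskey_id != ds:
            return "SERVFAIL"                     # DNSKEY gone, or does not match the DS
        if child.rrsig_key_id != child.dnskey_id:
            return "SERVFAIL"                     # answer unsigned, or signed by an unknown key
        return "SECURE"


def signed_zone(ds_ttl: int):
    """A correctly signed delegation: DS at the parent matches the child's DNSKEY."""
    return Parent(ds_key_id=12345, ds_ttl=ds_ttl), Child(dnskey_id=12345, rrsig_key_id=12345)


def abrupt_turndown(ds_ttl: int = 86400) -> dict:
    """Yank DS, DNSKEY and RRSIGs together, one hour after a resolver cached the DS."""
    parent, child = signed_zone(ds_ttl)
    warm, cold = Resolver(), Resolver()
    assert warm.resolve(0, parent, child) == "SECURE"   # warm resolver now holds the DS

    parent.ds_key_id = None                              # t=3600: everything removed at once
    child.dnskey_id = child.rrsig_key_id = None
    return {
        "warm": warm.resolve(3600, parent, child),       # cached DS but no DNSKEY -> SERVFAIL
        "cold": cold.resolve(3600, parent, child),       # never saw the DS -> INSECURE
        "warm_after_ttl": warm.resolve(ds_ttl + 1, parent, child),  # cached DS expired -> INSECURE
    }


def staged_turndown(ds_ttl: int = 86400) -> dict:
    """Remove the DS first, keep the zone signed until every cached DS can
    have expired, and only then drop the DNSKEY and RRSIGs."""
    parent, child = signed_zone(ds_ttl)
    warm = Resolver()
    assert warm.resolve(0, parent, child) == "SECURE"

    parent.ds_key_id = None                               # step 1 (t=3600): DS gone, zone still signed
    after_ds_removed = warm.resolve(3600, parent, child)  # cached DS still validates -> SECURE

    t = 3600 + ds_ttl                                     # step 2: wait one full DS TTL after step 1
    child.dnskey_id = child.rrsig_key_id = None           # now safe to unsign
    after_unsigning = warm.resolve(t, parent, child)      # DS refetched and absent -> INSECURE
    return {"after_ds_removed": after_ds_removed, "after_unsigning": after_unsigning}


if __name__ == "__main__":
    print("abrupt:", abrupt_turndown())
    print("staged:", staged_turndown())
```

The warm/cold split is what makes such an outage look partial from the outside: resolvers that had recently validated the zone fail, resolvers that had not keep working, and the failing set shrinks only as cached DS records age out. In a real turn-down the wait in step 2 must also cover the parent's own propagation delay (registry and registrar updates are not instantaneous) and any negative caching at the parent, so the DS TTL is a lower bound, not the whole delay.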