Hey Paul, Have been away from the desk for motorcycle and helicopter reasons...
On 16 Oct 2024, at 1:50 AM, Paul Ebersman <list-rssac@dragon.net> wrote:
terry> I'll take that as a question to investigate..
Seeing if resolver operators are finally past the FUD would be interesting. My guess is that the trailing edge are enterprises/orgs (along with USG/DOD), rather than the large recursive farms or ISPs. The latter mostly have bought into validation.
Another interesting question to me is if the growth of mobile devices has made any change in what mobile providers are doing in terms of DNSSEC validation.
Agreed on both of the above... all of that speaks, "in my opinion" to the "why" of why we are now "still" discussing effects of ossification.
As for old software, based on my time doing tech support for BIND (when BIND8 was already deprecated but BIND4 was not uncommon enough) and at a large ISP, where the number of 10+ year old versions of DNSMASQ on routers was way too high, I think we all know how long old cruft still sticks around. We're still seeing A6 queries at the root, aren't we? :)
So that is, IMO, that we as an industry never versioned DNS (as a protocol set .... - yep, I have a part of the blame from being on the IESG) that allowed the industry to specify a version of "specification". Personally, Postel's mantra of "Be conservative in what you do, be liberal in what you accept from others" has in part created this problem; we never actually do that with the Infosec term of "CIA" (not the USA's intel org) .. But that's a beer discussion.
T.