Re: [dane] Meeting in Hawaii?
Jens Wagner <jwagner@hexonet.net> Sun, 05 October 2014 21:01 UTC
Message-ID: <5431B1BE.2030008@hexonet.net>
Date: Sun, 05 Oct 2014 23:01:50 +0200
From: Jens Wagner <jwagner@hexonet.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2
MIME-Version: 1.0
To: dane@ietf.org
References: <CAHw9_iLV1uWX2Fg5H9dBaMr=DsrGmyB_BJteP-kBA0MnXCkJ2w@mail.gmail.com> <E36D8CE6-F5E8-4606-950D-430FEAEA3523@kirei.se> <4C36FDC5-12D2-48C1-A3D5-7AA4090E98C8@isoc.org> <20141002233017.GQ13254@mournblade.imrryr.org> <21940.1412298125@sandelman.ca> <20141003021156.GR13254@mournblade.imrryr.org>
In-Reply-To: <20141003021156.GR13254@mournblade.imrryr.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/wsVvi39Vw00AV4aKSxvPDhmF464
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
Hi Viktor, Hi Michael,

> On Thu, Oct 02, 2014 at 09:02:05PM -0400, Michael Richardson wrote:
>> Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
>> > It seems that DNSSEC deployment *is* by far the main obstacle.
>> > Registrars need to support DS RRs and ideally be able to host DNSSEC
>> > domains. Unlike registries looking after one or a handful of
>> > domains, registrars host thousands to millions of domains. One of
>> > the issues raised at the DENIC meeting, is that DNSSEC-capable
>> > nameserver software that scales well to very large zone counts is
>> > by no means abundant. Reportedly only PowerDNS comes close, and
>> > at least some registrars are reluctant to put all the eggs in one
>> > basket and rely on just a single software platform.
>>
>> Is it a question of the signing infrastructure, or the publication
>> infrastructure?
>
> I don't understand the issues in detail. Perhaps Jens Wagner will
> respond.

It's a question of the publication infrastructure.

Right now, PowerDNS is the only (open source) DNS server supporting both
DNSSEC and large zone counts (unlike the typical registry setup, where
you manage a small number of huge zone files).

As a registrar, we allow our customers to add, remove and update DNS
zones, and all those updates get pushed to our publication
infrastructure immediately (~4 seconds delay). Those updates should not
interfere with the resolution of other zones.

Also, to prevent DNS outages caused by attacks and other reasons, we do
not want to rely on a single-vendor solution, so we use MyDNS and
PowerDNS together (both implement database-backed, cached responses).
However, MyDNS never implemented DNSSEC (and is sort of abandoned),
BIND10/Bundy is (was?) not production-ready, and others like YADIFA and
Knot are optimized for TLD operations only.

So our options are:

- run DNS using PowerDNS only (works perfectly, but SPOF)
- implement DNSSEC in MyDNS ourselves
- wait for Bundy (or another product) to become production-ready

Do you have any suggestions?

Best regards,
- jens
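The quoted point that registrars "need to support DS RRs" comes down to one concrete operation: deriving the DS record from the child zone's DNSKEY and checking a DS the customer (or the registry) already holds against it. The following is an added example, not code from this thread, from HEXONET or from PowerDNS; it implements the RFC 4034 key-tag calculation (Appendix B) and the DS digest over the canonical owner name plus DNSKEY RDATA (section 5.1.4), with SHA-256 per RFC 4509. The owner names, the public-key bytes and the DS tuples it operates on are constructed for illustration and are not real keys.

```python
"""Derive DS records from a DNSKEY and verify a published DS against it.

Added example (not from the dane list thread, HEXONET or PowerDNS).
Implements RFC 4034 Appendix B (key tag) and section 5.1.4 (DS digest =
hash(canonical owner name || DNSKEY RDATA)); digest type 2 is SHA-256
(RFC 4509). All names and key material below are constructed.
"""
import base64
import hashlib
import struct

# DS digest types this example understands (RFC 4034 / RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed "public key" bytes shaped like an RSA DNSKEY payload
# (exponent length 3, exponent 65537, 64 filler modulus bytes). Not a real key.
EXAMPLE_PUBKEY = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(64))).decode()


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each
    length-prefixed, terminated by the empty root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey_b64: str, digest_type: int = 2):
    """Return (key_tag, algorithm, digest_type, HEX_DIGEST) for a DS RR."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    h = DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return key_tag(rdata), algorithm, digest_type, h.hexdigest().upper()


def ds_matches(owner: str, flags: int, protocol: int, algorithm: int,
               pubkey_b64: str, ds) -> bool:
    """True if the DS tuple (tag, alg, digest_type, hex) was derived from
    this DNSKEY at this owner name. Unknown digest types never match."""
    tag, alg, dtype, hexd = ds
    if dtype not in DIGEST_ALGS:
        return False
    return make_ds(owner, flags, protocol, algorithm, pubkey_b64, dtype) == \
        (tag, alg, dtype, hexd.upper())


def ds_rr_text(owner: str, ds) -> str:
    """Presentation format of a DS record, as submitted to a parent zone."""
    tag, alg, dtype, hexd = ds
    return f"{owner.rstrip('.')}. IN DS {tag} {alg} {dtype} {hexd}"


if __name__ == "__main__":
    # A constructed KSK (flags 257, protocol 3, RSASHA256 = algorithm 8).
    ds = make_ds("example.com.", 257, 3, 8, EXAMPLE_PUBKEY)
    print(ds_rr_text("example.com.", ds))
    # Same key published as a ZSK (flags 256) yields a different tag/digest,
    # so a DS computed for the KSK must not validate it.
    print(ds_matches("example.com.", 256, 3, 8, EXAMPLE_PUBKEY, ds))
```

The owner name is lowercased before hashing, so a DS computed for `Example.COM.` and one computed for `example.com.` are identical; the check is deliberately strict on everything else (flags, algorithm, owner), because a DS that was generated against a ZSK, or against the wrong zone name, will never match the KSK a validator sees and silently breaks the chain of trust.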