Re: [dbound] draft-brotman-rdbd

Brian Dickson <> Mon, 01 April 2019 18:18 UTC

From: Brian Dickson <>
Date: Mon, 1 Apr 2019 11:18:43 -0700
Message-ID: <>
To: Stephen Farrell <>
Cc:, "A. Schulze" <>

On Mon, Apr 1, 2019 at 4:42 AM Stephen Farrell <>

> I would entirely agree if DNSSEC deployment were further along.
> However, that is not the case.
> As it happens, for the dozen or so small zones I manage, I have
> deployed DNSSEC and it's been pretty easy once we figured out
> how to automate re-signing and getting DS records to the parent.
> (I've yet to do CDS/CDNSKEY stuff but that should improve it
> some when the parent registry supports it.)
> But I have also spoken to quite a few people who say they cannot
> deploy DNSSEC or who think DNSSEC doesn't offer them enough to
> be worth the costs.

So, just so I understand it, you are saying the deployment of DNSSEC on the
authoritative side is the problem/issue, in terms of scale of deployment,
and in terms of costs and ease of use, reliability, etc.?
Do you see other areas where DNSSEC deployment is problematic? I suspect
resolver validation needs some boosting, but IMHO, once authority use
becomes more common, that should sort itself out.

My observation is that what you are stating (about the authoritative
DNSSEC) is mostly anecdotal.
I'd prefer to be informed by statistical information, if it is available.
Or, I'd like to at least provide information (i.e. existence proofs) on
reliability, ease of use, cost, and scale, that might help make the case
that DNSSEC deployment issues are mostly about communication issues,
awareness, and motivation.

E.g. there are large-scale operators of managed DNS services who offer
DNSSEC at little or no extra cost, trivially easy use, and proven reliability.
This would seem to partly contradict the deployment thing, if the only
thing they need to do is turn it on. (Estimated coverage: 60% of zones.)
There are certainly cases where DNSSEC is incompatible (at least
currently), such as CDNs, geo-ip, potential ANAME (and provider-specific
ANAME-like things currently in use).
But aside from those, the barriers to entry have been lowered considerably,
at least in the managed DNS space.