Re: [dbound] draft-brotman-rdbd

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 01 April 2019 21:25 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dbound@ietfa.amsl.com
Delivered-To: dbound@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAA14120114 for <dbound@ietfa.amsl.com>; Mon, 1 Apr 2019 14:25:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a9m96OgIzjdG for <dbound@ietfa.amsl.com>; Mon, 1 Apr 2019 14:25:37 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 701A012000E for <dbound@ietf.org>; Mon, 1 Apr 2019 14:25:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 6BD56BE24; Mon, 1 Apr 2019 22:25:35 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s_XVUEULceip; Mon, 1 Apr 2019 22:25:33 +0100 (IST)
Received: from [10.244.2.138] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 2CA6BBE20; Mon, 1 Apr 2019 22:25:33 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1554153933; bh=UWdwq/kJ1M16LGVsTMS7EPNjacLsbmrbxOZssunoAe4=; h=To:Cc:References:From:Subject:Date:In-Reply-To:From; b=3Uiq7PBn8IYM+7yLayBZY5rDIdgGO21cHhi1B3/wKOYlD+KBCbf+l0lz1Js8KoYf9 9iJ0KuP+LlrNZC9UtLn8XrrTyX9i47AGqv2Jj2q4NhgcTAF1uheMlpMJMqwa175d76 cJsGFsoEqZmQQNbHPx7Hpz/3V0QI5AUYqxSV5PJw=
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: dbound@ietf.org, "A. Schulze" <sca@andreasschulze.de>
References: <f6862326-40e1-d804-cefe-e63c79a0534d@andreasschulze.de> <7d34857c-a99b-389a-90e5-2e4fe6f4e736@cs.tcd.ie> <CAH1iCipco+0Wvb1kpZ-S3EQYdsYywZzQo+sEeLikNZjMwMYMgg@mail.gmail.com> <cb41ecd0-c48d-b204-7ab1-f59ff330bda3@cs.tcd.ie> <CAH1iCipAKjioXGtvLe2==drXZpBp3LpDzQYNJPKGbGSo_5N2VA@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <4561e898-4446-c4bd-75d8-1c49a75184ad@cs.tcd.ie>
Date: Mon, 1 Apr 2019 22:25:32 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <CAH1iCipAKjioXGtvLe2==drXZpBp3LpDzQYNJPKGbGSo_5N2VA@mail.gmail.com>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="Iv9auoZex6k7MBl2849KNRxIdLNxFEyc7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dbound/lOKljUvvCRhOwFRbUVSUp3-YFIk>
Subject: Re: [dbound] draft-brotman-rdbd
X-BeenThere: dbound@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS tree bounds <dbound.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dbound>, <mailto:dbound-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dbound/>
List-Post: <mailto:dbound@ietf.org>
List-Help: <mailto:dbound-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dbound>, <mailto:dbound-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2019 21:25:41 -0000

Hiya,

On 01/04/2019 19:18, Brian Dickson wrote:
> On Mon, Apr 1, 2019 at 4:42 AM Stephen Farrell <stephen.farrell@cs.tcd.ie>;
> wrote:
> 
>>
>>
>> I would entirely agree if DNSSEC deployment were further along.
>> However, that is not the case.
>>
>> As it happens, for the dozen or so small zones I manage, I have
>> deployed DNSSEC and it's been pretty easy once we figured out
>> how to automate re-signing and getting DS records to the parent.
>> (I've yet to do CDS/CDNSKEY stuff but that should improve it
>> some when the parent registry supports it.)
>>
>> But I have also spoken to quite a few people who say they cannot
>> deploy DNSSEC or who think DNSSEC doesn't offer them enough to
>> be worth the costs.
>>
> 
> So, just so I understand it, you are saying the deployment of DNSSEC on the
> authoritative side is the problem/issue, in terms of scale of deployment,
> and in terms of costs and ease of user, reliability, etc?
> Do you see other areas where DNSSEC deployment is problematic? I suspect
> resolver validation needs some boosting, but IMHO, once authority use
> becomes more common, that should sort itself out.

Seems a bit of a side-issue for this discussion but happy to
discuss off-list. (I do think launching into each of our ideas
as to what's good or bad about DNSSEC would be distracting
here and more on-topic e.g. for dnsop and not this list.)

> 
> My observation is that what you are stating (about the authoritative
> DNSSEC) is mostly anecdotal.

Sadly not.

[1] seems to show that <1% of .com 2lds are signed and barely
more than 1% of .net 2lds.

[2] provides a bit of a basis for limited optimism but still
shows around about 1 million signed 2lds despite some ccTLDs
offering small financial incentives to those who sign.

A 2018 peer-reviewed paper [3] ([4] for non-paywall) including
Roland Van Rijswijk-Deij as an author (whom I at least would
trust on this) says that "The security extensions to the DNS
(DNSSEC) currently cover approximately 3% of all domains
worldwide." (Which I guess can be consistent with the above
given depth inside signed zones.)

FWIW my general position is that we ought be making DNSSEC
easier to use where we can, and we should encourage deployment
but we cannot really make it a dependency for pretty much any
new protocol, or that new protocol will be extremely constrained
in where it can be deployed. (The optional RDBD signature
mechanism is consistent with that, in that it kinda tries to
spread the benefits of DNSSEC to an RR from the related domain,
if the relating domain is DNSSEC signed but the related domain
is not.)

Cheers,
S.

[1] https://www.statdns.com/
[2] https://stats.dnssec-tools.org/
[3] https://ieeexplore.ieee.org/abstract/document/8406223/
[4]
https://research.tue.nl/en/publications/economic-incentives-on-dnssec-deployment-time-to-move-from-quanti

> I'd prefer to be informed by statistical information, if it is available.
> Or, I'd like to at least provide information (i.e. existence proofs) on
> reliability, ease of use, cost, and scale, that might help make the case
> that DNSSEC deployment issues are mostly about communication issues,
> awareness, and motivation.
> 
> E.g. There are large-scale operators of managed DNS services who offer
> DNSSEC at little or no extra cost, trivially easy use, proven reliability,
> etc.
> This would seem to partly contradict the deployment thing, if the only
> thing they need to do is turn it on. (Estimated coverage: 60% of zones.)
> There are certainly cases where DNSSEC is incompatible (at least
> currently), such as CDNs, geo-ip, potential ANAME (and provider-specific
> ANAME-like things currently in use).
> But aside from those, the barriers to entry have been lowered considerably,
> at least in the managed DNS space.
> 
> Brian
>