Re: [DNSOP] CDS/CDNSKEY Deployment

Mark Elkins <mje@posix.co.za> Fri, 14 January 2022 07:39 UTC

To: Moritz Müller <moritz.muller=40sidn.nl@dmarc.ietf.org>, Daniel Stirnimann <daniel.stirnimann@switch.ch>
Cc: Eric Rescorla <ekr@rtfm.com>, dnsop WG <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7rtZkO5XvBB2FaL5nhBNr-Iu0lo>

Hi,

I run/manage the EDU.ZA zone and am a Registrar.
Both systems poll for CDS records.... if I'm not running the DNS for the 
domain (e.g. many of the Registrar domains). I have also given 
presentations on this at the ICANN DNSSEC & Security Workshop - which I 
also assist with.

I poll once a day in the small hours of the night. The systems work 
fine. Job done?

I am though curious as to what Statistics people gather (what people 
think would be useful). I do have log files of events - so could pick up 
various stats over time?

EDU.ZA (a "restricted" zone) CDS/DNSSEC numbers are not big but the zone 
only has about 150 delegations.
Registrar numbers are better but I also offer DNSSEC "instant 
gratification" via a web interface - which my Registrants (& resellers) 
prefer - rather than waiting a few days for the CDS polling to believe 
what it finds.

The system has been great though at picking up Domains hosted with 
Cloudflare - who offer DNSSEC Signing of a domain with a click of a 
button. Not sure if there are other companies on the scale and 
functionality of Cloudflare?


On 1/14/22 9:00 AM, Moritz Müller wrote:
> I’ve supervised an undergraduate student last year, who looked a bit into CDS Deployment [1].
> Though he mostly analysed .ch data as well.
>
> Moritz
>
> [1] http://essay.utwente.nl/86832/1/van%20Beijnum_BA_EEMCS.pdf
>
>
>
>> On 13 Jan 2022, at 14:14, Daniel Stirnimann <daniel.stirnimann@switch.ch> wrote:
>>
>> I meant to say "For 2021 we processed".
>>
>> Still need to get used to typing the new year :-)
>>
>> Daniel
>>
>> On 13.01.22 14:11, Daniel Stirnimann wrote:
>>> Hi Eric,
>>>
>>> Some statistics for .ch/.li which are some of the few TLDs supporting
>>> CDS/CDNSKEY [1].
>>>
>>> For 2020 we processed:
>>>
>>> 189'206  BOOTSTRAP
>>> 518      DELETE
>>> 44'749   ROLLOVER
>>>
>>> Slide 3 [2] contains some more historical numbers. Context about the
>>> number of signed delegations in .ch [3].
>>>
>>> Daniel
>>>
>>> [1] https://github.com/oskar456/cds-updates/
>>> [2] https://68.schedule.icann.org/meetings/EqJCzT5N6kcZhh2TT
>>> [3] https://www.nic.ch/statistics/dnssec/
>>>
>>>
>>> On 13.01.22 04:12, Eric Rescorla wrote:
>>>> Hi folks
>>>>
>>>> Does anyone have stats on the deployment of CDS and/or CDNSKEY? I see
>>>> that Chung et al. report very low deployment in 2017, but maybe things
>>>> have changed?
>>>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
-- 

Mark James ELKINS  -  Posix Systems - (South) Africa
mje@posix.co.za       Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
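
Added example, not part of the original message or of any poster's code: one way a daily CDS poll could sort its results into the BOOTSTRAP / DELETE / ROLLOVER event types counted in the quoted .ch/.li figures, so that log files yield statistics over time. The function names, the NOCHANGE and INVALID labels and the sample data are assumptions; the CDS RRset is assumed to have passed the poller's validation and acceptance checks already.

```python
from collections import Counter

# RFC 8078 delete request: a single CDS with key tag 0, algorithm 0,
# digest type 0 and digest "00".
DELETE_SENTINEL = (0, 0, 0, "00")

def parse_ds(rdata):
    """Turn 'keytag alg digesttype hexdigest' into a comparable tuple."""
    tag, alg, dtype, *digest = rdata.split()
    return (int(tag), int(alg), int(dtype), "".join(digest).upper())

def classify(parent_ds, child_cds):
    """Classify one poll result. Assumes the CDS RRset was already validated."""
    parent = {parse_ds(r) for r in parent_ds}
    child = {parse_ds(r) for r in child_cds}
    if not child or child == parent:
        return "NOCHANGE"
    if DELETE_SENTINEL in child:
        if len(child) > 1:
            return "INVALID"      # sentinel must not be mixed with real CDS
        return "DELETE" if parent else "NOCHANGE"
    return "ROLLOVER" if parent else "BOOTSTRAP"

def tally(polls):
    """Count event types over (domain, parent DS list, child CDS list) tuples."""
    return Counter(classify(ds, cds) for _, ds, cds in polls)

# Constructed sample data: names and (shortened) digests are made up.
POLLS = [
    ("a.example", [], ["12345 13 2 AA11"]),
    ("b.example", ["2222 13 2 BB22"], ["2222 13 2 bb22"]),
    ("c.example", ["3333 8 2 CC33"], ["3333 8 2 CC33", "4444 13 2 DD44"]),
    ("d.example", ["5555 13 2 EE55"], ["0 0 0 00"]),
    ("e.example", [], []),
    ("f.example", ["6666 13 2 FF66"], ["0 0 0 00", "6666 13 2 FF66"]),
]

if __name__ == "__main__":
    for event, count in sorted(tally(POLLS).items()):
        print(f"{count:4d}  {event}")
```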
