[DNSOP] Fwd: [Ext] DNSSEC Strict Mode

Ulrich Wisser <ulrich@wisser.se> Mon, 01 March 2021 13:30 UTC

Return-Path: <ulrich@wisser.se>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id D0C513A1C1F for <dnsop@ietfa.amsl.com>; Mon, 1 Mar 2021 05:30:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wisser.se
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id tqavNH7Air4t for <dnsop@ietfa.amsl.com>; Mon, 1 Mar 2021 05:30:07 -0800 (PST)
Received: from mout-p-102.mailbox.org (mout-p-102.mailbox.org [IPv6:2001:67c:2050::465:102]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4F073A1C1D for <DNSOP@ietf.org>; Mon, 1 Mar 2021 05:30:06 -0800 (PST)
Received: from smtp2.mailbox.org (smtp2.mailbox.org [IPv6:2001:67c:2050:105:465:1:2:0]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-102.mailbox.org (Postfix) with ESMTPS id 4Dq1Mv00fnzQlZc for <DNSOP@ietf.org>; Mon, 1 Mar 2021 14:30:03 +0100 (CET)
X-Virus-Scanned: amavisd-new at heinlein-support.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wisser.se; s=MBO0001; t=1614605400; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: references:references; bh=ow9tPyCVld6WYDWEaXfp/dZYACBRdxNc0YUnNAqjuXE=; b=v7Ns+M/K6c3M2uvIYLESVNKT688P1OoH8hl776o+CZZVwyZcD/PD4lbTSJYMHwVw0z+2oa CORrPE0k5pi39Hp79zxYFAh27iFV4Cc2BT1ZTGy0NjD0MZkHjVmEn0+O2IYhaOMyB77vm4 v4DfdItI2RBXkxWCpU1cRDgnFIdI+BCQbe4ilqNQJiYvYjmBDrd2daZ9ACHKiE7Dnw0K+5 0Zm95kZzvQ30GKkOYgAC9aA8+5YJM2Yj3iG4tsPx5VJCPYgR3fsoR6qvr74yPqWOmxlylK 4bUkuBIYFxgEQuG0Qka4c7XcHncMpbYHjU0E0pQuLyLriE0pydSR9oR1qfq2Xg==
Received: from smtp2.mailbox.org ([]) by hefe.heinlein-support.de (hefe.heinlein-support.de []) (amavisd-new, port 10030) with ESMTP id Py-kaM3Dfm1Q for <DNSOP@ietf.org>; Mon, 1 Mar 2021 14:29:58 +0100 (CET)
From: Ulrich Wisser <ulrich@wisser.se>
Content-Type: multipart/alternative; boundary="Apple-Mail=_FCC41723-F066-4D86-A5FC-C0D4AB8CC4E5"
Mime-Version: 1.0
Message-Id: <789EBF89-24CC-452A-A1D0-AE5583D6A476@wisser.se>
References: <4C3B1EF7-D37F-40D4-9C39-70FADF2B71CC@wisser.se>
To: dnsop <DNSOP@ietf.org>
Date: Mon, 1 Mar 2021 14:29:55 +0100
X-MBO-SPAM-Probability: *
X-Rspamd-Score: 1.05 / 15.00 / 15.00
X-Rspamd-Queue-Id: D9A7017BD
X-Rspamd-UID: 439e42
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/RO-DtY-ofT3A7S7Bd2Ws2whsFto>
Subject: [DNSOP] Fwd: [Ext] DNSSEC Strict Mode
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2021 13:30:10 -0000

In the .se zone dnssec penetration is quite high (approx. 50%). And validation is high in Sweden too, all major ISPs validate.
Government agencies and government owned companies in Sweden are required to sign their zones. Not all do it - yet, but we are working on it.
Our goal is to drive .se to become 100% signed. 

100% signed would mean unsigned zones do not get delegated, going insecure is no longer an option.
I would like the protocol to be able to handle that case. 

The “easy” solution is to require lax-validation. It doesn’t make a zone less secure and allows to transfer zones between operators using different algorithms.


>> On 1 Mar 2021, at 14:14, Joe Abley <jabley@hopcount.ca <mailto:jabley@hopcount.ca>> wrote:
>> Hi Ulrich,
>> On Mar 1, 2021, at 05:43, Ulrich Wisser <ulrich@wisser.se <mailto:ulrich@wisser.se>> wrote:
>>> On 25 Feb 2021, at 16:11, Joe Abley <jabley@hopcount.ca <mailto:jabley@hopcount.ca>> wrote:
>>>> On Feb 25, 2021, at 06:53, Ulrich Wisser <ulrich=40wisser.se@dmarc.ietf.org <mailto:ulrich=40wisser.se@dmarc.ietf.org>> wrote:
>>>>> But this is a real world problem, one that is holding DNSSEC back.
>>>>> If you buy DNS operations the operator will usually tell you what algorithm they use, you have no choice in that.
>>>> This feels like one of those areas where more specificity is needed. "DNS operations" is is over-broad; what you mean, I think, is "if you outsource zone-signing". If you sign yourself and distribute your zone to external DNS operators then you can add and drop vendors without worrying about key rollovers, for example.
>>> Ok, I can be more specific. 
>>> As a small business owner you have no way to move your hosting company to change their DNSSEC configuration. (Besides that you most probably have no idea that it exists.) You should be able to switch hosting providers without thinking about security, a secure transition should be guaranteed by the hosting companies, who can only do it if it is enabled by the protocol.
>> Even this really requires more specificity. What is a "hosting company"?
>> I think a lot of the problems we face with these kinds of scenarios is that various functionally-overlapping industries have sprung up without DNSSEC being much more than an afterthought in the way that products are structured and sold. It's perhaps unremarkable that the mechanics of offering these services are not a great fit.
>> We can try harder and harder to shoe-horn DNSSEC into products that don't easily accommodate it, for sure. However, there's an attendant risk that by doing so all we really achieve is making DNSSEC more operationally complex than it already is, and I think there's an argument that such an outcome would not make it easier to deploy.
>>> As a larger entity you might have compliance requirements for dnssec.
>> [As an entity large enough to pay significant fees for enterprise DNS service, the reality today is that you probably don't use DNSSEC at all.]
>>>> DNSSEC is normally part of a layered set of defences. In such an architecture relaxing one layer for a period in order to fix a problem or avoid a more complicated transition can be a perfectly acceptable answer. Going insecure for a short period in that context is not necessarily a cop-out; it could well be smart thinking.
>>> I totally disagree. When has switching off security ever been a smart option?
>> If security was the only consideration, then nobody would connect anything to a network in the first place.
>>> It is only considered smart because the process of moving is so complex and error prone. 
>>> And that is a “feature” of the protocol design. It’s not a law of nature.
>>> We could change the design to allow for secure transfer.
>> ... and by doing so we could increase the complexity somewhere else.
>> I'm really just pushing back on the idea that going insecure for a planned, controlled period of time is necessarily a terrible idea. I often see these kinds of reactions from people seeing particular security measures as binary options, instead of taking a more holistic and risk-based approach, which is why my knee is jerking (I'm not suggesting that you are one of them).
>> If I rely upon a DNS vendor to sign my zone and I want to change vendors for some business reason, being able to switch easily at the cost of going insecure for 6 hours might be a much better answer than not being able to switch at all, or even having the cost of switching amplified by 100 person-hours of planning, or dealing with the risk of going dark to users downstream of when it turns out that the change triggers another corner-case in Google's code base.
>> To the end-user, I can see why having a protocol element designed to make this easier and avoid the practical need to go insecure seems highly attractive, but we're really just shifting the cost of dealing with what might very well be a somewhat rare corner case to the developers, operators and users of every DNS server that supports DNSSEC. Even if the costs are low in the latter case, I think it's reasonable to say they are non-zero and universal, which means they might not be so low in aggregate.
>> In this context, the determination of what is smart and what is silly seems a little more grey to me than your message ("totally") suggests.
>> Joe