Re: [DNSOP] CDS/CDNSKEY Deployment

Nils Wisiol <nils@desec.io> Fri, 14 January 2022 10:01 UTC

From: Nils Wisiol <nils@desec.io>
To: Moritz Müller <moritz.muller=40sidn.nl@dmarc.ietf.org>, Daniel Stirnimann <daniel.stirnimann@switch.ch>
Cc: Eric Rescorla <ekr@rtfm.com>, dnsop WG <dnsop@ietf.org>
Date: Fri, 14 Jan 2022 11:00:52 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TnaZ-lBrKC8FuoLBJJWHqkZF9Tg>

At desec.io, we automatically sign and deploy CDS/CDNSKEY records for
all zones. Still, of all zones delegated to our name servers, only 53%
are securely delegated. This breaks down into 94% securely delegated
for TLDs that use CDS/CDNSKEY bootstrapping (AFAIK, .ch, .cr, .cz, .li,
.nu, .se, .sk) and 52% for other TLDs.

(Above statistics do not include zones from our own public suffix
dedyn.io, which are automatically securely delegated. Also, some rare
edge cases may not be properly counted.)

Best,
Nils

On Fri, 2022-01-14 at 08:00 +0100, Moritz Müller wrote:
> I’ve supervised an undergraduate student last year, who looked a bit
> into CDS Deployment [1].
> Though he mostly analysed .ch data as well.
> 
> Moritz
> 
> [1] http://essay.utwente.nl/86832/1/van%20Beijnum_BA_EEMCS.pdf
> 
> 
> 
> > On 13 Jan 2022, at 14:14, Daniel Stirnimann <daniel.stirnimann@switch.ch> wrote:
> > 
> > I meant to say "For 2021 we processed".
> > 
> > Still need to get used to typing the new year :-)
> > 
> > Daniel
> > 
> > On 13.01.22 14:11, Daniel Stirnimann wrote:
> > > Hi Eric,
> > > 
> > > Some statistics for .ch/.li which are some of the few TLDs supporting
> > > CDS/CDNSKEY [1].
> > > 
> > > For 2020 we processed:
> > > 
> > > 189'206  BOOTSTRAP
> > > 518      DELETE
> > > 44'749   ROLLOVER
> > > 
> > > Slide 3 [2] contains some more historical numbers. Context about the
> > > number of signed delegations in .ch [3].
> > > 
> > > Daniel
> > > 
> > > [1] https://github.com/oskar456/cds-updates/
> > > [2] https://68.schedule.icann.org/meetings/EqJCzT5N6kcZhh2TT
> > > [3] https://www.nic.ch/statistics/dnssec/
> > > 
> > > 
> > > On 13.01.22 04:12, Eric Rescorla wrote:
> > > > Hi folks
> > > > 
> > > > Does anyone have stats on the deployment of CDS and/or CDNSKEY? I see
> > > > that Chung et al. report very low deployment in 2017, but maybe things
> > > > have changed?
> > > > 
> > 
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
-- 
deSEC e.V. · Kyffhäuserstr. 5 · 10781 Berlin · Germany

Chair of the Board: Nils Wisiol
Register court: AG Berlin (Charlottenburg) VR 37525