Re: [DNSOP] Waiting for DNSSEC...
Mukund Sivaraman <muks@mukund.org> Sat, 03 November 2018 04:05 UTC
Return-Path: <muks@mukund.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4094130E06 for <dnsop@ietfa.amsl.com>; Fri, 2 Nov 2018 21:05:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F5Zumz8bxIEe for <dnsop@ietfa.amsl.com>; Fri, 2 Nov 2018 21:05:10 -0700 (PDT)
Received: from mail.banu.com (mail.banu.com [46.4.129.225]) by ietfa.amsl.com (Postfix) with ESMTP id 4AAE1128A6E for <dnsop@ietf.org>; Fri, 2 Nov 2018 21:05:10 -0700 (PDT)
Received: from naina (unknown [IPv6:2001:67c:370:128:65e9:6894:696:c2e5]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.banu.com (Postfix) with ESMTPSA id 53C2E32C091A; Sat, 3 Nov 2018 04:05:08 +0000 (UTC)
Date: Sat, 03 Nov 2018 11:05:02 +0700
From: Mukund Sivaraman <muks@mukund.org>
To: dnsop@ietf.org
Message-ID: <20181103040502.GA3562@naina>
References: <20181102183015.GH4122@straasha.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20181102183015.GH4122@straasha.imrryr.org>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Vc41DmVA9xGRn8y1Jp24IMCqwjM>
Subject: Re: [DNSOP] Waiting for DNSSEC...
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Nov 2018 04:05:13 -0000
On Fri, Nov 02, 2018 at 02:30:15PM -0400, Viktor Dukhovni wrote: > [ Was: Fundamental ANAME problems > Dropped In-Reply-To:, to ensure a new thread. ] > > On Fri, Nov 02, 2018 at 06:28:52PM +0100, Måns Nilsson wrote: > > > > I'll defer to other people, but it seems to me that anything that depends on > > > recursive DNS servers being updated isn't a realistic solution. We're still > > > waiting for DNSSEC, after all. > > > > Be as pessimistic as you like, but in Sweden, more than 80% of the ISP > > resolvers validate. The DNS can change, at a sometimes glacial speed, > > but it does change. > > I rather think that updates DNSSEC-capable software are not the > bottleneck for DNSSEC. The real bottleneck is disincentives to > signing in the form of difficult to use tools, and barriers to KSK > enrollment and rollover at registrars. > > To move DNSSEC adoption higher, CDS/CDNSKEY/... need to be supported > by most registries and the signing and key rollover tooling needs > to become less brittle and more user-friendly. > > Updates of ZSKs are still too manual. For example, BIND's "auto-dnssec > maintain" should be able to automatically generate new ZSKs on > master server from time to time, completely without user intervention. There is a part-protocol part-tooling issue in DNSSEC. A mistake in configuration (operator) or software bug (developer) is capable of making validation of answers unusable (DoS) for a long period of time. * It takes time to diagnose and find out what the issue is that suddenly caused domains to be unresolvable. Whether it is a configuration error, or if the signing software had a bug. * Once the error is diagnosed, if it is a implementation bug, the operator's hands are effectively tied in doing anything about it for some time as they rely on that particular software implementation. Such implementation bugs show themselves randomly. By that, I mean once there is a working system that has been tested and deployed by an operator, signing bugs show up while in use. I can point out at least 2 such major signing bugs in the past year. * Whether an implementation bug or a configuration bug, caching effects mean that records in a zone are unresolvable for at least some time (unlike with other protocols such as TLS where a fix immediately takes effect). However automated DNSSEC has become, such all-or-nothing issues are still present (as of this year). There may be some implementation changes recommended to react quickly to such problems. Even though that sounds negative, I think an end-to-end authentication system like DNSSEC is necessary in today's world of interference. The success of DNSSEC that can be recognized today is not that it is in popular use, but that it is available to be used by anyone who wants it. Mukund
- [DNSOP] Waiting for DNSSEC... Viktor Dukhovni
- Re: [DNSOP] Waiting for DNSSEC... Mukund Sivaraman
- Re: [DNSOP] Waiting for DNSSEC... Tony Finch
- Re: [DNSOP] Waiting for DNSSEC... Petr Špaček