Re: [DNSOP] Waiting for DNSSEC...

Mukund Sivaraman <> Sat, 03 November 2018 04:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C4094130E06 for <>; Fri, 2 Nov 2018 21:05:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id F5Zumz8bxIEe for <>; Fri, 2 Nov 2018 21:05:10 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 4AAE1128A6E for <>; Fri, 2 Nov 2018 21:05:10 -0700 (PDT)
Received: from naina (unknown [IPv6:2001:67c:370:128:65e9:6894:696:c2e5]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 53C2E32C091A; Sat, 3 Nov 2018 04:05:08 +0000 (UTC)
Date: Sat, 03 Nov 2018 11:05:02 +0700
From: Mukund Sivaraman <>
Message-ID: <20181103040502.GA3562@naina>
References: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <>
Subject: Re: [DNSOP] Waiting for DNSSEC...
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 03 Nov 2018 04:05:13 -0000

On Fri, Nov 02, 2018 at 02:30:15PM -0400, Viktor Dukhovni wrote:
> [ Was: Fundamental ANAME problems
>   Dropped In-Reply-To:, to ensure a new thread. ]
> On Fri, Nov 02, 2018 at 06:28:52PM +0100, Måns Nilsson wrote:
> > > I'll defer to other people, but it seems to me that anything that depends on
> > > recursive DNS servers being updated isn't a realistic solution.  We're still
> > > waiting for DNSSEC, after all.
> > 
> > Be as pessimistic as you like, but in Sweden, more than 80% of the ISP
> > resolvers validate. The DNS can change, at a sometimes glacial speed,
> > but it does change.
> I rather think that updates DNSSEC-capable software are not the
> bottleneck for DNSSEC.  The real bottleneck is disincentives to
> signing in the form of difficult to use tools, and barriers to KSK
> enrollment and rollover at registrars.
> To move DNSSEC adoption higher, CDS/CDNSKEY/... need to be supported
> by most registries and the signing and key rollover tooling needs
> to become less brittle and more user-friendly.
> Updates of ZSKs are still too manual.  For example, BIND's "auto-dnssec
> maintain" should be able to automatically generate new ZSKs on
> master server from time to time, completely without user intervention.

There is a part-protocol part-tooling issue in DNSSEC. A mistake in
configuration (operator) or software bug (developer) is capable of
making validation of answers unusable (DoS) for a long period of time.

* It takes time to diagnose and find out what the issue is that suddenly
  caused domains to be unresolvable. Whether it is a configuration
  error, or if the signing software had a bug.

* Once the error is diagnosed, if it is a implementation bug, the
  operator's hands are effectively tied in doing anything about it for
  some time as they rely on that particular software
  implementation. Such implementation bugs show themselves randomly. By
  that, I mean once there is a working system that has been tested and
  deployed by an operator, signing bugs show up while in use. I can
  point out at least 2 such major signing bugs in the past year.

* Whether an implementation bug or a configuration bug, caching effects
  mean that records in a zone are unresolvable for at least some time
  (unlike with other protocols such as TLS where a fix immediately takes

However automated DNSSEC has become, such all-or-nothing issues are
still present (as of this year). There may be some implementation
changes recommended to react quickly to such problems.

Even though that sounds negative, I think an end-to-end authentication
system like DNSSEC is necessary in today's world of interference. The
success of DNSSEC that can be recognized today is not that it is in
popular use, but that it is available to be used by anyone who wants it.