Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

Mukund Sivaraman <muks@isc.org> Wed, 16 August 2017 06:49 UTC

Date: Wed, 16 Aug 2017 12:18:55 +0530
From: Mukund Sivaraman <muks@isc.org>
To: Mikael Abrahamsson <swmike@swm.pp.se>
Cc: dnsop <dnsop@ietf.org>
Message-ID: <20170816064855.GB16977@jurassic>
References: <149908054910.760.8140876567010458934.idtracker@ietfa.amsl.com> <CANLjSvU23OPMM=cETxBiV7j8UhMzMd426VuivxAtboMAB0=7jw@mail.gmail.com> <alpine.DEB.2.11.1707031317070.21595@grey.csi.cam.ac.uk> <CANLjSvXE4q9PSEc4txKM4OPKXVpT38N_PC2-fDHmihpk29ahcw@mail.gmail.com> <1197245d-6b9a-3c3b-82a0-dc6a1cc3de58@nic.cz> <CANLjSvVe99q4vtTW0TRopmQ0s9hC8HdMze5B6COs8Y_3unir5w@mail.gmail.com> <CAAiTEH8ntOerB6MGKMS2xcCK3TL9n4fyLq6F+bpUY6oTUpWN8w@mail.gmail.com> <20170816054539.GA12897@jurassic> <alpine.DEB.2.20.1708160816580.3655@uplift.swm.pp.se>
In-Reply-To: <alpine.DEB.2.20.1708160816580.3655@uplift.swm.pp.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/d1sy2iTnZRbJX5ZZB_5rDFOGMuw>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

On Wed, Aug 16, 2017 at 08:21:37AM +0200, Mikael Abrahamsson wrote:
> On Wed, 16 Aug 2017, Mukund Sivaraman wrote:
> 
> > 24 / 500 top domains (4.8%)
> > 20548 / 1 million top domains (2.05%)
> > 
> > (12 years after introduction of 403{3,4,5})
> 
> https://stats.labs.apnic.net/dnssec/XE?o=cXAw1x1g1r1
> 
> 20% of European users are behind a validating resolver, in some countries
> it's 70% plus.
> 
> So this is now happening, albeit at a not high enough pace. But at least
> it's going in the right direction, and I do believe that there are enough
> people behind validating resolvers that people can't mess up signing their
> zone and push away blame on who needs to fix things.
> 
> So at least there is benefit in signing your zone now, there wasn't as much
> before when nobody was validating.

The validating resolver is half of the system.

DNSSEC is brittle. It has an all-or-nothing behavior (that's what it was
designed for) that many businesses cannot afford to bank on if something
were to go wrong. An administrative error or signer software bug on the
authoritative side can take the whole zone down and every service with
it (as DNS is at the head of network activity). Software is still not
perfect, so I don't know how this can change - I still see practical signer
bugs that take down the zone entirely. It's also still painfully
inconvenient to update parent zones, which makes fixing mishaps
difficult. The amount of damage that a break in the DNSSEC validation chain
could do is far greater than with other implementations of crypto such as
TLS, where it is limited to a service.

(Note that I'm not advocating against DNSSEC, as much as this email may
sound so. The things I mention are practical issues that I see as an
implementor.)

A colleague says "If TLDs allowed UPDATE messages to be processed, most
of the issues with DNSSEC would go away. At the moment we have a whole
series of kludges because people are scared of signed update messages."

		Mukund
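The failure mode Mukund describes, a DS set at the parent that no longer matches any DNSKEY in the child, is easy to check for before and after a rollover. The following is an added example, not code from the thread or from ISC/BIND: it computes DS records (key tag per RFC 4034 Appendix B, digest over the canonical owner name plus DNSKEY RDATA) from a child's DNSKEY RRset and compares them with the DS records the parent publishes, reporting stale DS records that would make the delegation bogus. The zone name `example.test`, the function names, and the key bytes are all constructed placeholders; the "keys" are not real RSA keys and the script does not verify any signatures, only the DS-to-DNSKEY link that is so painful to fix at the parent.

```python
# Added example (not from the mailing-list post): check that the DS records a
# parent publishes for a delegation correspond to keys in the child's DNSKEY
# RRset, and flag stale DS records left behind by a rollover.
# Key material below is constructed placeholder bytes, not a real key.
import base64
import hashlib
import struct

SEP_FLAG = 0x0001  # Secure Entry Point bit, set on KSKs (flags 257)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name, RFC 4034 s6.2."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskey(line: str):
    """Parse 'owner TTL IN DNSKEY flags proto alg base64...' into (owner, flags, rdata)."""
    f = line.split()
    if "DNSKEY" not in f:
        raise ValueError("not a DNSKEY record: " + line)
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    pubkey = base64.b64decode("".join(f[i + 4:]))
    return f[0], flags, struct.pack("!HBB", flags, proto, alg) + pubkey


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2):
    """DS RDATA tuple (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    if digest_type not in DIGEST_ALGS:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def check_delegation(child_dnskeys, parent_ds):
    """Compare the parent's DS set with the child's DNSKEY RRset.

    Returns (ok, matched, stale). ok is True only if at least one parent DS
    refers to a key actually present in the child; stale lists DS records that
    match no child key, which is the state that makes validating resolvers
    treat the whole zone as bogus. (Validators ignore the SEP bit, so a DS
    pointing at a ZSK still counts as matched here.)
    """
    child = {}
    for line in child_dnskeys:
        owner, flags, rdata = parse_dnskey(line)
        for dt in DIGEST_ALGS:
            child[ds_from_dnskey(owner, rdata, dt)] = flags
    matched = [ds for ds in parent_ds if ds in child]
    stale = [ds for ds in parent_ds if ds not in child]
    return bool(matched), matched, stale


# Constructed key material: not real RSA keys, just bytes in the right slot.
_FAKE_KSK = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(256))).decode()
_FAKE_ZSK = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(255, -1, -1))).decode()
CHILD_DNSKEYS = [
    "example.test. 3600 IN DNSKEY 257 3 8 " + _FAKE_KSK,
    "example.test. 3600 IN DNSKEY 256 3 8 " + _FAKE_ZSK,
]


def demo():
    """Healthy delegation versus one where only a stale DS survives at the parent."""
    owner, _, ksk_rdata = parse_dnskey(CHILD_DNSKEYS[0])
    good_ds = ds_from_dnskey(owner, ksk_rdata, 2)
    # A DS published for a previous KSK and never withdrawn (constructed value).
    stale_ds = (12345, 8, 2, "00" * 32)
    healthy = check_delegation(CHILD_DNSKEYS, [good_ds])
    broken = check_delegation(CHILD_DNSKEYS, [stale_ds])
    return good_ds, healthy, broken


if __name__ == "__main__":
    for label, result in zip(("DS", "healthy", "stale-only"), demo()):
        print(label, result)
```

In practice one feeds `check_delegation` the DNSKEY RRset served by the child's authoritative servers and the DS RRset served by the parent's, and runs it both before removing an old KSK and after the registry has applied a DS change; a non-empty `stale` list at the parent, or `ok` false, is the condition to stop on.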