Re: [DNSOP] How Slack didn't turn on DNSSEC

Paul Vixie <paul@redbarn.org> Wed, 01 December 2021 21:19 UTC

To: dnsop@ietf.org
References: <20211130183809.04E8230CA390@ary.qy> <3F49C6AE-D270-4EF5-996B-26B808753350@dukhovni.org> <20211201184909.32rsf3aopxpedh2j@crankycanuck.ca> <D6858547-9D32-4990-807F-01C22F2B8B3C@rfc1035.com> <E6A484B5-4276-4CA6-B441-43A8AD4D36AA@dukhovni.org>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <dc10891c-8e4e-31bd-bab1-57ae36c2b3d9@redbarn.org>
Date: Wed, 01 Dec 2021 13:19:05 -0800
In-Reply-To: <E6A484B5-4276-4CA6-B441-43A8AD4D36AA@dukhovni.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/u1Lilg5ALiB97o9SdF1rJ-tf2OY>
Subject: Re: [DNSOP] How Slack didn't turn on DNSSEC


Viktor Dukhovni wrote on 2021-12-01 13:06:
>> ...
> 
> ...
> 
> But I also don't agree with Paul that one needs to be an expert to play
> the game.  Tools are improving, and spinning up working DNSSEC with Knot,
> BIND 9.16+, ... is increasingly easier.
> 
> ...
with DNSSEC For Humans, we (ISC, at the time) made BIND9 as automatic and as user-friendly as could be done with regard to DNSSEC operations. other implementations did likewise, especially including OpenDNSSEC.

and if you're an enterprise or hobbyist, that's quite good enough (no wizards are needed).

but if you're Slack or similar (cloud provider, ISP, MSSP, social network, xAAS provider), no automation will ever be good enough by itself (wizards will be needed).

vixie

-- 
Sent from Postbox