Re: snarls in real life

Viktor Dukhovni <> Wed, 21 April 2021 23:47 UTC

Date: Wed, 21 Apr 2021 19:47:24 -0400
From: Viktor Dukhovni <>
Subject: Re: snarls in real life
List-Id: IETF-Discussion <>

On Thu, Apr 22, 2021 at 08:57:12AM +1000, Bron Gondwana wrote:

> Personally, I'm right in there with indictments on DNSSec in general.  I didn't write this, but I stand by it:
> Rob wrote "DNSSEC is fragile and easy to get wrong in subtle ways."  I
> say that DNSSEC is operational poison - it's hard to get right, easy
> to get wrong, and most importantly hard to debug failures when it
> happens - your users aren't going to be able to report the cause.
> It's theoretically good tech, but it clearly isn't getting traction
> and berating those who choose not to use it doesn't help.

This rehashing of stale and outdated strawman DNSSEC-bashing is neither
necessary nor productive.  Your critique of the assumptions about Google
stands on its merits, without needing to disparage the technical

The tools for managing DNSSEC reliably have gotten substantially better
over the years.  Indeed Google has signed a number of its own domains,
including the .goog TLD and hundreds of thousands of customer domains
they're DNS hosting.  Google are having no problems running one of the
largest DNSSEC operations on the planet.  What they have not done, for
various reasons that are not relevant here is sign or, ...  I can make a potentially plausible guess as to why, but
they're not relevant.

> DNSSEC makes things fragile based on the number of big name sites that
> screw it up every year.

Microsoft just had a recent DNS failure without DNSSEC, the major cloud
services have had intermittent outages also unrelated to DNSSEC.  I've
seen no evidence that DNSSEC is particularly more fragile than other
technologies we operate.

> It also makes it much more expensive - DNSSEC is hard to get right and
> hard to keep right.

This is no longer true.  The tools for reliable automated signing and
monitoring thereof have improved substantially.  Only naive seat of
the pants deployments with no monitoring are more fragile.

My domain has been signed since 2014 without any disruptions, with just
a modest monitoring script that has alerted me to pending expiration
(automated re-signing wasn't kicking in) a couple of times, well before
the signatures expired.  The bugs that resulted in resigning not
happening have been fixed for some time, and I don't have to expend any
energy to keep DNSSEC running, it just works.
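As an added illustration of the kind of monitoring described above (example code written for this archive page, not Viktor's script or any existing tool), a stdlib-only Python check that parses RRSIG records in zone presentation format and flags signatures that are expired, not yet valid, or within a warning window, which is the symptom of automated re-signing not kicking in. The zone data below is a constructed sample for a hypothetical zone, not real DNS data.

```python
"""Flag DNSSEC RRSIGs that are close to expiring, so a stalled re-signing job
is noticed well before validating resolvers start returning SERVFAIL."""
from datetime import datetime, timedelta, timezone

# RRSIG presentation format (RFC 4034, section 3.2):
# owner TTL IN RRSIG type-covered alg labels orig-ttl expiration inception keytag signer signature
# Constructed sample records for a hypothetical zone; the signature field is a placeholder.
SAMPLE_RRSIGS = """\
example.test. 3600 IN RRSIG SOA 13 2 3600 20210505120000 20210421120000 12345 example.test. b64sigdata==
example.test. 3600 IN RRSIG NS 13 2 3600 20210423090000 20210409090000 12345 example.test. b64sigdata==
www.example.test. 300 IN RRSIG A 13 3 300 20210601000000 20210418000000 12345 example.test. b64sigdata==
"""


def parse_sigtime(ts: str) -> datetime:
    """Parse a YYYYMMDDHHmmSS RRSIG timestamp (always UTC) into an aware datetime."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text: str) -> list:
    """Return (owner, type_covered, expiration, inception) for each RRSIG line."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 12 or fields[3] != "RRSIG":
            continue  # skip non-RRSIG records and blank lines
        records.append((fields[0], fields[4], parse_sigtime(fields[8]), parse_sigtime(fields[9])))
    return records


def expiring_signatures(zone_text: str, now: datetime, warn_before=timedelta(days=3)) -> list:
    """Return (owner, type, reason) for RRSIGs that are invalid now or expire within warn_before."""
    problems = []
    for owner, rtype, expiration, inception in parse_rrsigs(zone_text):
        if now < inception:
            problems.append((owner, rtype, "not yet valid"))
        elif expiration <= now:
            problems.append((owner, rtype, "expired"))
        elif expiration - now <= warn_before:
            problems.append((owner, rtype, "expires in %s" % (expiration - now)))
    return problems


if __name__ == "__main__":
    for owner, rtype, reason in expiring_signatures(SAMPLE_RRSIGS, datetime.now(timezone.utc)):
        print("WARNING: RRSIG %s/%s %s" % (owner, rtype, reason))
```

The warning window should be longer than the gap between re-signing runs plus the time it takes a human to react, so the alert fires while the old signatures are still valid.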