Re: DNSSEC architecture vs reality

Patrik Fältström <paf@frobbit.se> Tue, 13 April 2021 10:16 UTC

Return-Path: <paf@frobbit.se>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 879C33A00C4 for <ietf@ietfa.amsl.com>; Tue, 13 Apr 2021 03:16:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=frobbit.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ey96kyFwirtn for <ietf@ietfa.amsl.com>; Tue, 13 Apr 2021 03:16:38 -0700 (PDT)
Received: from mail.frobbit.se (mail.frobbit.se [IPv6:2a02:80:3ffe::176]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAAAA3A00C0 for <ietf@ietf.org>; Tue, 13 Apr 2021 03:16:38 -0700 (PDT)
Received: from [169.254.195.253] (unknown [IPv6:2a01:3f0:1:0:685f:6cc1:2698:2250]) by mail.frobbit.se (Postfix) with ESMTPSA id 081CF20151 for <ietf@ietf.org>; Tue, 13 Apr 2021 12:16:31 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=frobbit.se; s=mail; t=1618308991; bh=AC6zoPffY5lr/1xcIvFXkx8gFQElDrLwk0hbkXVECHs=; h=From:To:Subject:Date:In-Reply-To:References:From; b=rV6l+3hgB9pPlfdv3yb0PG+ha/shFBjZ6lrKsJTEFktd+Ldqb66H4gcj70Y2JjGx4 l3xy/CAPIik60+Y2pZYPqdWuaoiUuiSeNqXLfCuPWxHgnCpW8iqG1V/St7dRxcxG7R 4Tf9c46cZCs2FdfLKHc+uzwN0645RuXEKxWOCi3o=
From: "Patrik =?utf-8?b?RsOkbHRzdHLDtm0=?=" <paf@frobbit.se>
To: "The IETF List" <ietf@ietf.org>
Subject: Re: DNSSEC architecture vs reality
Date: Tue, 13 Apr 2021 12:16:29 +0200
X-Mailer: MailMate (1.14r5757)
Message-ID: <82AAE2BE-4286-4F0F-B122-E387577B54BA@frobbit.se>
In-Reply-To: <5DFC979A-7641-49B2-A2F4-81F737790C6D@cisco.com>
References: <YHN5ObR0eqea8Mrc@straasha.imrryr.org> <CABrd9SRdw9baHD5-j9nz4Zv5JjfL35TgaTvS787orEyGxZdKzA@mail.gmail.com> <YHOAzeOj1JaGdmsO@straasha.imrryr.org> <5e91c054-5935-df07-e8ba-09cc78f6c950@network-heretics.com> <YHPSP8Kij2K4v7qQ@straasha.imrryr.org> <82c5fcc6-b419-6efb-b682-b5dbb32905e2@network-heretics.com> <585D8590-472B-4CBC-8292-5BE85521DD76@gmail.com> <a6545baf-b15e-3690-d7b5-be33c4078e02@mtcc.com> <20210412221435.GV9612@localhost> <0755b70e-cc8e-3404-73cd-51950b3d7e53@mtcc.com> <20210412222748.GW9612@localhost> <26BBCA02-AC18-476B-926E-9AC37A7FBBE2@depht.com> <8C8A4B56-6B8C-4D53-965C-07CE636E3FB9@frobbit.se> <5DFC979A-7641-49B2-A2F4-81F737790C6D@cisco.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_343D1ABC-5CAE-4B98-A215-42150D4A3FDC_="; micalg=pgp-sha512; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/3PUnFsvX5Slh46N5v5VTLkXp678>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Apr 2021 10:16:44 -0000

On 13 Apr 2021, at 11:56, Eliot Lear wrote:

> My conclusion: why choose?  Both validation AND signing is a problem, especially if we do not want to encourage market concentration.

Because doing signing is viewed as a cost, and there must be a benefit in doing the signing. This is why validation must come first. The cost is low, and you have to do it in relatively few places (the large access providers). So it is easier to convince them than those who are to start signing zones (which is more work).

   Patrik