Re: DNSSEC architecture vs reality (was: Re: Quic: the elephant in the room)

Michael Thomas <mike@mtcc.com> Mon, 12 April 2021 00:12 UTC

Subject: Re: DNSSEC architecture vs reality (was: Re: Quic: the elephant in the room)
To: ietf@ietf.org
References: <3b25c77d-e721-e86d-6c34-a90039aab0e2@mtcc.com> <CAMm+Lwhi8xwFgZJL7jod2g4urZt_f+dm0tNi+3y1osqOfch2mQ@mail.gmail.com> <3593a01f-73f4-7d03-a85b-dff64a8b070e@mtcc.com> <CABrd9STZXonBDvWB7Z36H2mD20Juubc01TUmEvpfWkvJggQVOQ@mail.gmail.com> <ab6bcbf0-646c-9f2d-5f98-fdc3e9ba27bf@mtcc.com> <CABrd9STEqvgexYKTUdFqn1zu=U2+h92_aDS6rM=8xcwibNJM3A@mail.gmail.com> <YHMc54xe1Mnx2U2y@straasha.imrryr.org> <CABrd9SShpOnSpshnMZSag4ZVp6ic5tURFoH9RzT0WCXDHyxgkA@mail.gmail.com> <YHN5ObR0eqea8Mrc@straasha.imrryr.org> <CABrd9SRdw9baHD5-j9nz4Zv5JjfL35TgaTvS787orEyGxZdKzA@mail.gmail.com> <YHOAzeOj1JaGdmsO@straasha.imrryr.org> <5e91c054-5935-df07-e8ba-09cc78f6c950@network-heretics.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <f053b407-0fc4-37dc-c800-2cf26fe9cbd1@mtcc.com>
Date: Sun, 11 Apr 2021 17:11:54 -0700
In-Reply-To: <5e91c054-5935-df07-e8ba-09cc78f6c950@network-heretics.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/BT_agqPf4Z9CGV2Qu8iHTr2HryU>

On 4/11/21 4:57 PM, Keith Moore wrote:
>
> What's the immediate benefit to the signer from signing one's own 
> RRs?   (Note: if nothing is verifying signatures, the immediate 
> benefit is zero.)

If a major browser vendor started using it to their advantage for faster 
session startup, you're now creating a reason to deploy. DNS manifestly 
works well enough in its "trust but verify" mode with webpki, but if you 
change some external things like speeding up serving up ads, etc., 
hopefully ears will perk up.

Half of the battle with standards is answering the question "why should 
I care" with things that involve $$$.

Mike