Re: snarls in real life

Bron Gondwana <brong@fastmailteam.com> Thu, 22 April 2021 00:01 UTC

Return-Path: <brong@fastmailteam.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3AA43A3C30 for <ietf@ietfa.amsl.com>; Wed, 21 Apr 2021 17:01:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmailteam.com header.b=gPUZbE2F; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=tmI87QLK
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 39btuypUhEZF for <ietf@ietfa.amsl.com>; Wed, 21 Apr 2021 17:01:26 -0700 (PDT)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0FDD3A3C27 for <ietf@ietf.org>; Wed, 21 Apr 2021 17:01:26 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.west.internal (Postfix) with ESMTP id B0ADB10C7 for <ietf@ietf.org>; Wed, 21 Apr 2021 20:01:19 -0400 (EDT)
Received: from imap42 ([10.202.2.92]) by compute2.internal (MEProxy); Wed, 21 Apr 2021 20:01:19 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= fastmailteam.com; h=mime-version:message-id:in-reply-to :references:date:from:to:subject:content-type; s=fm2; bh=M27EGuS 3T/pefnPvQIRB7vZtfNSkDAsxkbTRUj4bLME=; b=gPUZbE2FkRjo6NHECYST453 A98FX9pxNoMkJH9BVo/nIRTa10+GFJJ4y0j+BHaHp26laXXHTAnLfiIDUpmKBgmr /eZYitsDoup5SuY8v4wzp0sUL9L4BB/ohgSiQh3tvJXAaDjjaR7gCZihQl2F38iC CRGaIP7hrWqvldS0fW6Rb9OQr78cbOvs0UPFfAHwRYzaEOmQZ7Q4vt4wJ1wdVV4o vomcY/B1z4Vx1uapGq2GHzgivc0UxyykQV/Lqnj83Uq5C1qRD9UX8Qlf+1d78mvw p29ZZdD4CRNqtee13zZ+OK1c3zjKZRFbCiEGOBthDFJ8UNfZXN17gPPqf50H+fQ= =
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=M27EGu S3T/pefnPvQIRB7vZtfNSkDAsxkbTRUj4bLME=; b=tmI87QLKeO9Fxjn8ORAtIZ pB/986blAmI/Mz27gW9U118lYfIpsJbVhudqmfANZRw3tE/AVQM0Xf4ekteqyqwu fxOUHNpH6OPlOrhTDZ1pr3hf4U644j3RsF/Hl78YvZnxzDm42G7dV/VYoBytsols P4i4uly6wW7IlJW4dyGkSIfmVFL7qtEOycA9MOzb/VurjQNmYX1oUGVoj8dvGFXG vdGbth4BmrmWMaEde6Q7+ZBp0yb5wnLKJEyYSRPnzwxlsAZUeO+3ounvGMXhyH6F ojpIeEp8PmLrDsYnhCAiHxK4jiK4LEA3hUK91wqv37gsU+F0M3J36o1nBLhD5U5A ==
X-ME-Sender: <xms:z7yAYN2BMy60lJ6UeteCZEXa_1zyvEGbO-GJTUmfpjAk1VyYdyQ6nQ> <xme:z7yAYEH1TJiFZ2KpIIS_S6rar4-CnemYlUsFmmICp5vTLWVyz9GfDNRLwQx1-YZU7 aAu1bpObH4>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrvddtledgvdekucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsegrtd erreerredtnecuhfhrohhmpedfuehrohhnucfiohhnugifrghnrgdfuceosghrohhnghes fhgrshhtmhgrihhlthgvrghmrdgtohhmqeenucggtffrrghtthgvrhhnpeevkedtiefhke efgeeiudevudethffgjefftdehhfeuieekleehffdvkeekvdekveenucffohhmrghinhep nhgrnhhoghdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrih hlfhhrohhmpegsrhhonhhgsehfrghsthhmrghilhhtvggrmhdrtghomh
X-ME-Proxy: <xmx:z7yAYN4qaWpFT-4piQOHFQ0cZ06rQHyorCl6ZXGVWj2crb1BVuj-_A> <xmx:z7yAYK0g1hjl-TqLmTrpnVmVtxmfHKivw2U2ry1S6z6a9zq5k9XY6g> <xmx:z7yAYAEcR1ZV7S-bWmI7289CJT7gC2CBHB1Qu5QCfCqxxQhbi16NPA> <xmx:z7yAYERrjYbK3E_7qpAf-oO3LC7Nh8voJz7NnhphAoCUAAek4bRx6A>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 19B09310005D; Wed, 21 Apr 2021 20:01:19 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-625-g0392165453-fm-ubox-20210419.003-g03921654
Mime-Version: 1.0
Message-Id: <efacee7c-bb7d-4861-9037-4c122d3e28ca@dogfood.fastmail.com>
In-Reply-To: <YIC5jFjv/Q7ehujw@straasha.imrryr.org>
References: <93fedaa0-5ad0-dcc0-ff01-43b8e1c97989@mtcc.com> <19f2b2e1-6365-480a-86f2-111377cac2de@www.fastmail.com> <7c77e401-4703-3921-d15d-6d69b74df488@mtcc.com> <914f3492-d56b-40ca-b7e0-bbbc65603dfa@dogfood.fastmail.com> <YIC5jFjv/Q7ehujw@straasha.imrryr.org>
Date: Thu, 22 Apr 2021 10:00:58 +1000
From: "Bron Gondwana" <brong@fastmailteam.com>
To: ietf@ietf.org
Subject: Re: snarls in real life
Content-Type: multipart/alternative; boundary=e5218f4408514562b6644c98e5b4f119
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/HEQHgQxdGBKgHQqKrcnu9l9-i6U>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Apr 2021 00:01:32 -0000

On Thu, Apr 22, 2021, at 09:47, Viktor Dukhovni wrote:
> My domain has been signed since 2014 without any disruptions, with just
> a modest monitoring script that has alerted me to pendign expiration
> (automated re-signing wasn't kicking in) a couple of times, well before
> the signatures expired.  The bugs that resulted in resigning not
> happening have been fixed for some time, and I don't have to expend any
> energy to keep DNSSEC running, it just works.

That's you - you're an expert in this field.  Most people aren't.  And yet - as you mention, you had a bug with automated re-signing failing and had to add monitoring.

Also, I suspect that the content of your zone is managed by... you.

Extrapolating from that to assume that everyone else in the world will have the same experience... maybe the tooling has become heaps better than when we looked in 2016, but the list of DNSSEC failures hasn't exactly trickled to zero - cdc.gov in the year 2021 being a nice example case:

https://mailman.nanog.org/pipermail/nanog/2021-January/211507.html

Bron.

--
  Bron Gondwana, CEO, Fastmail Pty Ltd
  brong@fastmailteam.com