DNSSEC architecture vs reality (was: Re: Quic: the elephant in the room)

Keith Moore <moore@network-heretics.com> Sun, 11 April 2021 23:57 UTC

On 4/11/21 7:05 PM, Viktor Dukhovni wrote:

> There are of course pros/cons for CT and pros/cons for DNSSEC, but my
> take is that architecturally DNSSEC is better suited for securing the
> typical domain on the public Internet.

Architectural arguments are great, but pragmatically speaking there seem
to be significant deployment problems with DNSSEC.

> Adoption has been hampered by
> difficult KSK enrollment rollover, immaturity of tooling and by habitual
> cynicism from plausibly authoritative voices.

These aren't the problems (except perhaps immaturity of tooling) that 
most immediately come to mind.

Where is the easy to understand guide for how to sign your own RRs or 
zone(s), and to verify that the signing is properly done?

Which registrars provide tools for signing, or do you have to operate 
your own master DNS server in order to do that?

How long does it take for the typical domain name owner to sign their 
RRs for the first time?

What's the ongoing commitment in time for a domain owner to maintain 
DNSSEC for their RRs?

What's the immediate benefit to the signer from signing one's own RRs?   
(Note: if nothing is verifying signatures, the immediate benefit is zero.)

And how do we close these (and doubtless other) gaps?

I'd love for the Internet to be able to make better use of DNSSEC and to 
need to rely less on PKI.  But for all that I love about this idea, I 
don't think this is going to happen until most of these problems are fixed.

Keith

p.s. and I doubt I'm a plausibly authoritative voice on this subject, 
but please don't interpret this as cynicism so much as a genuine desire 
to get people using these tools.