Re: DNSSEC architecture vs reality

Marco Davids <mdavids@forfun.net> Mon, 12 April 2021 15:02 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/Q7WPEmnol4Vd_rxvED591Ugb-Bk>
List-Id: IETF-Discussion <ietf.ietf.org>

On 12-04-21 at 14:25, Keith Moore wrote:
> Viktor,
> 
> Thanks for the update. It looks as if progress is indeed being made. 

I second that.

> Now I wonder: what is being done to publicize DNSSEC to try to get wider 
> adoption?

I can only speak for the situation in my country. And there are lots of 
good vibes there. Quite some awareness and good adoption of DNSSEC in 
the .nl-zone (56% of all .nl domains are signed). On the validation side 
a few of the country's largest ISPs have enabled it:

https://stats.labs.apnic.net/dnssec/NL

The government is also quite committed to stimulating adoption.

Let me (once more) recommend https://en.internet.nl/, a testing-platform 
that we developed within a consortium of stakeholders in the 
Netherlands, both from the private as well as from the public sector. It 
has become quite popular with international spin-offs like 
https://xn--sikkerpnettet-vfb.dk/ !

We're not there yet, but it is certainly not all that bad either!

-- 
Marco Davids