Re: DNSSEC architecture vs reality

Marco Davids <> Mon, 12 April 2021 15:02 UTC

On 12-04-21 at 14:25, Keith Moore wrote:
> Viktor,
> Thanks for the update. It looks as if progress is indeed being made. 

I second that.

> Now I wonder: what is being done to publicize DNSSEC to try to get wider 
> adoption?

I can only speak for the situation in my country. And there are lots of 
good vibes there. Quite some awareness and good adoption of DNSSEC in 
the .nl-zone (56% of all .nl domains are signed). On the validation side 
a few of the country's largest ISPs have enabled it:

The government is also quite committed to stimulating adoption.

Let me (once more) recommend, a testing-platform 
that we developed within a consortium of stakeholders in the 
Netherlands, both from the private as well as from the public sector. It 
has become quite popular with international spin-offs like !

We're not there yet, but it is certainly not all that bad either!

Marco Davids