Re: DNSSEC architecture vs reality

Patrik Fältström <paf@frobbit.se> Tue, 13 April 2021 10:20 UTC

Return-Path: <paf@frobbit.se>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE2813A040F for <ietf@ietfa.amsl.com>; Tue, 13 Apr 2021 03:20:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=frobbit.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c9sgANM_lkjG for <ietf@ietfa.amsl.com>; Tue, 13 Apr 2021 03:20:42 -0700 (PDT)
Received: from mail.frobbit.se (mail.frobbit.se [85.30.129.185]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57AEE3A03FB for <ietf@ietf.org>; Tue, 13 Apr 2021 03:20:42 -0700 (PDT)
Received: from [169.254.195.253] (unknown [IPv6:2a01:3f0:1:0:685f:6cc1:2698:2250]) by mail.frobbit.se (Postfix) with ESMTPSA id EAD8D2009C for <ietf@ietf.org>; Tue, 13 Apr 2021 12:20:39 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=frobbit.se; s=mail; t=1618309240; bh=8xtHtC+MywJKQBCBWuD6g9kg8XVPa45u8wSra8YX5Qo=; h=From:To:Subject:Date:In-Reply-To:References:From; b=R36GNHAlQOAfGoTJYMXjzJzfFcIGgGcSoxjYOMIe8Migql27uYqtbSw2TUNQTLtoF UqymsUgr4vO7itNVcjd7E8X3TpAjs3gc3QkD3Rhtnvk+wdPuH4ARrTE6NQmQLXueOC R9iyCFpYRAvzcC0ZTLqTG4Pzv4VMkrTFLzC/SZX0=
From: "Patrik =?utf-8?b?RsOkbHRzdHLDtm0=?=" <paf@frobbit.se>
To: "The IETF List" <ietf@ietf.org>
Subject: Re: DNSSEC architecture vs reality
Date: Tue, 13 Apr 2021 12:20:39 +0200
X-Mailer: MailMate (1.14r5757)
Message-ID: <2041F13F-22F0-4704-B41E-A326DD6F84BF@frobbit.se>
In-Reply-To: <5DFC979A-7641-49B2-A2F4-81F737790C6D@cisco.com>
References: <YHN5ObR0eqea8Mrc@straasha.imrryr.org> <CABrd9SRdw9baHD5-j9nz4Zv5JjfL35TgaTvS787orEyGxZdKzA@mail.gmail.com> <YHOAzeOj1JaGdmsO@straasha.imrryr.org> <5e91c054-5935-df07-e8ba-09cc78f6c950@network-heretics.com> <YHPSP8Kij2K4v7qQ@straasha.imrryr.org> <82c5fcc6-b419-6efb-b682-b5dbb32905e2@network-heretics.com> <585D8590-472B-4CBC-8292-5BE85521DD76@gmail.com> <a6545baf-b15e-3690-d7b5-be33c4078e02@mtcc.com> <20210412221435.GV9612@localhost> <0755b70e-cc8e-3404-73cd-51950b3d7e53@mtcc.com> <20210412222748.GW9612@localhost> <26BBCA02-AC18-476B-926E-9AC37A7FBBE2@depht.com> <8C8A4B56-6B8C-4D53-965C-07CE636E3FB9@frobbit.se> <5DFC979A-7641-49B2-A2F4-81F737790C6D@cisco.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_7001CF87-BCA8-4E42-996E-D45A4618E663_="; micalg=pgp-sha512; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/SDEfCe-0ygakfjcL7jXnZ8RvDZA>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Apr 2021 10:20:47 -0000

On 13 Apr 2021, at 11:56, Eliot Lear wrote:

> The opendnssec team did a phenomenal job, only to be thwarted by secondary servers and amplification attack concerns.

One more thing....the OpenDNSSEC design did not really take key rollover and the need for interaction and/or integration in the registrar/registry (epp) flow of data. So actual deployment in operational environments was not trivial.

Today, with better support for management of DS inbound in a signed zone, this is not as big as a problem as it was. Specifically as the need for rolling KSK is also questioned. As long as you CAN roll the KSK.

   Patrik