Re: DNSSEC architecture vs reality

Patrik Fältström <paf@frobbit.se> Tue, 13 April 2021 08:58 UTC

From: Patrik Fältström <paf@frobbit.se>
To: Andrew McConachie <andrew@depht.com>
Cc: Nico Williams <nico@cryptonector.com>, ietf@ietf.org
Subject: Re: DNSSEC architecture vs reality
Date: Tue, 13 Apr 2021 10:58:19 +0200

On 13 Apr 2021, at 10:46, Andrew McConachie wrote:

> My point is that if people want to see HTTPS/DANE deployments grow they should start hacking HTTPS/DANE validation into the numerous open source projects that act as HTTPS clients.

I see two issues with HTTPS/DANE (and DNSSEC):

1. People in the community have focused too much on getting zones signed instead of getting validation deployed. In Sweden we focused on validation, and as validation is happening basically everywhere, it is worth it to get their zones signed.

My conclusion: Continue to talk about _validation_.

2. libcurl is used basically everywhere and some efforts have been made to add DANE, but nothing is really finished. <https://curl.se/docs/todo.html#Support_DANE>

My conclusion: Convince someone with more time than me to actually finish the work.

    Patrik