Re: DNSSEC architecture vs reality

Patrik Fältström <paf@frobbit.se> Tue, 13 April 2021 08:58 UTC

Return-Path: <paf@frobbit.se>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F24DB3A05AC for <ietf@ietfa.amsl.com>; Tue, 13 Apr 2021 01:58:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=frobbit.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yqNOVwNNooLW for <ietf@ietfa.amsl.com>; Tue, 13 Apr 2021 01:58:26 -0700 (PDT)
Received: from mail.frobbit.se (mail.frobbit.se [IPv6:2a02:80:3ffe::176]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7C9D3A0650 for <ietf@ietf.org>; Tue, 13 Apr 2021 01:58:25 -0700 (PDT)
Received: from [169.254.151.238] (unknown [IPv6:2a01:3f0:1:0:685f:6cc1:2698:2250]) by mail.frobbit.se (Postfix) with ESMTPSA id CE19123680; Tue, 13 Apr 2021 10:58:20 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=frobbit.se; s=mail; t=1618304300; bh=RRocC+0qcfYxf+U8NTZ4TbD6aChxyLStQ0VtCg4l/Z0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=P+Klz/6qz/ictHe0zCqhnWnOTEIAjvRROioEwfZQ5qeSs5IGONzQymCEQQ8fbi04S 1cEP3g8w+21DsKqct5TF2dkIqYeVtXd2nHg69Bu7pzrdyXLOCzsx5tgRlMD2WmKGJY /GO4INamNxz3KNmtTOqix5rYj8NyhgdOlGHeqMpM=
From: "Patrik =?utf-8?b?RsOkbHRzdHLDtm0=?=" <paf@frobbit.se>
To: "Andrew McConachie" <andrew@depht.com>
Cc: "Nico Williams" <nico@cryptonector.com>, ietf@ietf.org
Subject: Re: DNSSEC architecture vs reality
Date: Tue, 13 Apr 2021 10:58:19 +0200
X-Mailer: MailMate (1.14r5757)
Message-ID: <8C8A4B56-6B8C-4D53-965C-07CE636E3FB9@frobbit.se>
In-Reply-To: <26BBCA02-AC18-476B-926E-9AC37A7FBBE2@depht.com>
References: <YHN5ObR0eqea8Mrc@straasha.imrryr.org> <CABrd9SRdw9baHD5-j9nz4Zv5JjfL35TgaTvS787orEyGxZdKzA@mail.gmail.com> <YHOAzeOj1JaGdmsO@straasha.imrryr.org> <5e91c054-5935-df07-e8ba-09cc78f6c950@network-heretics.com> <YHPSP8Kij2K4v7qQ@straasha.imrryr.org> <82c5fcc6-b419-6efb-b682-b5dbb32905e2@network-heretics.com> <585D8590-472B-4CBC-8292-5BE85521DD76@gmail.com> <a6545baf-b15e-3690-d7b5-be33c4078e02@mtcc.com> <20210412221435.GV9612@localhost> <0755b70e-cc8e-3404-73cd-51950b3d7e53@mtcc.com> <20210412222748.GW9612@localhost> <26BBCA02-AC18-476B-926E-9AC37A7FBBE2@depht.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_CDABA023-36D7-4408-A46D-1FB76985E869_="; micalg=pgp-sha512; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/ValgiHSNs0kYKllwEE_hBdYNeR4>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Apr 2021 08:58:31 -0000

On 13 Apr 2021, at 10:46, Andrew McConachie wrote:

> My point is that if people want to see HTTPS/DANE deployments grow they should start hacking HTTPS/DANE validation into the numerous open source projects that act as HTTPS clients.

I see two issues with HTTPS/DANE (and DNSSEC):

1. People in the community have too much focused on getting zones signed instead of getting validation deployed. In Sweden we focused in validation, and as validation is happening basically everywhere, it is worth it to get their zones signed.

My conclusion: Continue to talk about _validation_.

2. libCurl is used basically everywhere and some efforts have been done to add DANE, but nothing really finished. <https://curl.se/docs/todo.html#Support_DANE>

My conclusion: Convince someone with more time than me to actually finish the work.

    Patrik