Re: DNSSEC architecture vs reality

Nico Williams <nico@cryptonector.com> Tue, 13 April 2021 01:41 UTC

Date: Mon, 12 Apr 2021 20:41:02 -0500
From: Nico Williams <nico@cryptonector.com>
To: Michael Thomas <mike@mtcc.com>
Cc: John C Klensin <john-ietf@jck.com>, ietf@ietf.org
Subject: Re: DNSSEC architecture vs reality
Message-ID: <20210413014101.GE9612@localhost>
References: <585D8590-472B-4CBC-8292-5BE85521DD76@gmail.com> <a6545baf-b15e-3690-d7b5-be33c4078e02@mtcc.com> <20210412221435.GV9612@localhost> <0755b70e-cc8e-3404-73cd-51950b3d7e53@mtcc.com> <20210412222748.GW9612@localhost> <b0a43f25-c4c2-9f3c-1a42-426a6ef6afa0@mtcc.com> <5F7F84363A52E9AB79CBF9B2@PSB> <06a8c3ef-3cd0-e287-b749-d874d9217ecf@mtcc.com> <D871236156E274EABD68A85D@PSB> <f435cc1c-0586-18e9-54d4-1d3a78d2829e@mtcc.com>
In-Reply-To: <f435cc1c-0586-18e9-54d4-1d3a78d2829e@mtcc.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/asB-tYYq7rk7DgMJZtqoIyI6O98>

On Mon, Apr 12, 2021 at 06:28:23PM -0700, Michael Thomas wrote:
>           [...]. That's why I think it's a realistic opportunity for
> quic+dane. [...]

I think DANE has great reasons to exist and get deployed.  Critical
pieces could come into place this year or three years from now, though
sooner is better (and, really, before we have a crisis of some sort with
WebPKI).

>     [...]. But finding out that Google doesn't sign their zones is
> disappointing.

Again, that has to do with issues that may have passed now, and it may
be possible to nudge them to sign their zones now.