Re: DNSSEC architecture vs reality

Nico Williams <> Mon, 12 April 2021 22:28 UTC

Date: Mon, 12 Apr 2021 17:27:49 -0500
From: Nico Williams <>
To: Michael Thomas <>
Subject: Re: DNSSEC architecture vs reality
Message-ID: <20210412222748.GW9612@localhost>
References: <> <> <> <> <> <> <> <> <20210412221435.GV9612@localhost> <>

On Mon, Apr 12, 2021 at 03:17:32PM -0700, Michael Thomas wrote:
> > (1) may have been because of (2), and I believe (2) was because of
> > internal technical and political issues.  I.e., I would not consider it
> > dispositive that Google seemed to like DANE then gave up on it, though
> > that and why they did certainly is germane.
> Yes, that's what I would assume as well. "Build it and they will come" has a
> sterling track record of failure in the IETF.

Building a technical spec is not enough, indeed.  DANE hasn't succeeded
yet, and neither has DNSSEC.  But DANE is starting to gather steam (in
no small part due to Viktor's efforts) in the realm of SMTP.  The fact
that DANE was early for its time doesn't mean that the single root and
unyielding name constraints aren't appealing or appealing enough to make
a more serious try now.

As noted, the tooling for DNSSEC has been substantially improved in
recent years.  Implementations of DANE do exist now.  There are a number
of missing elements, such as a TLS extension to staple DANE that
supports authenticated denial of existence.  We're making progress
though.  It may seem slow, but there may be a preference cascade at some
point.  It may only take enough user-agent and registrar/domain-hosting
services providing this functionality to make it popular.