Re: snarls in real life

Viktor Dukhovni <> Thu, 22 April 2021 00:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EF2613A3CD3 for <>; Wed, 21 Apr 2021 17:23:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Wu1Seh8peTUt for <>; Wed, 21 Apr 2021 17:23:54 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 504983A3CD0 for <>; Wed, 21 Apr 2021 17:23:54 -0700 (PDT)
Received: from [] (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id E19E1C138C for <>; Wed, 21 Apr 2021 20:23:52 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
Subject: Re: snarls in real life
From: Viktor Dukhovni <>
In-Reply-To: <>
Date: Wed, 21 Apr 2021 20:23:52 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <YIC5jFjv/> <>
X-Mailer: Apple Mail (2.3654.
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 22 Apr 2021 00:23:59 -0000

> On Apr 21, 2021, at 8:00 PM, Bron Gondwana <> wrote:
> That's you - you're an expert in this field.  Most people aren't.  And yet - as you mention,
> you had a bug with automated re-signing failing and had to add monitoring.

No, I did not have to add monitoring, the monitoring came first!
If it isn't monitored, it is not a critical service.  I never had
an outage, just had to fix some long ago resolved bugs.

> Also, I suspect that the content of your zone is managed by... you.

The zone content is largely irrelevant for signing, DNSSEC signing
just covers whatever is found in the zone.

> Extrapolating from that to assume that everyone else in the world will have
> the same experience... maybe the tooling has become heaps better than when
> we looked in 2016, but the list of DNSSEC failures hasn't exactly trickled
> to zero - in the year 2021 being a nice example case.

The tool has gotten heaps better, but some folks haven't upgraded, and have
poor operational discipline.  They likely have many other failures that
people just don't write about, because they're less popular punching bags
than DNSSEC.  It takes just a grain of competence and attention to detail,
as with any production technology.  What doesn't work is neglect, and that
also goes for unsigned DNS, with parent NS records going stale, replication
failing, ...

I am suggesting that Google can easily do DNSSEC for, they likely
face non-trivial adoption barriers with global DNSSEC load-balancing, and
other specialised tech.  I am just saying the old excuses are tired out, we
can and should move on.