Re: DNSSEC architecture vs reality

Jim Fenton <fenton@bluepopcorn.net> Wed, 14 April 2021 00:19 UTC

Return-Path: <fenton@bluepopcorn.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7EBB3A0D00; Tue, 13 Apr 2021 17:19:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bluepopcorn.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YBuyCMLos_dB; Tue, 13 Apr 2021 17:19:22 -0700 (PDT)
Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27EC73A0CFE; Tue, 13 Apr 2021 17:19:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bluepopcorn.net; s=supersize; h=Content-Transfer-Encoding:Content-Type: MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=XbaYzkCJrbpLYwcqUxP6S9teyBtWSslanx+56Ze3gtE=; b=RBvTThAZtDBJ/Qh13J4GF//ZwQ 7N2VakzJes/eXCS+VqgzCAe/YAMhe7Uw0cR2gYG/DMRaojMLeKg+hj46LxrPIEr7szRz5n+rVMqW5 I6yulpf95wRA0Qd7yy8PR52nEBtNVD3Vpc70r9aKJs9vGR0+ugwjgEjRMAhAcA0irOEI=;
Received: from [2601:647:4400:1261:b538:335d:f895:1804] (helo=[10.10.20.144]) by v2.bluepopcorn.net with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <fenton@bluepopcorn.net>) id 1lWTFU-0001pw-IW; Tue, 13 Apr 2021 17:19:17 -0700
From: "Jim Fenton" <fenton@bluepopcorn.net>
To: "Patrik =?utf-8?b?RsOkbHRzdHLDtm0=?=" <paf=40frobbit.se@dmarc.ietf.org>
Cc: ietf@ietf.org
Subject: Re: DNSSEC architecture vs reality
Date: Tue, 13 Apr 2021 17:19:16 -0700
X-Mailer: MailMate (1.13.2r5673)
Message-ID: <9A092DDE-067C-4A5E-A98D-CCF33ADA49E4@bluepopcorn.net>
In-Reply-To: <8C8A4B56-6B8C-4D53-965C-07CE636E3FB9@frobbit.se>
References: <YHN5ObR0eqea8Mrc@straasha.imrryr.org> <CABrd9SRdw9baHD5-j9nz4Zv5JjfL35TgaTvS787orEyGxZdKzA@mail.gmail.com> <YHOAzeOj1JaGdmsO@straasha.imrryr.org> <5e91c054-5935-df07-e8ba-09cc78f6c950@network-heretics.com> <YHPSP8Kij2K4v7qQ@straasha.imrryr.org> <82c5fcc6-b419-6efb-b682-b5dbb32905e2@network-heretics.com> <585D8590-472B-4CBC-8292-5BE85521DD76@gmail.com> <a6545baf-b15e-3690-d7b5-be33c4078e02@mtcc.com> <20210412221435.GV9612@localhost> <0755b70e-cc8e-3404-73cd-51950b3d7e53@mtcc.com> <20210412222748.GW9612@localhost> <26BBCA02-AC18-476B-926E-9AC37A7FBBE2@depht.com> <8C8A4B56-6B8C-4D53-965C-07CE636E3FB9@frobbit.se>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/muPbQRU6T5Bt_GiFeZJluPUznLM>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Apr 2021 00:19:27 -0000

On 13 Apr 2021, at 1:58, Patrik Fältström wrote:

> 1. People in the community have too much focused on getting zones 
> signed instead of getting validation deployed. In Sweden we focused in 
> validation, and as validation is happening basically everywhere, it is 
> worth it to get their zones signed.
>
> My conclusion: Continue to talk about _validation_.

Agreed, but a lot of administrators are focused on compliance with 
mandates (such as 
https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2008/m08-23.pdf 
) and it’s easy to audit signing of zones. It’s much harder to audit 
validation, resulting in lower deployment that is unfortunate because 
validation is what would benefit their own users.

-Jim