Re: DNSSEC architecture vs reality

[Keith Moore <moore@network-heretics.com>]

Viktor,

Thanks for the update.   It looks as if progress is indeed being made.   
Now I wonder: what is being done to publicize DNSSEC to try to get wider 
adoption?

Keith

On 4/12/21 12:53 AM, Viktor Dukhovni wrote:
> On Sun, Apr 11, 2021 at 07:57:15PM -0400, Keith Moore wrote:
>> On 4/11/21 7:05 PM, Viktor Dukhovni wrote:
>>
>>> There are of course pros/cons for CT and pros/cons for DNSSEC, but my
>>> take is that architecturally DNSSEC is better suited for securing the
>>> typical domain on the public Internet.
>> Architectural arguments are great, but pragmatically speaking there seem
>> to be significant deployment problems with DNSSEC.
> Historically, yes.  But substantial improvements have been made, and it
> is now much easier than it used to be.
>
>>> Adoption has been hampered by difficult KSK enrollment, rollover,
>>> immaturity of tooling and by habitual cynicism from plausibly
>>> authoritative voices.
>> These aren't the problems (except perhaps immaturity of tooling) that
>> most immediately come to mind.
>>
>> Where is the easy to understand guide for how to sign your own RRs or
>> zone(s), and to verify that the signing is properly done?
> With BIND 9.16, just pick one of the stock policies, and BIND does the
> rest, generates keys, keeps the signatures current, periodically rolls
> the ZSK, even rolls the KSK and publishes CDS/CDNSKEY RRs, and I believe
> delays retiring the old KSK until the parent domain actually updates
> the DS RRs (whether via CDS, or manual update).  Try it!
>
>> Which registrars provide tools for signing, or do you have to operate
>> your own master DNS server in order to do that?
> If you're talking about registrars that sign zones for you, there are
> many.  Some of the ones hosting large numbers of signed domains are:
>
>      - one.com
>      - ovh.net
>      - googledomains.com
>      - Amazon Route 53
>      - transip.nl
>      - domeneshop.no
>      - forpsi.cz
>
> Many others, those are just some of the larger ones.
>
>> How long does it take for the typical domain name owner to sign their
>> RRs for the first time?
> With BIND 9.16, just add a policy to the zone definition.  A few
> seconds.
>
>> What's the ongoing commitment in time for a domain owner to maintain
>> DNSSEC for their RRs?
> None, BIND keeps the zone signed.  Of course wether you're signing or
> not, service monitoring is highly recommended, to check signature
> validity I use
>
>      named-compilezone -i local -jD -f raw -o - $zone $zonedb |
>          ldns-verify-zone -e P0Y0M3DT3H23M54S -V1 -S /dev/stdin
>
>> What's the immediate benefit to the signer from signing one's own RRs?
>> (Note: if nothing is verifying signatures, the immediate benefit is zero.)
> Since "nothing is verifying" is simply false, the benefit is that
> verification indeed takes place.  The strongest case is hardening
> of CAA records and TLSA records.  Soon also HTTPS and SVCB records,
> which have security-relevant information, worth hardining IMHO.
>
>> And how do we close these (and doubtless other) gaps?
> My zone has been signed since ~2014, no gaps to report, but for more
> complex environments work is being done to address
>
>      - multi-provider signing (Shumon Huque, et. al. doing great work)
>      - CDS support by registries and registrars, .CZ, .ZA, soon
>        Godaddy...
>
> We're not standing still, lots of good activity to close the gaps both
> new and longstanding.
>
>> I'd love for the Internet to be able to make better use of DNSSEC and to
>> need to rely less on PKI.  But for all that I love about this idea, I
>> don't think this is going to happen until most of these problems are fixed.
> That's why lots of work is happening to address the remaining adoption
> barriers.
>