Re: DNSSEC architecture vs reality

Eliot Lear <lear@cisco.com> Tue, 13 April 2021 09:56 UTC

From: Eliot Lear <lear@cisco.com>
Message-Id: <5DFC979A-7641-49B2-A2F4-81F737790C6D@cisco.com>
Subject: Re: DNSSEC architecture vs reality
Date: Tue, 13 Apr 2021 11:56:44 +0200
In-Reply-To: <8C8A4B56-6B8C-4D53-965C-07CE636E3FB9@frobbit.se>
Cc: The IETF List <ietf@ietf.org>
To: Patrik Fältström <paf=40frobbit.se@dmarc.ietf.org>
References: <YHN5ObR0eqea8Mrc@straasha.imrryr.org> <CABrd9SRdw9baHD5-j9nz4Zv5JjfL35TgaTvS787orEyGxZdKzA@mail.gmail.com> <YHOAzeOj1JaGdmsO@straasha.imrryr.org> <5e91c054-5935-df07-e8ba-09cc78f6c950@network-heretics.com> <YHPSP8Kij2K4v7qQ@straasha.imrryr.org> <82c5fcc6-b419-6efb-b682-b5dbb32905e2@network-heretics.com> <585D8590-472B-4CBC-8292-5BE85521DD76@gmail.com> <a6545baf-b15e-3690-d7b5-be33c4078e02@mtcc.com> <20210412221435.GV9612@localhost> <0755b70e-cc8e-3404-73cd-51950b3d7e53@mtcc.com> <20210412222748.GW9612@localhost> <26BBCA02-AC18-476B-926E-9AC37A7FBBE2@depht.com> <8C8A4B56-6B8C-4D53-965C-07CE636E3FB9@frobbit.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/wpjS4NFkhOSUu9KjBPybRf4Vs5g>

Hi Patrik,

> On 13 Apr 2021, at 10:58, Patrik Fältström <paf=40frobbit.se@dmarc.ietf.org> wrote:
> 
> On 13 Apr 2021, at 10:46, Andrew McConachie wrote:
> 
>> My point is that if people want to see HTTPS/DANE deployments grow they should start hacking HTTPS/DANE validation into the numerous open source projects that act as HTTPS clients.
> 
> I see two issues with HTTPS/DANE (and DNSSEC):
> 
> 1. People in the community have too much focused on getting zones signed instead of getting validation deployed. In Sweden we focused on validation, and as validation is happening basically everywhere, it is worth it to get their zones signed.

Yes.  The OpenDNSSEC team did a phenomenal job, only to be thwarted by secondary servers and amplification attack concerns.  My conclusion: why choose?  Both validation AND signing are problems, especially if we do not want to encourage market concentration.

Eliot
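The thread talks about "hacking HTTPS/DANE validation into" clients without showing what that validation step is. The following is an added example, not code from this thread or from any of the projects mentioned: it implements the certificate-matching half of DANE (RFC 6698 section 2.1), i.e. "does this DER certificate satisfy this TLSA record?". It assumes the TLSA record has already been obtained through a DNSSEC-validating resolver (the validation deployment Patrik is arguing for; an unvalidated TLSA record proves nothing), it handles only end-entity usages 1 and 3, and the sample certificate is a constructed, structurally valid DER shell with dummy key and signature bytes, parsed by a minimal DER walker rather than a real X.509 library.

```python
"""DANE TLSA certificate matching (RFC 6698 2.1) using only the standard
library.  Added illustration, not the thread's or any project's code.
The sample certificate below is constructed test data, not a real cert."""
import hashlib
import hmac
from dataclasses import dataclass


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, body, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def spki_from_der(cert: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo TLV of a Certificate.
    TBSCertificate = [0] version OPTIONAL, serialNumber, signature,
    issuer, validity, subject, subjectPublicKeyInfo, ..."""
    tag, cert_body, _ = _read_tlv(cert)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    pos = 0
    tag, _, nxt = _read_tlv(tbs)
    if tag == 0xA0:              # explicit [0] version is present: skip it
        pos = nxt
    for _ in range(5):           # serial, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    tag, _, end = _read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return tbs[pos:end]


@dataclass(frozen=True)
class TLSA:
    usage: int        # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int     # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int        # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes       # certificate association data

    @classmethod
    def from_presentation(cls, text: str) -> "TLSA":
        """Parse zone-file form, e.g. '3 1 1 8bd1...' (hex may be split)."""
        u, s, m, *hexparts = text.split()
        return cls(int(u), int(s), int(m), bytes.fromhex("".join(hexparts)))


def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """What a record's association field must hold for this certificate."""
    if selector == 0:
        selected = cert_der
    elif selector == 1:
        selected = spki_from_der(cert_der)
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")


def matches_end_entity(record: TLSA, leaf_der: bytes) -> bool:
    """True if the leaf certificate satisfies a usage 1 or 3 record.
    Usage 1 additionally needs ordinary PKIX path validation; usages 0
    and 2 match a CA in the chain and are refused here, not passed."""
    if record.usage not in (1, 3):
        raise ValueError("usage 0/2 records must be checked against the chain")
    expected = association_data(leaf_der, record.selector, record.mtype)
    return hmac.compare_digest(record.data, expected)


def constructed_cert(pubkey_bits: bytes, serial: int = 1) -> bytes:
    """Structurally valid, cryptographically meaningless DER Certificate
    (constructed sample data; the signature bytes are filler)."""
    rsa_oid = _tlv(0x06, bytes.fromhex("2a864886f70d010101"))  # rsaEncryption
    alg_id = _tlv(0x30, rsa_oid + _tlv(0x05, b""))
    spki = _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + pubkey_bits))
    name = _tlv(0x30, b"")                                     # empty Name
    validity = _tlv(0x30, _tlv(0x17, b"210413000000Z") * 2)
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))           # version v3
                     + _tlv(0x02, bytes([serial])) + alg_id
                     + name + validity + name + spki)
    return _tlv(0x30, tbs + alg_id + _tlv(0x03, b"\x00" + b"\xaa" * 16))


SAMPLE_CERT = constructed_cert(b"\x01" * 64)
SAMPLE_TLSA = TLSA.from_presentation(
    "3 1 1 " + hashlib.sha256(spki_from_der(SAMPLE_CERT)).hexdigest())
```

The "3 1 1" profile (DANE-EE, SPKI, SHA-256) is the one RFC 7671 recommends, and the selector choice matters operationally: a selector 1 record keeps matching when the certificate is reissued with the same key, while a selector 0 record breaks on every renewal unless the zone is updated in lockstep. Everything here is downstream of the DNS answer being DNSSEC-validated; a client that does this matching on an unvalidated TLSA record has added nothing.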