Re: [Resolverless-dns] Paper on Resolver-less DNS
Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 27 August 2019 19:23 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: resolverless-dns@ietfa.amsl.com
Delivered-To: resolverless-dns@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 624F9120827 for <resolverless-dns@ietfa.amsl.com>; Tue, 27 Aug 2019 12:23:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F5yZTgRRUgf9 for <resolverless-dns@ietfa.amsl.com>; Tue, 27 Aug 2019 12:23:28 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB663120236 for <resolverless-dns@ietf.org>; Tue, 27 Aug 2019 12:23:28 -0700 (PDT)
Received: from [10.200.2.180] (sdzac10-108-1-nat.nje.twosigma.com [8.2.105.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id 2EF823F83C for <resolverless-dns@ietf.org>; Tue, 27 Aug 2019 15:23:28 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <34813218.VKkrhzyXsx@linux-9daj>
Date: Tue, 27 Aug 2019 15:23:27 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: resolverless-dns@ietf.org
Message-Id: <B955C518-C8B4-40C2-9452-2CF0E40A2917@dukhovni.org>
References: <CAHbrMsBhR1yaLxQk7wZk54Jdf5nvkS03KC3UTae0Famu2+SV8g@mail.gmail.com> <4568720.uvMTqBdgP4@linux-9daj> <fb12f102-714d-95cc-c6cc-0871a2df9f50@informatik.uni-hamburg.de> <34813218.VKkrhzyXsx@linux-9daj>
To: resolverless-dns@ietf.org
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/resolverless-dns/Y8MMb7uPDAg93dkhHmjQ4totQwQ>
Subject: Re: [Resolverless-dns] Paper on Resolver-less DNS
X-BeenThere: resolverless-dns@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Resolverless DNS <resolverless-dns.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/resolverless-dns>, <mailto:resolverless-dns-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/resolverless-dns/>
List-Post: <mailto:resolverless-dns@ietf.org>
List-Help: <mailto:resolverless-dns-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/resolverless-dns>, <mailto:resolverless-dns-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Aug 2019 19:23:32 -0000
> On Aug 22, 2019, at 5:50 PM, Paul Vixie <paul@redbarn.org> wrote: > > > > the economy depends on them doing so. > > > > I find that only 0.9% of the .com domains are signed [2] and having a > > signature does not mean that they can be successfully validated. > > I suggest you broaden your search for knowledge. for example, this web site may be of interest, along with the monthly reports posted to dns-operations@ by the same authors. > > https://stats.dnssec-tools.org/ While the .COM zone has 0.95% DNSSEC adoption (1,349,030 domains out of 141,522,129 in yesterday's zone file), other TLDs, especially in Europe, have a much higher adoption rate. For example, the .CZ, .NL, .NO and .SE TLDs have >50% DNSSEC adoption. Below is a recent (end of May) snapshot of the top 10 TLDs by signed domain count: TLD #Domains #signed #Source ---- -------- ------- ------- .NL 5864458 3184849 https://stats.nic.cz/stats/domains_by_dnssec/ .COM 140169031 1273294 .COM zone file .BR 4056813 1079522 https://registro.br/estatisticas.html .SE 1453459 769879 .SE zone file .CZ 1328201 746689 https://stats.nic.cz/stats/domains_by_dnssec/ .EU 3661899 513324 Eurid reports .PL 2615437 499529 dns.pl website .NO 772052 448640 norid.no website .FR 3388943 402472 afnic.fr website .BE 1287130 288876 DANE survey Overall, in the DNSSEC survey, there are ~10 million signed domains (delegated from "public-suffix" parent domains) out of ~260 million sampled, so the "adoption bump" in Europe brings the overall rate closer to 4%. [ FWIW, with the website updated daily, I've stopped sending monthly summaries to the dns-operations list, but could do it again if there's popular demand. ] > > > if RDNS isn't client software from your point of view, you'll dismiss > > > these assertions. > > > > RDNS requires the client to trust the used recursive resolver. > > not for DANE work flows. stub validation is not widely implemented or well supported by DNSSEC, but it works, and existing DANE TLSA clients do this. The DANE implementation in Postfix and Exim leaves DNSSEC validation to the loopback (local) resolver, rather than duplicate (poorly) the code already present in BIND, unbound, etc. A local resolver is also useful for caching MX RRsets, RBL results, ... so is already best- practice on an MTA. While applications might use libunbound or similar to directly validate DNSSEC records, there still needs to some sort of OS service for keeping the root (and any other) trust-anchors fresh. This could of course be much more light-weight than a local caching resolver... -- Viktor.
- [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ben Schwartz
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
- Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS John R Levine
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Orth
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Fred Baker
- Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
- Re: [Resolverless-dns] Paper on Resolver-less DNS John R Levine
- Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
- Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Orth
- Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Steffen Nurpmeso
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Anne Bennett
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Steffen Nurpmeso
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ralf Weber
- Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Anne Bennett
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Orth
- Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
- Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ralf Weber
- Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
- Re: [Resolverless-dns] Paper on Resolver-less DNS Anne Bennett
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ralf Weber
- Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
- Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Osterweil
- Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Osterweil
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Osterweil
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Osterweil
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Bob Harold
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie