Re: [Resolverless-dns] Paper on Resolver-less DNS

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 27 August 2019 19:23 UTC

From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <34813218.VKkrhzyXsx@linux-9daj>
Date: Tue, 27 Aug 2019 15:23:27 -0400
Message-Id: <B955C518-C8B4-40C2-9452-2CF0E40A2917@dukhovni.org>
References: <CAHbrMsBhR1yaLxQk7wZk54Jdf5nvkS03KC3UTae0Famu2+SV8g@mail.gmail.com> <4568720.uvMTqBdgP4@linux-9daj> <fb12f102-714d-95cc-c6cc-0871a2df9f50@informatik.uni-hamburg.de> <34813218.VKkrhzyXsx@linux-9daj>
To: resolverless-dns@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/resolverless-dns/Y8MMb7uPDAg93dkhHmjQ4totQwQ>

> On Aug 22, 2019, at 5:50 PM, Paul Vixie <paul@redbarn.org> wrote:
> 
> > >  the economy depends on them doing so.
> > 
> > I find that only 0.9% of the .com domains are signed [2] and having a
> > signature does not mean that they can be successfully validated.
>  
> I suggest you broaden your search for knowledge. for example, this web site may be of interest, along with the monthly reports posted to dns-operations@ by the same authors.
>  
> https://stats.dnssec-tools.org/ 

While the .COM zone has 0.95% DNSSEC adoption (1,349,030 domains out
of 141,522,129 in yesterday's zone file), other TLDs, especially in
Europe, have a much higher adoption rate.  For example, the .CZ, .NL,
.NO and .SE TLDs have >50% DNSSEC adoption.  Below is a recent (end of
May) snapshot of the top 10 TLDs by signed domain count:

TLD    #Domains   #signed   Source
----   ---------  --------  ------
.NL      5864458   3184849  https://stats.nic.cz/stats/domains_by_dnssec/
.COM   140169031   1273294  .COM zone file
.BR      4056813   1079522  https://registro.br/estatisticas.html
.SE      1453459    769879  .SE zone file
.CZ      1328201    746689  https://stats.nic.cz/stats/domains_by_dnssec/
.EU      3661899    513324  Eurid reports
.PL      2615437    499529  dns.pl website
.NO       772052    448640  norid.no website
.FR      3388943    402472  afnic.fr website
.BE      1287130    288876  DANE survey

Overall, in the DNSSEC survey, there are ~10 million signed domains
(delegated from "public-suffix" parent domains) out of ~260 million
sampled, so the "adoption bump" in Europe brings the overall rate
closer to 4%.

[ FWIW, with the website updated daily, I've stopped sending monthly
  summaries to the dns-operations list, but could do it again if
  there's popular demand. ]

> > > if RDNS isn't client software from your point of view, you'll dismiss
> > > these assertions.
> > 
> > RDNS requires the client to trust the used recursive resolver.
>  
> not for DANE work flows. stub validation is not widely implemented or well supported by DNSSEC, but it works, and existing DANE TLSA clients do this.

The DANE implementation in Postfix and Exim leaves DNSSEC validation
to the loopback (local) resolver, rather than duplicate (poorly) the
code already present in BIND, unbound, etc.  A local resolver is also
useful for caching MX RRsets, RBL results, ... so is already best
practice on an MTA.

While applications might use libunbound or similar to directly validate
DNSSEC records, there still needs to be some sort of OS service for
keeping the root (and any other) trust-anchors fresh.  This could of
course be much more light-weight than a local caching resolver...

-- 
	Viktor.
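Added example, not Viktor's survey tooling (which is not on this page): how the
"#signed" column for the TLDs counted from a zone file (.COM, .SE above) is
derived. From the parent's point of view a delegation is signed when the parent
zone publishes a DS RRset for it, so the count is "owners of NS RRsets below the
apex" intersected with "owners of DS RRsets". The zone text below is constructed,
not real registry data, and the parser handles only what SOA/NS/DS lines need
(no parenthesised continuation lines, no quoted rdata).

```python
"""Count DNSSEC-signed delegations in a TLD zone file (added example).

A delegated name is the owner of an NS RRset below the apex; it is "signed"
from the parent's point of view when the parent also publishes a DS RRset
for it.  Records are streamed, so a full TLD zone only costs two sets of
owner names, not a copy of every RR.
"""
import sys
from collections import Counter
from typing import Iterable, Iterator, List, Tuple

CLASSES = {"IN", "CH", "HS"}

# Constructed sample zone (not real registry data) in the presentation format
# TLD zone files use: $ORIGIN, relative owner names, optional TTL/class fields,
# ';' comments, blank-owner continuation lines, and mixed case.
SAMPLE_ZONE = """\
$ORIGIN example.
$TTL 172800
@           IN SOA    a.gtld-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
@           IN NS     a.gtld-servers.net.
@           IN DNSKEY 257 3 8 AwEAAc...         ; apex key, not a delegation
signed      IN NS     ns1.signed.example.
signed      IN NS     ns2.signed.example.
signed      IN DS     12345 13 2 A1B2C3...
ns1.signed  IN A      192.0.2.1                 ; glue, not a delegation
ns2.signed  IN A      192.0.2.2
unsigned    IN NS     ns1.unsigned.example.
UNSIGNED    IN NS     ns2.unsigned.example.     ; same owner, different case
multi  3600 IN NS     ns1.multi.example.        ; explicit TTL field
            IN DS     1 8 1 DEADBEEF...         ; blank owner = previous owner
            IN DS     1 8 2 DEADBEEF...         ; two digests, one signed delegation
"""


def iter_records(lines: Iterable[str], origin: str = ".") -> Iterator[Tuple[str, str, List[str]]]:
    """Yield (owner, TYPE, rdata tokens) with absolute, lower-cased owner names."""
    owner = None
    for raw in lines:
        line = raw.split(";", 1)[0].rstrip()      # drop comments (no quoted rdata here)
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            origin = origin if origin.endswith(".") else origin + "."
            continue
        if line.startswith("$"):                  # $TTL, $INCLUDE: irrelevant to the count
            continue
        tokens = line.split()
        if not line[0].isspace():                 # leading blank keeps the previous owner
            name = tokens.pop(0)
            if name == "@":
                owner = origin
            elif name.endswith("."):
                owner = name.lower()
            else:
                owner = (name + "." + origin.lstrip(".")).lower()
        if owner is None:
            raise ValueError("RR without owner name: %r" % raw)
        i = 0
        while tokens[i].isdigit() or tokens[i].upper() in CLASSES:   # skip TTL and class
            i += 1
        yield owner, tokens[i].upper(), tokens[i + 1:]


def count_signed_delegations(records: Iterable[Tuple[str, str, List[str]]]) -> Tuple[int, int, Counter]:
    """Return (delegated names, delegated names with DS, DS algorithm histogram)."""
    apex, ns_owners, ds_owners, algorithms = None, set(), set(), Counter()
    for owner, rtype, rdata in records:
        if rtype == "SOA":
            apex = owner                          # the apex owns NS too, but is not a delegation
        elif rtype == "NS":
            ns_owners.add(owner)
        elif rtype == "DS":
            ds_owners.add(owner)
            algorithms[int(rdata[1])] += 1        # DS rdata: key tag, algorithm, digest type, digest
    delegated = ns_owners - {apex}
    return len(delegated), len(delegated & ds_owners), algorithms


def summarize(zone_text: str) -> dict:
    total, signed, algorithms = count_signed_delegations(iter_records(zone_text.splitlines()))
    pct = round(100.0 * signed / total, 2) if total else 0.0
    return {"delegations": total, "signed": signed,
            "percent_signed": pct, "ds_algorithms": dict(algorithms)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:             # e.g. a downloaded TLD zone file
            print(count_signed_delegations(iter_records(fh)))
    else:
        print(summarize(SAMPLE_ZONE))
```

Run against a real zone file (`python count_ds.py com.zone`) the script reports the
delegated/signed pair the table quotes, plus the DS algorithm mix, which is worth
watching separately: a DS RRset proves intent to sign, not that the child's chain
actually validates, which is the caveat raised earlier in the thread.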
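Added example, mine rather than code from Postfix or Exim, of the stub side of
the work flow described above: the MTA sends its TLSA query to the loopback
validating resolver with the EDNS0 DO bit set and the CD bit clear, and then
reads the AD bit in the reply as the resolver's statement that the RRset
validated. The reply bytes are constructed in-line to stand in for the local
resolver; the name _25._tcp.mx.example.net and the digest are made up.

```python
"""Stub-side TLSA lookup that leaves DNSSEC validation to a local resolver.

Added example, not Postfix/Exim code.  The stub sets DO so the resolver
returns DNSSEC-aware answers, leaves CD (checking disabled) clear so the
resolver actually validates, and then reads the AD bit in the reply.  AD is
only trustworthy when the path to the resolver is trusted (loopback, or an
authenticated channel to a resolver you operate); on an open network anyone
can set it, which is why the validator lives on the MTA host.
"""
import secrets
import struct
from typing import List, Optional, Tuple

QTYPE_TLSA = 52
FLAG_AD = 0x0020          # authenticated data, set by the validating resolver
FLAG_CD = 0x0010          # checking disabled; this stub must leave it clear
EDNS_DO = 0x8000          # DNSSEC OK flag in the OPT RR's TTL field
RCODE_SERVFAIL = 2        # what a validating resolver returns for bogus data
TLSA = Tuple[int, int, int, str]   # usage, selector, matching type, hex data


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as uncompressed labels plus the root terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int = QTYPE_TLSA, txid: Optional[int] = None) -> bytes:
    """DNS query with RD set, CD clear, and an OPT RR carrying the DO bit."""
    txid = secrets.randbelow(1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # flags=RD; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, "class" = UDP payload size,
    # TTL field = extended rcode (0), version (0), flags (DO); empty rdata.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, EDNS_DO, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:              # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Extract rcode, the AD flag and any TLSA answers from a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # qtype + qclass
    tlsa: List[TLSA] = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TLSA and rclass == 1:
            tlsa.append((rdata[0], rdata[1], rdata[2], rdata[3:].hex()))
    return {"rcode": flags & 0xF, "ad": bool(flags & FLAG_AD), "tlsa": tlsa}


def classify_tlsa_lookup(response: bytes, txid: int) -> Tuple[str, List[TLSA]]:
    """Map a reply to the three outcomes a DANE client must keep apart.

    "secure"   : validated (AD set); the TLSA RRset, possibly empty, is usable.
    "insecure" : not validated; behave as if no TLSA records existed.
    "error"    : SERVFAIL or other failure; defer, never downgrade.
    """
    r = parse_response(response, txid)
    if r["rcode"] not in (0, 3):                 # NOERROR / NXDOMAIN are the only answers
        return "error", []
    if not r["ad"]:
        return "insecure", []
    return "secure", r["tlsa"]


def make_response(query: bytes, ad: bool, records: List[Tuple[int, int, int, bytes]],
                  rcode: int = 0) -> bytes:
    """Constructed stand-in for the loopback resolver's reply to `query`."""
    txid = struct.unpack_from("!H", query)[0]
    qend = _skip_name(query, 12) + 4
    flags = 0x8180 | (FLAG_AD if ad else 0) | rcode   # QR, RD, RA (+AD)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(records), 0, 0)
    answers = b""
    for usage, selector, mtype, data in records:
        rdata = bytes([usage, selector, mtype]) + data
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TLSA, 1, 3600, len(rdata)) + rdata
    return header + query[12:qend] + answers


if __name__ == "__main__":
    q = build_query("_25._tcp.mx.example.net", txid=0x1234)
    # Real use: socket.sendto(q, ("127.0.0.1", 53)) and read the reply back.
    print(classify_tlsa_lookup(make_response(q, ad=True, records=[(3, 1, 1, bytes(32))]), 0x1234))
```

The three-way split is the part worth copying: treating "insecure" and "error" alike
would let an on-path attacker who can induce SERVFAIL strip DANE, and treating
"insecure" as "secure" would let anyone who can answer first set AD themselves.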