Re: [sunset4] future of dnssec?

Philip Homburg <pch-sunset4@u-1.phicoh.com> Wed, 22 February 2017 16:45 UTC

Message-Id: <m1cga39-0000DKC@stereo.hq.phicoh.net>
To: sunset4@ietf.org
From: Philip Homburg <pch-sunset4@u-1.phicoh.com>
Sender: pch-bF054DD66@u-1.phicoh.com
References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <B5E8C545-55B9-4ECB-B0C8-C3EEFEECD320@fugue.com> <20170222143629.9E9C56454B08@rock.dv.isc.org> <CAD6AjGS9gF3AX_EXo8fbii-TYFhHa6CdUkxEQXjvOdQsXSxhrw@mail.gmail.com>
In-reply-to: Your message of "Wed, 22 Feb 2017 16:19:40 +0000 ." <CAD6AjGS9gF3AX_EXo8fbii-TYFhHa6CdUkxEQXjvOdQsXSxhrw@mail.gmail.com>
Date: Wed, 22 Feb 2017 17:45:54 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/sunset4/Y4wdqSCNArzXcgOETyV1Z3XDB_A>
Cc: Ca By <cb.list6@gmail.com>
Subject: Re: [sunset4] future of dnssec?

>From a network with 10s of millions of NAT64 users and zero DNSSEC, I
>disagree and suggest DNSSEC move to historic since it is a DDoS attack
>vector and provides no privacy element and generally weak crypto ... also it
>has caused many wide scale outages for networks that have elected to use
>it.

With 2.5 million DNSSEC-signed zones in just the .nl TLD (45% of all zones in
.nl) and Google's highly popular public resolvers performing DNSSEC validation,
it is also safe to say that millions of people use DNSSEC daily without
NAT64.

At least for me personally, I come across expired (or otherwise broken)
certificates a lot more often than domains that fail DNSSEC validation. 

As for weak crypto, I'm not aware of a single serious (published and executed)
attack on deployed DNSSEC.

So it seems that both operationally and from a security point of view,
DNSSEC is strictly better than TLS.

By and large, the DNSSEC problems (and the IPv4 literal problems) can be
solved by using 464xlat instead of DNS64. 

However, NAT64 is such a 'success' that at least one high profile content
provider had to rush to roll out IPv6 because the deployed NAT64 was
breaking their service.
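The DNS64 versus 464xlat point made above, as an added example that is not part of the original thread or of any deployed resolver: a DNS64 resolver answers a AAAA query with addresses it synthesizes from the zone's A records (RFC 6052 mapping into the NAT64 prefix), but it holds no zone key, so the synthesized RRset carries no valid signature and a validating client marks it bogus. With 464xlat the client validates the A RRset as published and the CLAT applies the same prefix mapping to packets, never to DNS data. The zone name, addresses and key are constructed; the well-known prefix 64:ff9b::/96 is real, and only /96 prefixes are handled. DNSSEC RRSIGs are public-key signatures; an HMAC keyed with a secret only the zone holds stands in for them here so the example runs on the standard library alone, which preserves the point being shown (a resolver cannot sign records it invents) but is not DNSSEC's actual algorithm.

```python
import hashlib
import hmac
import ipaddress

# RFC 6052 well-known NAT64 prefix; usable by both DNS64 and a 464xlat CLAT.
WKP = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed zone key. Stand-in for the zone's DNSSEC private key: only the
# zone owner has it, so only the zone owner can produce a verifying RRSIG.
ZONE_KEY = b"example.net zone signing key (constructed, not a real key)"


def canonical(name, rtype, rdata):
    """Canonical RRset form: lower-cased owner, type, sorted RDATA, one per line."""
    return "\n".join(f"{name.lower()} {rtype} {r}" for r in sorted(rdata)).encode()


def sign_rrset(name, rtype, rdata, key=ZONE_KEY):
    """Zone signer: signature (HMAC stand-in for RRSIG) over one whole RRset."""
    return hmac.new(key, canonical(name, rtype, rdata), hashlib.sha256).hexdigest()


def validate(name, rtype, rdata, rrsig, key=ZONE_KEY):
    """Validating resolver: 'secure' only if the signature covers exactly this RRset."""
    if rrsig is None:
        return "bogus"  # signed zone, answer arrived without a signature
    ok = hmac.compare_digest(sign_rrset(name, rtype, rdata, key), rrsig)
    return "secure" if ok else "bogus"


def rfc6052_embed(ipv4, prefix=WKP):
    """RFC 6052 mapping for a /96 prefix: IPv4 address in the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def rfc6052_extract(ipv6, prefix=WKP):
    """Reverse mapping done by the translator (PLAT) for packets it receives."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError(f"{ipv6} is not inside {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


def dns64_path(name, a_rdata):
    """DNS64: resolver fabricates AAAA records from the A RRset. It cannot sign
    them, so a validating stub behind it sees an unsigned RRset in a signed zone."""
    aaaa = [rfc6052_embed(ip) for ip in a_rdata]
    return aaaa, validate(name, "AAAA", aaaa, None)


def clat_path(name, a_rdata, rrsig_a):
    """464xlat: the stub validates the published A RRset, picks a destination,
    and the CLAT embeds that IPv4 address in the NAT64 prefix when translating
    the outgoing packet. No DNS record is changed, so validation succeeds."""
    status = validate(name, "A", a_rdata, rrsig_a)
    if status != "secure":
        return None, status
    return rfc6052_embed(sorted(a_rdata)[0]), status


if __name__ == "__main__":
    name = "www.example.net"
    a_rrset = ["192.0.2.10", "192.0.2.11"]  # constructed A records
    rrsig_a = sign_rrset(name, "A", a_rrset)

    print("signed A RRset:", validate(name, "A", a_rrset, rrsig_a))
    print("tampered A RRset:", validate(name, "A", ["192.0.2.10", "203.0.113.9"], rrsig_a))
    aaaa, status = dns64_path(name, a_rrset)
    print("DNS64 synthesized AAAA:", aaaa, "->", status)
    dst, status = clat_path(name, a_rrset, rrsig_a)
    print("464xlat packet destination:", dst, "after", status, "validation")
    print("PLAT recovers IPv4:", rfc6052_extract(dst))
```

Both paths end up sending packets to the same 64:ff9b::/96 address; the difference is where the mapping happens. DNS64 does it inside the DNS answer, which is exactly what DNSSEC is built to detect, while 464xlat does it in the data plane after validation has finished. The same mapping also carries IPv4 literals, which a DNS-only approach never sees.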