In message <20170816064855.GB16977@jurassic>, Mukund Sivaraman writes:
> On Wed, Aug 16, 2017 at 08:21:37AM +0200, Mikael Abrahamsson wrote:
> > On Wed, 16 Aug 2017, Mukund Sivaraman wrote:
> >
> > > 24 / 500 top domains (4.8%)
> > > 20548 / 1 million top domains (2.05%)
> > >
> > > (12 years after introduction of 403{3,4,5})
> >
> > https://stats.labs.apnic.net/dnssec/XE?o=cXAw1x1g1r1
> >
> > 20% of European users is behind a validating resolver, in some countries
> > it's 70% plus.
> >
> > So this is now happening, albeit at a not high enough pace. But at least
> > it's going in the right direction, and I do believe that there is enough
> > people behind validating resolvers that people can't mess up signing their
> > zone and push away blame on who needs to fix things.
> >
> > So at least there is benefit in signing your zone now, there wasn't as much
> > before when nobody was validating.
>
> The validating resolver is half of the system.
>
> DNSSEC is brittle. It has an all-or-nothing behavior (that's what it was
> designed for) that many businesses cannot afford to bank on if something
> were to go wrong. An administrative error or signer software bug on the
> authoritative side can take the whole zone down and every service with
> it (as DNS is at the head of network activity). Software is still not
> perfect, so I don't know how this can change - I see practical signer
> bugs still that take down the zone entirely. It's also still painfully
> inconvenient to update parent zones, that makes fixing mishaps
> difficult. The amount of damage that a break in DNSSEC validation chain
> could do is far greater than other implementations of crypto such as TLS
> where it is limited to a service.
>
> (Note that I'm not advocating against DNSSEC, as much as this email may
> sound so. The things I mention are practical issues that I see as an
> implementor.)
>
> A colleague says "If TLDs allowed UPDATE messages to be processed most
> of the issues with DNSSEC would go away. At the moment we have a whole
> series of kludges because people are scared of signed update messages."

And there is even an IANA-assigned SRV prefix to allow UPDATE messages
to be directed to a server other than those that are answering the
queries.  Apple was good enough to get it registered several years
ago.  SIG(0) and TSIG UPDATE messages are forwardable, so all the TLD
operator needs to do is redirect the messages to the appropriate
registrar, based on the records being updated, for processing, then
return the reply.

Named forwards both types of messages and returns the replies so
this is all technically possible.

>               Mukund

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
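The forwarding argument above rests on one property of TSIG: the MAC covers the whole UPDATE message plus the TSIG fields, and the Original ID field lets a verifier cope with an intermediary that rewrites the message ID, so a TLD server can relay the request byte-for-byte to a registrar and relay the answer back without being able to alter the update. The following is an added, stand-alone illustration written for this page (it is not code from the thread, from ISC or from BIND); it builds an RFC 2136 UPDATE, signs it with TSIG hmac-sha256 per RFC 8945 using only the Python standard library, and verifies it at the receiving end. The zone `example.`, the key name `update-key.example.`, the shared secret, the A record and the fixed clock value are all constructed for the example; SIG(0) is not implemented, and the parser handles only uncompressed names, which is all these constructed messages contain.

```python
"""DNS UPDATE (RFC 2136) signed and verified with TSIG hmac-sha256 (RFC 8945).
Added example for the thread above, not code from the page, ISC or BIND.
Every name, key and record here is constructed for illustration only."""
import hashlib
import hmac
import struct

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
ALG_NAME = "hmac-sha256."
KEY_NAME = "update-key.example."                 # constructed key name
SECRET = b"constructed-shared-secret-for-example"  # constructed, not a real credential

def name_to_wire(name):
    """Uncompressed wire form, lowercased (TSIG digests use canonical names)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def read_name(wire, pos):
    """Read an uncompressed name; returns (text, position after the name)."""
    labels = []
    while True:
        length = wire[pos]
        if length == 0:
            return ".".join(labels) + ".", pos + 1
        if length & 0xC0:
            raise ValueError("compressed names are not handled in this example")
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length

def build_update(msg_id, zone, adds):
    """UPDATE with one Zone entry, no prerequisites; adds = [(owner, rtype, ttl, rdata)] as IN."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(adds), 0)
    body = name_to_wire(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    for owner, rtype, ttl, rdata in adds:
        body += name_to_wire(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + body

def pack48(value):                                # TSIG "time signed" is a 48-bit field
    return struct.pack("!HI", value >> 32, value & 0xFFFFFFFF)

def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """TSIG fields that are covered by the MAC (name, class ANY, TTL 0, alg, time, fudge, ...)."""
    return (name_to_wire(keyname) + struct.pack("!HI", CLASS_ANY, 0) + name_to_wire(ALG_NAME)
            + pack48(time_signed) + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(msg, keyname, secret, time_signed, fudge=300):
    """Append a TSIG RR to an unsigned request and increment ARCOUNT."""
    mac = hmac.new(secret, msg + tsig_variables(keyname, time_signed, fudge), hashlib.sha256).digest()
    orig_id = struct.unpack("!H", msg[:2])[0]
    rdata = (name_to_wire(ALG_NAME) + pack48(time_signed) + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", orig_id, 0, 0))
    tsig_rr = name_to_wire(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr

def tsig_verify(wire, keyname, secret, now):
    """Return (ok, rcode_name): walk to the trailing TSIG RR, rebuild the message as it was
    when signed (ARCOUNT - 1, ID restored from Original ID), recompute the MAC, check the window."""
    zocount, prcount, upcount, arcount = struct.unpack("!HHHH", wire[4:12])
    if arcount == 0:
        return False, "no TSIG"
    pos = 12
    for _ in range(zocount):                      # zone entries: name + type + class
        _, pos = read_name(wire, pos)
        pos += 4
    for _ in range(prcount + upcount + arcount - 1):  # every RR except the trailing TSIG
        _, pos = read_name(wire, pos)
        pos += 10 + struct.unpack("!H", wire[pos + 8:pos + 10])[0]
    tsig_start = pos
    name, pos = read_name(wire, pos)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", wire[pos:pos + 10]); pos += 10
    if rtype != TYPE_TSIG or rclass != CLASS_ANY or name != keyname.lower():
        return False, "BADKEY"
    alg, pos = read_name(wire, pos)
    hi, lo = struct.unpack("!HI", wire[pos:pos + 6]); pos += 6
    fudge, mac_size = struct.unpack("!HH", wire[pos:pos + 4]); pos += 4
    mac = wire[pos:pos + mac_size]; pos += mac_size
    orig_id, error, other_len = struct.unpack("!HHH", wire[pos:pos + 6]); pos += 6
    other = wire[pos:pos + other_len]
    if alg != ALG_NAME:
        return False, "BADKEY"
    # A forwarder may rewrite the message ID; Original ID lets us restore the bytes that were signed.
    unsigned = (struct.pack("!H", orig_id) + wire[2:10] + struct.pack("!H", arcount - 1)
                + wire[12:tsig_start])
    expected = hmac.new(secret, unsigned + tsig_variables(name, (hi << 32) | lo, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    if abs(now - ((hi << 32) | lo)) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"

def demo():
    """Sign one UPDATE and show what a forwarding path may and may not change."""
    now = 1502866135                               # fixed clock so the run is reproducible
    update = build_update(0x1234, "example.", [("www.example.", TYPE_A, 3600, bytes([192, 0, 2, 10]))])
    signed = tsig_sign(update, KEY_NAME, SECRET, now)
    forwarded = struct.pack("!H", 0xBEEF) + signed[2:]              # relay rewrote the message ID
    tampered = signed.replace(bytes([192, 0, 2, 10]), bytes([192, 0, 2, 66]), 1)  # relay altered rdata
    return {
        "intact": tsig_verify(signed, KEY_NAME, SECRET, now),
        "id_rewritten": tsig_verify(forwarded, KEY_NAME, SECRET, now),
        "rdata_changed": tsig_verify(tampered, KEY_NAME, SECRET, now),
        "replayed_late": tsig_verify(signed, KEY_NAME, SECRET, now + 3600),
        "wrong_key": tsig_verify(signed, KEY_NAME, b"some-other-secret", now),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} -> {result}")
```

The `id_rewritten` case is the one that matters for the relay model in the message above: the TLD front end can replace the ID and still hand the registrar a verifiable request, while any change to the records being updated, a replay outside the fudge window, or a different key all fail verification at the registrar. In production the verifier would also bind the reply MAC to the request MAC and track the time window against a real clock; both are omitted here to keep the example to the signing and forwarding point.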
