[ Was: Fundamental ANAME problems Dropped In-Reply-To:, to ensure a new thread. ]
On Fri, Nov 02, 2018 at 06:28:52PM +0100, Måns Nilsson wrote:

> > I'll defer to other people, but it seems to me that anything that depends on
> > recursive DNS servers being updated isn't a realistic solution. We're still
> > waiting for DNSSEC, after all.
>
> Be as pessimistic as you like, but in Sweden, more than 80% of the ISP
> resolvers validate. The DNS can change, at a sometimes glacial speed,
> but it does change.

I rather think that updates of DNSSEC-capable software are not the bottleneck for DNSSEC. The real bottleneck is disincentives to signing in the form of difficult-to-use tools, and barriers to KSK enrollment and rollover at registrars.

To move DNSSEC adoption higher, CDS/CDNSKEY/... need to be supported by most registries, and the signing and key rollover tooling needs to become less brittle and more user-friendly. Updates of ZSKs are still too manual. For example, BIND's "auto-dnssec maintain" should be able to automatically generate new ZSKs on the master server from time to time, completely without user intervention.

If a zone's parent supports CDS, the same should be possible with KSKs, but now the server would need to poll the parent zone periodically to determine whether it can proceed with the key rollover. Regardless of CDS support, generating the new KSK and incorporating it into the zone apex DNSKEY RRset should also be something that the nameserver can handle internally. It then remains only for either CDS, or a manual action by the user to upload the corresponding DS RRs, to complete the process.

Users *should not* have to run any manual key generation or key rollover steps, unless they are sophisticated enough to want more control. All the magic incantations I have to invoke to keep my zone signed and rotate keys periodically are, I expect, a big part of the reason why many operators shy away from deployment.
With the relevant bits automated, and a zone audit tool to report whether automated re-signing is happening in a timely manner as expected, operating a DNSSEC-signed zone can be no harder than operating one that is not. If more zones are signed, the resolvers will come along; they often already are capable of doing validation, it just needs to be turned on. Yes, the ISP-provided CPE router/DNS resolvers will be the long tail of the adoption curve... But the ISPs first need to see that a large fraction of zones are signed, and that those zones are operating reliably, so that enabling validation is safe and useful. This gets back to the incentives for the authoritative zones.

-- 
	Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
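The "zone audit tool" the post calls for, as an added example that is not part of the original message or of any software it mentions: it reads RRSIG records in zone-file presentation format and classifies each signature by remaining validity, so a monitoring job can flag that automated re-signing has stalled before signatures actually expire. The zone data and the audit timestamp are constructed, and the 7-day threshold is an assumed policy value.

```python
"""Audit RRSIG validity windows in a DNSSEC-signed zone (master-file format)."""
from datetime import datetime, timedelta, timezone

# Constructed sample zone fragment: four RRSIGs with different timing states.
# Signature data is a placeholder; only the RRSIG timing fields are audited.
SAMPLE_ZONE = """\
example.test. 3600 IN RRSIG SOA 13 2 3600 20181201000000 20181101000000 12345 example.test. c2lnMQ==
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20181105000000 20181006000000 54321 example.test. c2lnMg==
www.example.test. 300 IN RRSIG A 13 3 300 20181020000000 20180920000000 12345 example.test. c2lnMw==
mail.example.test. 300 IN RRSIG MX 13 3 300 20181210000000 20181110000000 12345 example.test. c2lnNA==
"""

# Constructed "current time" for the audit (UTC).
AUDIT_NOW = datetime(2018, 11, 2, 17, 28, 52, tzinfo=timezone.utc)

def parse_time(field):
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(zone_text):
    """Yield (owner, type_covered, key_tag, inception, expiration) for each RRSIG line."""
    for line in zone_text.splitlines():
        f = line.split()
        # owner ttl class RRSIG type alg labels orig-ttl expiration inception keytag signer sig
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        yield f[0], f[4], int(f[10]), parse_time(f[9]), parse_time(f[8])

def audit_rrsigs(zone_text, now, min_remaining=timedelta(days=7)):
    """Map (owner, type) -> (status, key_tag, expiration).

    'expiring' means the signer should already have replaced the signature
    under a policy that keeps at least min_remaining of validity in hand."""
    report = {}
    for owner, rtype, tag, inception, expiration in parse_rrsigs(zone_text):
        if now < inception:
            status = "not_yet_valid"      # clock skew or premature publication
        elif now >= expiration:
            status = "expired"            # validating resolvers now return SERVFAIL
        elif expiration - now < min_remaining:
            status = "expiring"           # re-signing is late but not yet fatal
        else:
            status = "ok"
        report[(owner, rtype)] = (status, tag, expiration)
    return report

def zone_resigning_ok(report):
    """True only if every audited signature is comfortably inside its window."""
    return all(status == "ok" for status, _, _ in report.values())

if __name__ == "__main__":
    for (owner, rtype), (status, tag, exp) in audit_rrsigs(SAMPLE_ZONE, AUDIT_NOW).items():
        print(f"{status:14s} {owner} {rtype} keytag={tag} expires={exp:%Y-%m-%d}")
```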