[ Was: Fundamental ANAME problems
  Dropped In-Reply-To:, to ensure a new thread. ]

On Fri, Nov 02, 2018 at 06:28:52PM +0100, Måns Nilsson wrote:

> > I'll defer to other people, but it seems to me that anything that depends on
> > recursive DNS servers being updated isn't a realistic solution.  We're still
> > waiting for DNSSEC, after all.
> 
> Be as pessimistic as you like, but in Sweden, more than 80% of the ISP
> resolvers validate. The DNS can change, at a sometimes glacial speed,
> but it does change.

I rather think that updates of DNSSEC-capable software are not the
bottleneck for DNSSEC.  The real bottleneck is disincentives to
signing in the form of difficult-to-use tools, and barriers to KSK
enrollment and rollover at registrars.

To move DNSSEC adoption higher, CDS/CDNSKEY/... need to be supported
by most registries and the signing and key rollover tooling needs
to become less brittle and more user-friendly.

Updates of ZSKs are still too manual.  For example, BIND's "auto-dnssec
maintain" should be able to automatically generate new ZSKs on the
master server from time to time, completely without user intervention.

If a zone's parent supports CDS, the same should be possible with
KSKs, but now the server would need to poll the parent zone
periodically to determine whether it can proceed with the key
rollover.  Regardless of CDS support, generating the new KSK and
incorporating it into the zone apex DNSKEY RRset should also be
something that the nameserver can handle internally.  It then
remains only for either CDS, or a manual action by the user to
upload the corresponding DS RRs, to complete the process.

Users *should not* have to run any manual key generation or key
rollover steps, unless they are sophisticated enough to want more
control.

All the magic incantations I have to invoke to keep my zone signed
and rotate keys periodically are, I expect, a big part of the reason
why many operators shy away from deployment.  With the relevant
bits automated, and a zone audit tool to report whether automated
re-signing is happening in a timely manner as expected, operating
a DNSSEC-signed zone can be no harder than operating one that is
not.  If more zones are signed, the resolvers will come along; they
often already are capable of doing validation, it just needs to be
turned on.

Yes, the ISP-provided CPE router/DNS resolvers will be the long
tail of the adoption curve...  But the ISPs first need to see that
a large fraction of zones are signed, and that those zones are
operating reliably, so that enabling validation is safe and useful.
This gets back to the incentives for the authoritative zones.

-- 
        Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
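As an added example, not part of Viktor's message or this thread: a minimal version of the zone audit check and the CDS/DS comparison described above. It parses RRSIG records in zone-file presentation format and reports whether automated re-signing is keeping up, and lists the keytags a child announces via CDS that the parent does not yet serve as DS, which is what a server polling its parent during a KSK rollover needs to know. All records, names and thresholds are constructed, not taken from a real zone.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real data), in the presentation format
# that a zone transfer or dig output would show.
SAMPLE_RRSIGS = """\
example.test. 3600 IN RRSIG SOA 13 2 3600 20181120000000 20181101000000 12345 example.test. c2ln
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20181105000000 20181010000000 54321 example.test. c2ln
www.example.test. 300 IN RRSIG A 13 3 300 20181102000000 20180920000000 12345 example.test. c2ln
"""
CHILD_CDS = """\
example.test. 3600 IN CDS 54321 13 2 0123abcd
example.test. 3600 IN CDS 12345 13 2 89efcdab
"""
PARENT_DS = "example.test. 86400 IN DS 12345 13 2 89EFCDAB"

def parse_time(stamp):
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034 presentation format)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return {"owner": f[0], "covers": f[4], "expiration": parse_time(f[8]),
            "inception": parse_time(f[9]), "keytag": int(f[10])}

def audit_rrsigs(text, now, min_headroom=timedelta(days=7), max_age=timedelta(days=30)):
    """Classify each RRSIG. A healthy auto-resigning zone never shows EXPIRED;
    EXPIRING or STALE means the signer is not re-signing on schedule."""
    report = []
    for line in text.strip().splitlines():
        sig = parse_rrsig(line)
        if sig["expiration"] <= now:
            status = "EXPIRED"
        elif sig["expiration"] - now < min_headroom:
            status = "EXPIRING"
        elif now - sig["inception"] > max_age:
            status = "STALE"
        else:
            status = "OK"
        report.append((sig["owner"], sig["covers"], status))
    return report

def parse_ds_like(text):
    """Parse CDS or DS records: owner TTL class type keytag alg digesttype digest."""
    return {(int(f[4]), int(f[5]), int(f[6]), f[7].lower())
            for f in (l.split() for l in text.strip().splitlines())}

def ds_missing_at_parent(child_cds, parent_ds):
    """Keytags in the child's CDS set not yet served as DS by the parent;
    an empty result means the KSK rollover can move on to retiring the old key."""
    return sorted(k[0] for k in parse_ds_like(child_cds) - parse_ds_like(parent_ds))
```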