Re: [anti-abuse-wg] IS3C public consultation on an alternative narrative to deploy Internet standards

2024-03-11 Thread John Levine 
It appears that Michele Neylon - Blacknight via anti-abuse-wg 
 said:
>-=-=-=-=-=-
>-=-=-=-=-=-
>
>Serge
>
>Several ccTLD registries have given discounts for DNSSEC.
>
>What is unclear is how many of the domains with DNSSEC enabled are in active 
>use, so the lack of �problems� could be simply down to a complete lack of us / 
>ignorance that the technology was enabled.
>
>My main issue with focus on DNSSEC is that it is seen being a �good use� of 
>resources, so small registries who should invest in other things that are 
>fundamentally more important feel obliged to enable
>it. There�s also the entire �I�ve got DNSSEC so now my domain / site / service 
>is secure� belief. Much like people who think that smacking an SSL cert on 
>their site magically renders it secure.

It makes sense if you're likely to be a phish target or you're
sophisticated enough to use DANE. DNSSEC works pretty well for Comcast.

I agree that for random little private domains the benefit is marginal.

R's,
John

-- 

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] IS3C public consultation on an alternative narrative to deploy Internet standards

2024-03-11 Thread David Conrad via anti-abuse-wg 
Hi,

I've focused my comments specifically on the section entitled "The Alternative 
Narrative, a Call To Action for Leaders”.

While I understand the desire to encourage DNSSEC and RPKI deployment at the 
leadership level, however if you’’re targeting policy makers and C-levels, I 
would strongly encourage a balanced, honest approach, one that highlights both 
the benefits as well as risks. From experience, I believe focusing only on 
(alleged) benefits and stretching applicability (almost beyond recognition) can 
be quite counter-productive when the inevitable failures (e.g., 
https://ianix.com/pub/dnssec-outages.html, 
https://packetvis.com/blog/rpki-trust-anchor-malfunctions/) occur. 

FWIW.

Regards,
-drc
Partner/CTO, Layer 9 Technologies (layer9.tech )

> On Mar 11, 2024, at 2:58 AM, Wout de Natris  
> wrote:
> 
> Dear colleagues,
> 
> IGF DC IS3C invites you to participate in the consultation on positively 
> enhancing the deployment of two Internet standards: DNSSEC and RPKI. You are 
> invited to answer either of these questions: Do the arguments used to favor a 
> positive decision, convince you to order deployment within your organisation 
> or from your service provider? / Do they assist you to convince decision 
> takers in your organisation to invest in security by design? You are invited 
> to share your views and arguments with IS3C’s expert team and have been 
> granted commenting rights in this document to do so. The consultation runs 
> from 11 March to 12PM UTC, Friday 5 April 2024. Your contribution will be 
> taken into consideration when finalising the text before publication this 
> spring. Here is the link to the Google Doc:
> 
> https://docs.google.com/document/d/1YYq3ie9D03L1Z5ssgPbWKV5becUgNw0h7_fmm9xGWKs/edit?usp=sharing
>  
> 
>
> IS3C WG 8 work document 
> 
> docs.google.com 
> We hope to receive your views so we can present the most convincing arguments 
> to deploy DNSSEC, RPKI and all other security-related Internet standards and 
> ICT best practices. (FYI, this project is sponsored by ICANN and RIPE NCC.)
> 
> Kind regards,
> 
> Wout de Natris
> 
> IS3C: Making the Internet more secure and safer



signature.asc
Description: OpenPGP digital signature
-- 

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] IS3C public consultation on an alternative narrative to deploy Internet standards

2024-03-11 Thread Michele Neylon - Blacknight via anti-abuse-wg 
Serge

Several ccTLD registries have given discounts for DNSSEC.

What is unclear is how many of the domains with DNSSEC enabled are in active 
use, so the lack of “problems” could be simply down to a complete lack of us / 
ignorance that the technology was enabled.

My main issue with focus on DNSSEC is that it is seen being a “good use” of 
resources, so small registries who should invest in other things that are 
fundamentally more important feel obliged to enable it. There’s also the entire 
“I’ve got DNSSEC so now my domain / site / service is secure” belief. Much like 
people who think that smacking an SSL cert on their site magically renders it 
secure.

Regards

Michele


--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty 
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

I have sent this email at a time that is convenient for me. I do not expect you 
to respond to it outside of your usual working hours.


From: anti-abuse-wg  on behalf of Serge Droz 
via anti-abuse-wg 
Date: Monday, 11 March 2024 at 12:24
To: anti-abuse-wg@ripe.net 
Subject: Re: [anti-abuse-wg] IS3C public consultation on an alternative 
narrative to deploy Internet standards
[EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised 
sources.

> Pushing for DNSSEC adoption by financial services, government and other
> “enterprise” users makes a lot of sense, but pushing it for all domains
> is a terrible idea and has more negative impacts than positives.


Not if it's done properly, i.e. by the hosting providers. Should your
aunt or uncle do it? Probably not.

Since SWITCH gives registrars a discount if they sign, the number has
risen dramatically, without any problems:
https://www.nic.ch/de/statistics/dnssec/

Best
Serge

--
Dr. Serge Droz
Member, FIRST Board of Directors
https://www.first.org

--

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
-- 

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] Call For Agenda Items - RIPE88

2024-03-11 Thread Brian Nisbet 
And to be clear, you can​ present from Rome, but the meeting will definitely be 
in Kraków...

(Thank you to all of you who pointed out I'd changed one reference, but not the 
other!)

Brian

Brian Nisbet (he/him)
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
North Dock Two, 93-94 North Wall Quay, Dublin 1, D01 V8Y6
+35316609040 brian.nis...@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270

From: Brian Nisbet
Sent: Monday 11 March 2024 10:49
To: anti-abuse-wg@ripe.net 
Subject: Call For Agenda Items - RIPE88

Colleagues,

As we move further into spring in Europe, it is time to think about the agenda 
for our next WG meeting, at RIPE 88 in Kraków - https://ripe88.ripe.net/

Registration for the meeting, running from the 20th - 24th May, is open.

The Anti-Abuse WG will be meeting and Markus, Tobias and I would invite people 
to submit topics for discussion, policy proposals, presentations for general 
enlightenment and, of course, work items for the working group.

Speakers & presenters can either be present in Rome or reaching us live via the 
Internet!

The Anti-Abuse WG session will be taking place on the 21st of May at 16:00 CEST.

As always you can reach us at aa-wg-ch...@ripe.net

Thanks,

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet (he/him)
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
North Dock Two, 93-94 North Wall Quay, Dublin 1, D01 V8Y6
+35316609040 brian.nis...@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270
-- 

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] IS3C public consultation on an alternative narrative to deploy Internet standards

2024-03-11 Thread Serge Droz via anti-abuse-wg 




Pushing for DNSSEC adoption by financial services, government and other 
“enterprise” users makes a lot of sense, but pushing it for all domains 
is a terrible idea and has more negative impacts than positives.



Not if it's done properly, i.e. by the hosting providers. Should your 
aunt or uncle do it? Probably not.


Since SWITCH gives registrars a discount if they sign, the number has 
risen dramatically, without any problems: 
https://www.nic.ch/de/statistics/dnssec/


Best
Serge

--
Dr. Serge Droz
Member, FIRST Board of Directors
https://www.first.org

--

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] IS3C public consultation on an alternative narrative to deploy Internet standards

2024-03-11 Thread Michele Neylon - Blacknight via anti-abuse-wg 
They’re two very different things so asking about the two and pushing for them 
at the same time in my view is a bad idea.

RPKI is only going to be deployed by network operators and they *should* have 
the technical ability to do this and doing so is “good”

DNSSEC, on the other hand, is available for the many millions of domain names 
out there and is an incredibly brittle technology. A minor mistake with the 
deployment will literally kill the domain and all its services.

Pushing for DNSSEC adoption by financial services, government and other 
“enterprise” users makes a lot of sense, but pushing it for all domains is a 
terrible idea and has more negative impacts than positives.

Regards

Michele, who has consistently disliked how much time energy and money is pushed 
into DNSSEC while so many other things aren’t resourced


--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty 
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

I have sent this email at a time that is convenient for me. I do not expect you 
to respond to it outside of your usual working hours.


From: anti-abuse-wg  on behalf of Wout de 
Natris 
Date: Monday, 11 March 2024 at 10:01
To: anti-abuse-wg@ripe.net 
Subject: [anti-abuse-wg] IS3C public consultation on an alternative narrative 
to deploy Internet standards

[EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised 
sources.
Dear colleagues,


IGF DC IS3C invites you to participate in the consultation on positively 
enhancing the deployment of two Internet standards: DNSSEC and RPKI. You are 
invited to answer either of these questions: Do the arguments used to favor a 
positive decision, convince you to order deployment within your organisation or 
from your service provider? / Do they assist you to convince decision takers in 
your organisation to invest in security by design? You are invited to share 
your views and arguments with IS3C’s expert team and have been granted 
commenting rights in this document to do so. The consultation runs from 11 
March to 12PM UTC, Friday 5 April 2024. Your contribution will be taken into 
consideration when finalising the text before publication this spring. Here is 
the link to the Google Doc:


https://docs.google.com/document/d/1YYq3ie9D03L1Z5ssgPbWKV5becUgNw0h7_fmm9xGWKs/edit?usp=sharing
[https://lh7-us.googleusercontent.com/docs/AHkbwyKX2Kk3Ln5vVsuCkXG99FKVph_OJAKVycHnHbNDtU3ypxvkIuZHkBdUoYgSyF8Q-44HL6Bfq8eDGZeMKI2Jyf-_6xgR24RTvX5QEmO69ZSTpnE=w1200-h630-p]
IS3C WG 8 work 
document
docs.google.com
We hope to receive your views so we can present the most convincing arguments 
to deploy DNSSEC, RPKI and all other security-related Internet standards and 
ICT best practices. (FYI, this project is sponsored by ICANN and RIPE NCC.)

Kind regards,

Wout de Natris

IS3C: Making the Internet more secure and safer

-- 

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

[anti-abuse-wg] Call For Agenda Items - RIPE88

2024-03-11 Thread Brian Nisbet 
Colleagues,

As we move further into spring in Europe, it is time to think about the agenda 
for our next WG meeting, at RIPE 88 in Kraków - https://ripe88.ripe.net/

Registration for the meeting, running from the 20th - 24th May, is open.

The Anti-Abuse WG will be meeting and Markus, Tobias and I would invite people 
to submit topics for discussion, policy proposals, presentations for general 
enlightenment and, of course, work items for the working group.

Speakers & presenters can either be present in Rome or reaching us live via the 
Internet!

The Anti-Abuse WG session will be taking place on the 21st of May at 16:00 CEST.

As always you can reach us at aa-wg-ch...@ripe.net

Thanks,

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet (he/him)
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
North Dock Two, 93-94 North Wall Quay, Dublin 1, D01 V8Y6
+35316609040 brian.nis...@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270
-- 

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

[anti-abuse-wg] IS3C public consultation on an alternative narrative to deploy Internet standards

2024-03-11 Thread Wout de Natris 
Dear colleagues,


IGF DC IS3C invites you to participate in the consultation on positively 
enhancing the deployment of two Internet standards: DNSSEC and RPKI. You are 
invited to answer either of these questions: Do the arguments used to favor a 
positive decision, convince you to order deployment within your organisation or 
from your service provider? / Do they assist you to convince decision takers in 
your organisation to invest in security by design? You are invited to share 
your views and arguments with IS3C’s expert team and have been granted 
commenting rights in this document to do so. The consultation runs from 11 
March to 12PM UTC, Friday 5 April 2024. Your contribution will be taken into 
consideration when finalising the text before publication this spring. Here is 
the link to the Google Doc:


https://docs.google.com/document/d/1YYq3ie9D03L1Z5ssgPbWKV5becUgNw0h7_fmm9xGWKs/edit?usp=sharing

[https://lh7-us.googleusercontent.com/docs/AHkbwyKX2Kk3Ln5vVsuCkXG99FKVph_OJAKVycHnHbNDtU3ypxvkIuZHkBdUoYgSyF8Q-44HL6Bfq8eDGZeMKI2Jyf-_6xgR24RTvX5QEmO69ZSTpnE=w1200-h630-p]
IS3C WG 8 work 
document
docs.google.com
We hope to receive your views so we can present the most convincing arguments 
to deploy DNSSEC, RPKI and all other security-related Internet standards and 
ICT best practices. (FYI, this project is sponsored by ICANN and RIPE NCC.)

Kind regards,

Wout de Natris

IS3C: Making the Internet more secure and safer


-- 

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg