[dns-operations] NSEC3

Paul Vixie paul at vix.com
Tue Jun 27 00:42:59 UTC 2006

> > so here's my question ... "will you and/or your organization dedicate any
> > resources to DNSSEC-bis as it is?" ... alternatives are all equivilent ...
> I think it is fair to take the following into account when answering  that
> question.
> Anybody at the provisioning side of the DNS (authoritative servers) that do
> not have the same requirements as Nominum and Denic [1] or as Verisign [2],
> there is no need to wait for DNSSECter.

yes, actually, there is a reason to wait.  a compelling reason, that is.

> DNSSECter is designed to be backward compatible with DNSSECbis.  If people
> sign their zones today their zones will be verified by DNSSECter validators.

agreed.  but this doesn't matter, since there will not *be* any validators nor
applications nor signatures on the root zone or most TLD zones, until .COM is
signed.  using NSEC3 and opt-in.

so, yes, one could get a head start by signing one's zone today, with noplace
to send the ZSK except ISC (for DLV) or .SE (if you're in sweden).  but there
will likely be no market for DNSSECbis metadata, ever -- no consumers for it
and no suppliers and probably no datapath through the registrars.  until and
unless the world's most populous tld (.COM) and the root zone are both signed,
neither microsoft nor apple is likely to put a validator into their OS libs
or their web browsers.

so, put yourself in the average domainholder's position.  you can import the
tools and learn the skills for DNSSECbis, even knowing that some folks already
think that DNSSECter is "better" somehow (doesn't matter if they're right, it
only matters that verisign and nominet think this).  and knowing that there's
noplace to send your ZSK if you had one (other than ISC for DLV).  and knowing
that you'll be among a very small minority of signed zones, all of whom having
the same trouble with "where to send their ZSK?" and "are their any apps yet?"
that you're having.

and knowing that by the time DNSSEC is usable -- by .COM and .CO.UK and other
important places, that usability will have been caused by the issuance of a
new (and "better" according to some) standard (DNSSECter).

there's a compelling case to be made for hobbiests and other early adopters to
do this, but for anyone in business to make money, DNSSECbis seems "senseless"
in light of the eventual DNSSECter.

> People that deploy DNSSECbis validators, e.g. in recursive nameservers, will
> at the introduction of DNSSECter see DNSSECter zones as "unsecured" and will
> benefit of security in those zones only after upgrading their software.

again the "network effect" hits us.  because the immediate benefits are small
and the marginal utility of DNSSSECbis over DNSSECter is negative, there are
not likely to *be* very many correctly configured DNSSECbis validators.  ever.
not even DLV can save DNSSECbis from "total mindnumbing lack of motivation."

> In other words; the incremental costs for going from DNSSECbis to
> DNSSECter should be close to NULL at the authoritative server side.

we all know that, but we also know that DNSSECter will be "better" somehow, at
least according to verisign and nominet.  and we're all worried about how the
rest of the community will respond to that news, given how busy everybody is
and how small budgets are and that there are no apps yet that depend on or
work better in the presence of DNSSEC.  beyond DNS itself (anti-poison defense
in the form of secure delegation chains) that is... but that would depend on
*other*folks* installing the tools, learning the skills, and deploying, even
though we know that those "other folks" will not be able to send their keys to
their registrars and/or that their registrars won't be able to send their keys
to their registries and/or the registries won't be able to sign their zones
since the root zone isn't yet signed.

> At the 'client' side the incremental costs are mostly in understanding the
> DNSSECter technology (in order to do troubleshooting) and deploying new
> software.

new tools, new skills.  to most folks it'll be a do-over, since their existing
staff and tools will all have rotted/rolled by the time DNSSECter comes out.

> As for the answer to your question; Yes, NLnet Labs dedicates many resources
> into deploying DNSSEC-bis as is, not even in its own environment but also in
> support of others :-)...

that makes two of us, since ISC is also a heavy early adopter of this stuff.


i think i need to invert the sense of my question, since so far it's just
NLNetLabs and ISC who have answered positively.  "will you deploy DNSSECter?"

so far the only killer app for Secure DNS is "being able to sell to USGov
after 2007".  perhaps that will kick start other apps.

More information about the dns-operations mailing list