[dns-operations] thoughts on DNSSEC

Vernon Schryver vjs at rhyolite.com
Wed Jul 18 16:30:12 UTC 2012

> From: Wes Hardaker <wjhns1 at hardakers.net>

> Are you aware of any registrars that are requiring "send mail" to get
> DNSSEC data changed?  All the ones I'm aware of are operating the same
> way they do for other data, such as glue/NS: web forms for putting in
> the data.  

That might depend on personal experience or perspective.  My personal
impression is that "send mail" and no DNSSEC support at all are
more common.

 - OpenSRS/Tucows and their resellers use the "send mail" answer.

 - I've the impression from this thread that Network Solutions
    offers "send mail."

 - https://www.icann.org/en/news/in-focus/dnssec/deployment does
    not mention eNom and I don't find anything about DNSSEC on
    http://www.enom.com/ including http://www.enom.com/domainsearch/faq.aspx?

If you believe those three data, they imply that no or "send mail"
DNSSEC support is common.

The web forms that exist are not necessarily robust.  I finally got
around to signing my old class-C these years after .arpa was signed,
and found that ARIN's DS parsing web form chokes on the de facto
standard blank near the end of the SHA256 digest in DS RRs.
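The whitespace inside a DS digest that the form above chokes on, as an added example that is not from the original post: a brittle four-field parser next to one that follows RFC 4034's rule that whitespace is allowed within the hex digest, with the sample DS record constructed here rather than taken from any real zone.

```python
import hashlib
import re

# Digest lengths in bytes from the DS digest-type registry:
# 1 = SHA-1, 2 = SHA-256, 3 = GOST R 34.11-94, 4 = SHA-384.
DS_DIGEST_LEN = {1: 20, 2: 32, 3: 32, 4: 48}

# Constructed sample, not a real key: a SHA-256 digest wrapped onto a second
# word, the way dig prints it and the way the form described above rejects it.
SAMPLE_DIGEST = hashlib.sha256(b"constructed sample, not a real key").hexdigest().upper()
SAMPLE_DS = f"12345 8 2 {SAMPLE_DIGEST[:56]} {SAMPLE_DIGEST[56:]}"

def naive_parse_ds(rdata: str) -> dict:
    """Brittle reading: exactly four fields, so the wrapped digest in SAMPLE_DS raises ValueError."""
    key_tag, algorithm, digest_type, digest_hex = rdata.split()
    return {"key_tag": int(key_tag), "algorithm": int(algorithm),
            "digest_type": int(digest_type), "digest": bytes.fromhex(digest_hex)}

def parse_ds(rdata: str) -> dict:
    """Parse DS RDATA '<key tag> <algorithm> <digest type> <hex digest>'.
    RFC 4034 section 5.3 allows whitespace inside the hex digest, so every
    field after the third is joined before the digest is validated."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("DS RDATA needs key tag, algorithm, digest type and digest")
    key_tag, algorithm, digest_type = (int(f) for f in fields[:3])
    if not 0 <= key_tag <= 0xFFFF:
        raise ValueError(f"key tag {key_tag} is not a 16-bit value")
    if not (0 <= algorithm <= 255 and 0 <= digest_type <= 255):
        raise ValueError("algorithm and digest type are 8-bit values")
    digest_hex = "".join(fields[3:])
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", digest_hex):
        raise ValueError("digest must be an even-length hex string")
    digest = bytes.fromhex(digest_hex)
    expected = DS_DIGEST_LEN.get(digest_type)
    if expected is not None and len(digest) != expected:
        raise ValueError(f"digest type {digest_type} needs {expected} bytes, got {len(digest)}")
    return {"key_tag": key_tag, "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}

def accepts(parser, rdata: str) -> bool:
    """True when parser accepts rdata, False when it raises ValueError."""
    try:
        parser(rdata)
    except ValueError:
        return False
    return True
```

The length check is what a DS-entry form should do after joining the digest: a SHA-256 type with 20 bytes of digest is a typo, while a blank inside 32 valid bytes is not.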


} From: Daniel Kalchev <daniel at digsys.bg>

} Obviously, e-mail authentication is not appropriate, as is any in-band 
} authentication as well.

It's not clear to me that e-mail authentication using something like
"Using Secure DNS to Associate Certificates with Domain Names For S/MIME"
is less secure than commercial PKI certificates.
Of course, if you've lost your key files, it might not work very well.
But in the future when (and if) your HTTP authentication also relies
on DNS (e.g. DANE), ...

} For example, while implementing DNSSEC back in 2007, we have made it 
} mandatory in the BG registry to use qualified electronic signatures in 
} order to manipulate DNSSEC.

What do you define as a qualified electronic signature?  What do you
do for key distribution?  HTTPS with commercial PKI is far better than
unauthenticated, trivially forged mail, but it's not exactly secure.

} About the only operation you can do without 
} it is "turn DNSSEC off" and for this to work you need other than e-mail 
} authentication.

Why should turning DNSSEC off be easier than adding or removing
DS RRs?  I understand that turning DNSSEC off is very useful in
emergencies, but it also sounds very useful to your adversaries.

What is your other-than-e-mail authentication?  Perhaps a telephone
call to an old WHOIS contact and a verbal exchange of passphrases?

In theory, mail management of DNSSEC could be better than standard DNS
web management pages.  You could exchange authenticators, and authenticated
mail to a robot could be as fast as a web page.  The trouble is that
in practice, "send mail" means "send mail to a reseller who will forward
it to the registrar within a day or two, where someone whose native
language isn't yours might eventually react as you intend."

} As for the lack of mass DNSSEC participation ...

Did you look at http://scoreboard.verisignlabs.com/count-trace.png
and http://scoreboard.verisignlabs.com/percent-trace.png ?
My intended point was the opposite.  If (big if) things continue as
they have been, DNSSEC deployment will be about as wise as "privacy
guard" in a couple years.  That would be a change as quick as anything
since the end of the NFSNet AUP.

Vernon Schryver    vjs at rhyolite.com
