[dns-operations] thoughts on DNSSEC

James M Galvin galvin at elistx.com
Thu Jul 19 16:03:22 UTC 2012

I have evolved to what I consider a more practical view of this issue 
over the years.  I'm certainly open to reconsideration but here's what 
I think today in one sentence: as a practical matter this is not a 
significant problem.

I absolutely believe we have a major gaping hole technically, so don't 
get me wrong.  We should absolutely be seeking better ways to get child 
key information in to the parent zone.  But that's a separate 

Here's my rationale for what I believe.

Consider the domain name market in an 80-20 split.  I assert that for 
80% of the market none of this will matter.  The 80% portion of the 
market gets bundled services - domain name, email, web hosting, dns, 
etc.  In that market their DNSSEC services will simply be provided and 
they will not know, care, or understand any of the problem you 
describe.  They will not know the difference between a web site failure 
or some kind of DNS failure and they won't care.  "Down" for 2 days: oh 
well.  They are going to get the same level of service for the DNS 
failures as they do for their web site failures and they deal with this 
just fine today.  DNSSEC does not change this business model or service.

We can have a discussion of whether or not DNSSEC should change the 
business model or service.  I happen to think it should.  I also think 
it will, in time, although I'm not going to try to predict it, except 
perhaps to talk about events that will show the change is in progress. 
But that's a separate discussion.

For the remaining 20% I'll assert that they are technically competent, 
which means if they have fat finger issues, well, we've all had those 
problems.  You get what you deserve and pay for.  What I mean is, these 
folks will either be doing their DNS themselves, because they can, or 
they will be using a third-party service provider.  In either case, 
with any luck they will be using a registrar with a higher level of 
service because they understand the risks and don't want the service 
interruption.  If they're not then they'll have a "mistake" and they'll 
change registrars because they will learn from their "mistake".

In other words, the probability of a problem for the 20% is much lower 
than the probability of a problem for the 80%.  And it is the problems 
in the 20% that will be most visible.  The problems in the 80% will 
happen but are unlikely to have a significant on anything in particular.

That's what I think.


-- On July 18, 2012 1:55:50 PM +0000 Vernon Schryver <vjs at rhyolite.com> 
wrote regarding [dns-operations] thoughts on DNSSEC --

> I've thought of a bigger, painfully obvious reason why "send mail to
> support" is an unacceptable answer from a registrar for DNSSEC.  If
> something happens that breaks DNSSEC validation, your entire domain
> will be hosed for the 48 or more hours (e.g. over a long weekend) that
> must be allowed for a mail support cycle.  If your registrar fat
> fingers your DS RRs or you lose your key pair in a disk crash, your
> domain is dead.  Given standard anti-spam checks valid envelope
> domain names, it is possible that you won't even be able to send mail to
> your registrar except from a free mail provider or other third party
> account, worsening the authentication and authorization concerns of
> changing keys by mail. Today you can fix broken glue or delegations
> in minutes, but "send mail to support for DNSSEC" sends you back to
> the bad old days decades ago when a misplaced invoice or broken
> authoritative servers would put you off the net for days.
> It might not be quite that bad if your web users and mail recipients
> are using old DNS resolvers.  But if they're using current code with
> defaults such as BIND's "dnssec-enable yes", "dnssec-validation yes",
> and "dnssec-accept-expired no", they'll get the nothing I get from
> http://www.dnssec-failed.com.
> A second thought is prompted by Verisign's DNSSEC Scoreboard
> http://scoreboard.verisignlabs.com/
> http://scoreboard.verisignlabs.com/count-trace.png
> http://scoreboard.verisignlabs.com/percent-trace.png
> Those suggest that a smaller than trivial number of com and net
> domains are currently signed, but that they've doubled in the last
> couple of months.  There are a lot of com domains, but a doubling
> time of 60 days wouldn't take long to make a big dent.
> Vernon Schryver    vjs at rhyolite.com
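The "fat-fingered DS" failure in the quoted message can be caught before validating resolvers see it, by comparing the DS set the parent publishes against the child's DNSKEY RRset. What follows is an added example, not code from this thread or from any of the posters: it implements the RFC 4034 key-tag and SHA-256 DS computations over constructed key material, and the owner name example.com and the key bytes are assumptions.

```python
# Added example (not from the mailing-list post): check that the DS RRs a
# parent publishes actually match a DNSKEY in the child zone (RFC 4034).
# A mismatch makes validating resolvers treat the whole zone as bogus,
# which is the outage described in the thread. All key material below is
# constructed, not a real key.
import hashlib
import struct

def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the value shown in DS and RRSIG records)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS record (key tag, algorithm, digest type, digest) for a DNSKEY.
    Digest type 2 is SHA-256 (RFC 4509): hash(owner wire || DNSKEY RDATA)."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (type 2) implemented in this example")
    digest = hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest()
    algorithm = rdata[3]
    return (key_tag(rdata), algorithm, digest_type, digest)

def ds_matches_dnskeys(owner: str, ds_set: list, dnskey_rdatas: list) -> bool:
    """True if at least one published DS matches a DNSKEY in the child zone.
    One good DS is enough for a secure chain of trust; none means the zone
    validates as bogus for every validating resolver."""
    return any(make_ds(owner, rd, ds[2]) == ds for ds in ds_set for rd in dnskey_rdatas)

# Constructed sample: a KSK (flags 257, algorithm 8) with a dummy public key.
KSK_RDATA = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
GOOD_DS = make_ds("example.com", KSK_RDATA)
# A DS whose digest was mistyped by one hex digit: the "fat finger" case.
BAD_DS = (GOOD_DS[0], GOOD_DS[1], GOOD_DS[2], ("f" if GOOD_DS[3][0] != "f" else "0") + GOOD_DS[3][1:])

if __name__ == "__main__":
    print("key tag:", key_tag(KSK_RDATA))
    print("parent DS ok:", ds_matches_dnskeys("example.com", [GOOD_DS], [KSK_RDATA]))
    print("mistyped DS ok:", ds_matches_dnskeys("example.com", [BAD_DS], [KSK_RDATA]))
```

In practice the two inputs come from live lookups (DS from the parent, DNSKEY from the child's authoritative servers), and an alert on a False result is the monitor that turns a multi-day registrar support cycle into a same-hour fix.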
