[dns-operations] thoughts on DNSSEC
James M Galvin
galvin at elistx.com
Thu Jul 19 16:03:22 UTC 2012
I have evolved to what I consider a more practical view of this issue
over the years. I'm certainly open to reconsideration but here's what
I think today in one sentence: as a practical matter this is not a
significant problem.
I absolutely believe we have a major gaping hole technically, so don't
get me wrong. We should absolutely be seeking better ways to get child
key information in to the parent zone. But that's a separate
discussion.
Here's my rationale for what I believe.
Consider the domain name market in an 80-20 split. I assert that for
80% of the market none of this will matter. The 80% portion of the
market gets bundled services - domain name, email, web hosting, dns,
etc. In that market their DNSSEC services will simply be provided and
they will not know, care, or understand any of the problem you
describe. They will not know the difference between a web site failure
or some kind of DNS failure and they won't care. "Down" for 2 days: oh
well. They are going to get the same level of service for the DNS
failures as they do for their web site failures and they deal with this
just fine today. DNSSEC does not change this business model or service.
We can have a discussion of whether or not DNSSEC should change the
business model or service. I happen to think it should. I also think
it will, in time, although I'm not going to try to predict it, except
perhaps to talk about events that will show the change is in progress.
But that's a separate discussion.
For the remaining 20% I'll assert that they are technically competent,
which means if they have fat finger issues, well, we've all had those
problems. You get what you deserve and pay for. What I mean is, these
folks will either be doing their DNS themselves, because they can, or
they will be using a third-party service provider. In either case,
with any luck they will be using a registrar with a higher level of
service because they understand the risks and don't want the service
interruption. If they're not then they'll have a "mistake" and they'll
change registrars because they will learn from their "mistake".
In other words, the probability of a problem for the 20% is much lower
than the probability of a problem for the 80%. And it is the problems
in the 20% that will be most visible. The problems in the 80% will
happen but are unlikely to have a significant on anything in particular.
That's what I think.
Jim
-- On July 18, 2012 1:55:50 PM +0000 Vernon Schryver <vjs at rhyolite.com>
wrote regarding [dns-operations] thoughts on DNSSEC --
> I've throught of a bigger, painfully obvious reason why "send mail to
> support" is an unacceptable answer from a registrar for DNSSEC. If
> something happens that breaks DNSSEC validation, your entire domain
> will be hosed for the 48 or more hours (e.g. over a long weekend) that
> must be allowed for a mail support cycle. If your registrar fat
> fingers your DS RRs or you lose your key pair in a disk crash, your
> domain is dead. Given standard anti-spam checks valid envelope
> domain names, it is possible that you won't even be able send mail to
> your registrar except from a free mail provider or other third party
> account, worsening the authentication and authorization concerns of
> changing keys by mail. Today you can fix broken glue or delegations
> in minutes, but "send mail to support for DNSSEC" sends you back to
> the bad old days decades ago when a misplaced invoice or broken
> authoritative servers would put you off the net for days.
>
> It might not be quite that bad if your web users and mail recipients
> are using old DNS resolvers. But if they're using current code with
> defaults such as BIND's "dnssec-enable yes", "dnssec-validation yes",
> and "dnssec-accept-expired no", they'll get the nothing I get from
> http://www.dnssec-failed.com.
>
>
> A second thought is prompted by Verisign's DNSSEC Scoreboard
> http://scoreboard.verisignlabs.com/
> http://scoreboard.verisignlabs.com/count-trace.png
> http://scoreboard.verisignlabs.com/percent-trace.png
> Those suggest that a smaller than trivial number of com and net
> domains are current signed, but that they've doubled in the last
> couple of months. There are a lot of com domains, but a doubling
> time of 60 days wouldn't take long to make a big dent.
>
>
> Vernon Schryver vjs at rhyolite.com
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
More information about the dns-operations
mailing list