[dns-operations] DNSSEC deployment incentives

Jim Reid jim at rfc1035.com
Mon Jun 17 22:42:15 UTC 2019

On 17 Jun 2019, at 22:41, Mukund Sivaraman <muks at mukund.org> wrote:
> What is the factor that stops them [Fortune 500] from signing their domains?

Simple. There’s no compelling business justification or use case. If these existed, those zones would be signed. QED.

Most of the time signers get no benefit from signing, only those validating. Signing introduces more complexity, more costs, more overheads and more risks. There are no obvious benefits from introducing these extra moving parts - just more ways for things to break. And break badly.

Things are not much better on the validation side. Though their risks can be mitigated somewhat with ugly configuration hacks to return possibly bogus answers after validation has failed.

> I suspect many zone operators consider the risk of the services on that name not being available due to operational mistakes/implementation bugs, vs. the risk of poisoning attacks.

There are other factors: lack of a killer app to drive demand, clunky signing tools, key management/rollover is hard, the parent-child DS choreography is difficult to get right, DNSSEC skills are rare and expensive, etc.

> Maybe, fast-forward a few years, if poisoning grows to affect a significant amount of their users/traffic, perhaps they'll move.

Maybe. But poisoning’s a problem for non-validating resolvers, not authoritative side signers. Why should I sign my zone to help some ISP I’ve never heard of that has suffered a poisoning attack? What’s in it for me? A DNSSEC geek could be persuaded to do The Right Thing here. I’m not so sure the CTO or CIO at a Fortune 500 company would be so easy to convince.

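The "parent-child DS choreography" mentioned in the post fails in two directions: the parent still publishes a DS for a KSK the child has already retired (the zone goes bogus for every validator), or the child pre-publishes a new KSK that the parent has no DS for yet (harmless, but it must not become the only key). The script below is an added example, not from this thread or any DNS software: it implements the RFC 4034 key tag (Appendix B) and DS digest (section 5.1.4) from scratch and compares a parent DS set against a child DNSKEY set. All key material and the `example.com.` zone name are constructed; the helper names (`check_delegation`, `make_ds`, and so on) are this example's own.

```python
"""Check that a parent's DS RRset still matches the child's DNSKEY RRset.

Added example for the dns-operations thread on DNSSEC deployment; not code from
the list or from any resolver/signer. All keys below are constructed test data.
"""
import base64
import hashlib
import struct

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
SEP_FLAG = 0x0001  # DNSKEY "Secure Entry Point" bit, set on KSKs


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey(presentation: str) -> bytes:
    """Parse zone-file RDATA 'flags protocol algorithm base64...' into wire RDATA."""
    flags, proto, alg, *b64 = presentation.split()
    return dnskey_rdata(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))


def parse_ds(presentation: str) -> tuple:
    """Parse zone-file DS RDATA 'keytag algorithm digesttype hexdigest...'."""
    tag, alg, dtype, *hexdigest = presentation.split()
    return (int(tag), int(alg), int(dtype), "".join(hexdigest).upper())


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """RFC 4034 5.1.4: digest = H(canonical owner name | DNSKEY RDATA), upper-case hex."""
    h = DIGEST_ALGS[digest_type]()
    h.update(owner_wire(owner) + rdata)
    return h.hexdigest().upper()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """The DS tuple (key tag, algorithm, digest type, digest) the parent should publish."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def check_delegation(owner: str, parent_ds: list, child_dnskeys: list) -> dict:
    """Compare the DS set at the parent with the DNSKEY set served by the child.

    matched      DS records that correspond to a currently published DNSKEY
    stale_ds     DS records matching no DNSKEY (old KSK withdrawn before the DS was)
    unlinked_ksk SEP-flagged DNSKEY key tags that have no DS yet (new KSK pre-published)
    secure       True iff at least one DS matches; that is all a validator needs
    """
    matched, stale, linked_tags = [], [], set()
    for ds in parent_ds:
        tag, alg, dtype, digest = ds
        hit = False
        for rdata in child_dnskeys:
            if (key_tag(rdata) == tag and rdata[3] == alg
                    and dtype in DIGEST_ALGS
                    and ds_digest(owner, rdata, dtype) == digest.upper()):
                hit = True
                linked_tags.add(tag)
        (matched if hit else stale).append(ds)
    unlinked = [key_tag(r) for r in child_dnskeys
                if struct.unpack("!H", r[:2])[0] & SEP_FLAG and key_tag(r) not in linked_tags]
    return {"matched": matched, "stale_ds": stale, "unlinked_ksk": unlinked,
            "secure": bool(matched)}


if __name__ == "__main__":
    # Constructed data: a tiny "KSK" (public key bytes are not a real RSA key).
    zone = "example.com."
    old_ksk = parse_dnskey("257 3 8 AAE=")
    new_ksk = dnskey_rdata(257, 3, 8, bytes(range(16)))
    parent = [make_ds(zone, old_ksk)]
    # Mid-rollover: new KSK published, parent DS not updated yet. Still secure.
    print(check_delegation(zone, parent, [old_ksk, new_ksk]))
    # Old KSK removed before the parent DS was replaced: the zone goes bogus.
    print(check_delegation(zone, parent, [new_ksk]))
```

Run it against real data by pasting the parent's DS RDATA into `parse_ds` and the child's DNSKEY RDATA into `parse_dnskey`; a `secure: False` result is exactly the outage the post warns about, and a non-empty `unlinked_ksk` is the state a rollover should sit in only until the parent's DS has propagated.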