[dns-operations] DNSSEC deployment incentives

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Jun 18 00:17:12 UTC 2019

On Mon, Jun 17, 2019 at 11:42:15PM +0100, Jim Reid wrote:

> > What is the factor that stops them [Fortune 500] from signing their domains?
> Simple. There’s no compelling business justification or use case. If these
> existed, those zones would be signed. QED.

Times change.  The same could be said about IPv6, and the Fortune 500 are
not leaders in IPv6 adoption, and yet the world is starting inexorably to
move to IPv6.

> Maybe, but poisoning’s a problem for non-validating resolvers, not
> authoritative side signers. [...]  What’s in it for me? A DNSSEC
> geek could be persuaded to do The Right Thing here. I’m not
> so sure the CTO or CIO at a Fortune 500 company would be so easy to
> convince.

Well, a knowledgeable CSO might be aware the next MiTM victim may
well be a Certification Authority, say Let's Encrypt.  And that in
the absence of authenticated CAA records limiting certificate
issuance to just the CA with which you have an established relationship
(and new certificates issued via login to their portal, not some
weak DV "domain-control" proof) that authority might issue certs for
your domains to a BGP hijacker.

The CSO might then choose to have DNSSEC-validated CAA records, and
two-factor auth for DNS-management logins at the registrar, ... and
take whatever other steps are needed to harden their domains against
hostile takeover.
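The CAA check the message relies on, as an added example that is not part of the original post: a minimal RFC 8659 evaluator that decides whether a given CA may issue for a name, given the relevant CAA RRset and whether the resolver returned it DNSSEC-validated. The "refuse when not authenticated" rule and the sample records are assumptions for illustration, not any CA's actual policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) marks the property as issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org; validationmethods=dns-01" or ";"

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def issuer_domain(value: str) -> str:
    # RFC 8659 s4.2: the issuer domain precedes any ";"-separated parameters;
    # a bare ";" means no issuer is authorised.
    return value.split(";", 1)[0].strip().lower()

def issuance_allowed(records, ca, wildcard=False, authenticated=True):
    """Decide whether `ca` may issue for a name whose relevant CAA RRset is
    `records` (empty list = no CAA found up to the root). Returns (bool, str)."""
    if not authenticated:
        # Hypothetical cautious-CA policy: an RRset that did not validate
        # (no AD bit) is not trusted to permit issuance, because a spoofed
        # or hijacked answer could simply have dropped the restriction.
        return False, "CAA answer not DNSSEC-validated; refusing to rely on it"
    for r in records:
        if r.flags & 128 and r.tag.lower() not in KNOWN_TAGS:
            return False, f"unrecognised critical property {r.tag!r}"
    # For wildcard names issuewild governs when present, else issue does.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in records):
        tag = "issuewild"
    relevant = [r for r in records if r.tag.lower() == tag]
    if not relevant:
        return True, f"no {tag} property present: issuance unrestricted"
    allowed = {issuer_domain(r.value) for r in relevant} - {""}
    if ca.lower() in allowed:
        return True, f"{ca} listed in {tag}"
    return False, f"{ca} not in {tag} set {sorted(allowed) or '(none)'}"

# Constructed sample RRset: issuance pinned to one CA, no wildcards at all.
PINNED = [CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
          CAA(0, "issuewild", ";"),
          CAA(0, "iodef", "mailto:security@example.invalid")]

if __name__ == "__main__":
    for ca, wild, ad in [("letsencrypt.org", False, True),
                         ("other-ca.example", False, True),
                         ("letsencrypt.org", True, True),
                         ("letsencrypt.org", False, False)]:
        print(ca, wild, ad, issuance_allowed(PINNED, ca, wild, ad))
```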

