[dns-operations] DNSSEC deployment incentives

Jothan Frakes jothan at gmail.com
Tue Jun 18 00:48:22 UTC 2019


On Mon, Jun 17, 2019 at 3:48 PM Jim Reid <jim at rfc1035.com> wrote:

> On 17 Jun 2019, at 22:41, Mukund Sivaraman <muks at mukund.org> wrote:
> >
> > What is the factor that stops them [Fortune 500] from signing their
> domains?
>
> Simple. There’s no compelling business justification or use case. If these
> existed, those zones would be signed. QED.
>
>
Maybe building upon Jim's wisdom... my personal opinion is that the
benefits of DNSSEC are completely opaque to the user.

Most IT departments are painfully optimized for time and staffing, so the
increased LoE per zone is a factor that is dragging the adoption.

These in harmony are a large contributor.

Also, there's a pain vs gain factor that is present with the
deployment of DNSSEC - the technology does not provide much visual
indication that it is present (or not).  SSL certificates have
a visual indication in the browsers' location bar to highlight that https
vs http is happening.

IF there were some visual indications to the user that DNSSEC is in effect,
it would go a long way to creating a more visual imperative.

Something along the lines of the key one sees in the browser on https, but
for resolutions, would help them understand all the layers of trust and
encryption involved in a DNSSEC signed resolution vs one which is unsigned,
and it would probably drive adoption harder.

This is not easy to do because for many websites, there can be dozens of
domains involved in the painting of a page or the loading of a mobile app.
Fonts, JS libs, CSS, pixel trackers, ads, web3 blockchain stuff
(*cough*), CDN - before you know it there are a heck of a lot of DNS
resolutions to factor into what you'd show the user, in a way that is a
clean UX.

The C-Suite would be more inclined to fund projects that they can wrap
their heads around in a manner like this.  Otherwise we tech-folk are just
speaking "beep-boop" techie lingo to them in an attempt to justify spending
on new gizmos when we mention DNSSEC.

DNS just quietly runs and does its delivery _stuff_ without much attention
except for 404 errors for most folks.  DNS is not unlike plumbing or
electricity in homes - people just know when it is broken, otherwise, not
much attention to the details of it.

-J