[dns-operations] DNSSEC deployment incentives

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Jun 18 04:14:48 UTC 2019


On Mon, Jun 17, 2019 at 09:56:41PM -0600, Dave Warren wrote:

> Same problem with validating. I've got a handful of domains where I 
> don't validate DNSSEC because we needed to resolve them while their 
> DNSSEC was broken and there is simply no incentive to review that list. 

Which is to say that the DNSSEC breakage work-arounds flag-day has
not happened yet.  And domains with broken DNSSEC are getting away
with cost-shifting onto their peers.  This will change as more
resolvers enable validation.  At some point it becomes impractical
to get all the resolvers to work around your problem, and it becomes
the responsibility of the broken domain to fix it.  As with many
other problems, once the technology is far enough along the adoption
curve.

> Cloudflare's forums are full of customers complaining about 1.1.1.1 not 
> resolving something and at least half the time it is DNSSEC related.

But Cloudflare and Google, and Quad9, ... are big enough to push
back, leaving the responsibility to fix the problem to the guilty
party.  And with more users using their resolvers, the externalities
start to go away.

If someone's domain has DNS breakage (DNSSEC or otherwise),
increasingly they will not be able to rely on everyone else to work
around it.  So another idea for the 2020 (or 2020+x for some other
small x) flag day is:

    * Everyone enables validation, with no exception lists.
    * The domains that are broken do the fixing.

If everyone is validating, problems are discovered and fixed more
quickly at the source.

-- 
	Viktor.
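As an added example (not part of the thread or of any resolver's own tooling), a small audit script that pulls the validation exception entries out of Unbound (`domain-insecure:`) and BIND (`validate-except`) configs, so the list the thread says nobody has an incentive to review can at least be enumerated and ticketed. The two config snippets are constructed samples.

```python
import re
from typing import Dict, List

# Constructed sample configs, not taken from any real resolver.
UNBOUND_CONF = """\
server:
    verbosity: 1
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # added while example.org's signatures were expired; never revisited
    domain-insecure: "example.org"
    domain-insecure: "broken.example"   # ticket 1234
"""

BIND_CONF = """\
options {
    dnssec-validation auto;
    // temporary, never removed
    validate-except { "example.net"; "legacy.example"; };
};
"""


def unbound_exceptions(conf: str) -> List[str]:
    """Domains listed with domain-insecure: in an Unbound config (comments stripped)."""
    found = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing # comments
        m = re.match(r'domain-insecure:\s*"?([^"\s]+)"?', line)
        if m:
            found.append(m.group(1).rstrip(".").lower())
    return found


def bind_exceptions(conf: str) -> List[str]:
    """Domains inside validate-except { ... }; blocks in a BIND named.conf."""
    text = re.sub(r"//.*|#.*", "", conf)  # drop // and # comments
    found = []
    for block in re.findall(r"validate-except\s*\{([^}]*)\}", text):
        found += [d.strip('" ').rstrip(".").lower()
                  for d in block.split(";") if d.strip()]
    return found


def review_list(sources: Dict[str, str]) -> List[str]:
    """Merge exceptions from named config texts into one sorted review list."""
    parsers = {"unbound": unbound_exceptions, "bind": bind_exceptions}
    merged = set()
    for kind, conf in sources.items():
        merged.update(parsers[kind](conf))
    return sorted(merged)


if __name__ == "__main__":
    for d in review_list({"unbound": UNBOUND_CONF, "bind": BIND_CONF}):
        print(f"{d}: validation bypassed; re-test and remove if it now validates")
```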