[dns-operations] DNSSEC deployment incentives

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Jun 19 01:26:49 UTC 2019

On Tue, Jun 18, 2019 at 08:59:59PM -0400, Phillip Hallam-Baker wrote:

> There is no reason to think that DANE is going to deploy automatically
> simply by waiting longer. The DNS registrars have no interest in supporting
> the TLSA record using the tools they make available to the vast majority of
> their customers. They won't do that because it will take cash out of their
> pocket.

But Let's Encrypt de-monetized certificate issuance, so now that
obstacle is moot.

> And BTW: If we count trust roots the way that the EFF did, DNSSEC has a
> million trust roots (or however many zones are signed) not one. It was an
> utterly bogus comparison.

This is in turn a false analogy.

There are somewhere between 10 and 11 million signed zones, BUT
they cannot issue certificates for anybody else, just their own
domain and below.  If we're simply counting trusted keys, then every
one of the 4+ billion keys in the CT chain is a trusted EE key (for
its own name).

The number of *configured* trust-anchors is often just the root
key, but intramural corporate deployments can and should publish
internal trust-anchors for their own domains' internal DNS.

The trust-model supports delegation with built-in name constraints,
which is a natural fit for DNS, since that's all the certificates
are about.  If you don't trust your parent zone, don't register
there, they can take away your domain and assign it to someone else,
and whoever that is can then get a cert from a commercial CA.

So if we accept your analogy, the commercial CA ecosystem has 50
(if I correctly recall your number) fully trusted root issuers, and
then all the parent domains that can reassign your domain trusted
for just their scope, and then anybody with the right access to BGP
to hijack your address space...
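
An added example, not part of the thread, modelling the scoped trust Viktor describes: a toy Python validator in which a zone's key only vouches for names at or below its own apex, and only through an unbroken DS chain up to the single configured trust anchor, set beside the unscoped "any trusted root vouches for any name" check of the CA model. The zone names, key labels and hierarchy are constructed sample data, and `reassign` is a hypothetical helper showing a parent reassigning a delegation.

```python
from copy import deepcopy
from dataclasses import dataclass, field

ROOT = "."  # the root zone; its key is the only *configured* trust anchor here
@dataclass
class Zone:
    apex: str
    key: str                                # constructed stand-in for the zone's KSK
    ds: dict = field(default_factory=dict)  # child apex -> child key this zone vouches for

def parent_of(apex):
    labels = apex.rstrip(".").split(".")
    return ROOT if len(labels) == 1 else ".".join(labels[1:]) + "."
def enclosing_zone(name, zones):
    """Walk up the labels to the nearest apex that is actually a zone (ROOT always is)."""
    while name not in zones:
        name = parent_of(name)
    return name

def validate(name, claimed_key, zones, trust_anchor):
    """True iff `claimed_key` is the enclosing zone's key and each ancestor's DS vouches for its child."""
    apex = enclosing_zone(name, zones)
    if zones[apex].key != claimed_key:
        return False                        # a key from another zone is out of scope for this name
    cur = apex
    while cur != ROOT:
        parent = enclosing_zone(parent_of(cur), zones)
        if zones[parent].ds.get(cur) != zones[cur].key:
            return False                    # delegation missing, broken or withdrawn
        cur = parent
    return zones[ROOT].key == trust_anchor  # chain ends at the configured anchor

def ca_model_validate(name, issuer_key, trusted_roots):
    """The contrast drawn in the thread: any trusted CA root may vouch for any name."""
    return issuer_key in trusted_roots

def reassign(zones, child_apex, new_key):
    """Model the parent reassigning a delegation: new DS record, new holder's key."""
    z = deepcopy(zones)
    z[enclosing_zone(parent_of(child_apex), z)].ds[child_apex] = new_key
    z[child_apex] = Zone(child_apex, new_key, z[child_apex].ds)
    return z

# Constructed sample hierarchy: root -> org. -> example.org., plus an unrelated example.com.
ZONES = {
    ROOT: Zone(ROOT, "root-ksk", {"org.": "org-ksk", "example.com.": "excom-ksk"}),
    "org.": Zone("org.", "org-ksk", {"example.org.": "exorg-ksk"}),
    "example.org.": Zone("example.org.", "exorg-ksk"),
    "example.com.": Zone("example.com.", "excom-ksk"),
}
```

With this model the example.org key validates www.example.org but never www.example.com, whereas the same key treated as a CA root would pass for any name; after the parent reassigns the delegation, the old key stops validating and the new holder's key chains cleanly, which is the point about parents being trusted only for their own scope.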
