On 27-Aug-14 20:35, Doug Barton wrote: > On 8/27/14 3:03 PM, Timothe Litt wrote: >> So you really meant that validating resolvers should only consult DLV if >> their administrator knows that users are looking-up names that are in >> the DLV? That's how I read your advice. > > You're correct. > >> I don't see how that can work; hence we'll disagree. I think the only >> viable strategy for*resolvers* is to consult the DLV - as long as it >> exists. > > So that leads to a Catch-22, as ISC has stated that they will continue > to provide the DLV as long as it is used. You're saying that people > should continue to consult it as long as it exists. > > Now that the root is signed the traditional argument against continued > indiscriminate use of the DLV is that it makes it easier for > registries, service providers, etc. to give DNSSEC a low priority. > "You don't need me to provide DNSSEC for you, you can use the DLV." > Based on my experience I think there is a lot of validity to that > argument, although I personally don't think it's persuasive on its own. > I don't want to see indiscriminate use of the DLV. See below. > While I appreciate the tone of reasoned discourse in the message I'm > responding to, what you have done is provide additional details to > support your thesis that changing providers is hard. I'm not arguing > the contrary position, so we can agree to agree on that. What you > haven't done is provide any evidence to refute my thesis that "It's > hard" != "It's impossible." I'll even go so far as to agree with you > that in some cases it's really, really hard. > For me, it's impossible. I've stated why. I am a very small player - I run a network for my extended (multi-state) family, and some free services for a few hundred former colleagues. I considered the options that you suggested - they are not practical, affordable or both. No ISP in my geography will provide DNSSEC for reverse DNS. I have asked (in dnssec-deployment) for help in pressuring the ISPs to solve this problem. Comcast (which is not in my geography) has acknowledged the issue, and has "had it on their list" for several years. None of the others have gone even that far.
> What that leaves us with is your position (which I will state in an > admittedly uncharitable way), "Some of us would like to have the > benefits of protecting our authoritative data with DNSSEC without > having to endure the cost and inconvenience of migrating our resources > to providers that support it. Therefore the entire Internet should use > the DLV." In contrast, my position is that people and/or organizations > which need the protection of DNSSEC should vote with their feet. In > this way providers that offer DNSSEC will be rewarded, and those that > do not will be punished. I would vote with my feet if I could. I can't. The problem with your market driven approach is that ISPs are largely unregulated monopolies. At least, for those of us who are based in residences/small businesses. I'm fortunate to have 2 cables pass my house - fiber and cable TV. Only the fiber provider has enough outbound bandwidth for site-site backup, which I get for $<low 3 figures>/mo. The cable TV-based provider says 'yes since you have business class service (static IPs), we will provide a fiber to your premises. First, there's the engineering study for $<5 figures>, then a construction fee, then %<4 figures>/month...unless you want serious bandwidth, in whch case it's more." So there's no competition. Neither cares about DNSSEC. Neither is required to care by regulation, RFC, ICANN/IANA or organized community pressure. The answer is different when you're an enterprise with a large budget. I've been there. "Let us consolidate your voice & data networks; sure, we'll eat the engineering costs of switching you to a few OC-48 fibers; saves us money maintaining all those copper wires. You want a couple of dark fibers, and a couple of hundred PI IP addresses routed - no problem. Switch your phone system to VoIP too? Oh, you got a quote from them, including running new fiber from the highway to your plant for free? Let me re-work our numbers. Can we shine your shoes?" When you pay several $100K/mo for bandwidth per site, it's amazing how responsive vendors can be. So your approach works for some, according to the golden rule (she who has the gold, makes the rules.) > Completely aside from what I believe to be the absurdity of your > argument, the position I suggest will almost certainly result in > market forces which encourage the deployment of DNSSEC. At bare > minimum it has the moral value of rewarding providers who have done > the right thing. > I don't think it's absurd to note that people in my position - and there are a lot of us - are forced to use DLV for some cases. The most prominent is reverse DNS. We *can't* switch providers. We *can't* get IP addresses from other sources (and get them routed) without literally going bankrupt. Since no one can predict what names a validating resolver will be asked for, resolvers should check DLV. That rewards those of us who sign our domains any way we can. That's separate from "when should DLV be used". Before the root was signed, I used DLV for my forward domains. As my TLDs were signed, I asked my registrars to accept my DS records; switched registrars (and told them why) when they did not. So I did my (small) part by using the market where I could. I want only the minimum number of entries in the DLV, and I want the requirements for those entries to go away. The registry agreements for the new TLDs all require DNSSEC support; that's a good thing. That we can't get the same for in-addr.arpa, ip6.arpa is frustrating. I'm also on record saying that it would be reasonable for ISC to ask those with DLV entries that can also be reached thru a trusted path from the root to consider removing them. (I don't say force removal, because there are some rare circumstances where DLV is used to override a bogus root path.) So I'm in favor of pressure to reduce DLV entries to the bare minimum. And I'm in favor of market pressure where possible, and community/regulatory pressure to eliminate the need for DLV entries. That's not an instant fix, but it's not catch-22. Eventually it ought to be possible to empty DLV. And after it's empty (or nearly so), it can go away. > I realize that it's unpopular to state some of these ideas in such a > direct way, and I hope no one is offended by one person's opinion. I > also realize that those who wish to receive the benefits of DNSSEC > without enduring the aforementioned costs will not like my argument. I > can't help you there. :) > Aside from the use of the word 'absurdity', I'm not offended. I am trying to educate. And while I recognize that I'm arguing pragmatism with a market purist, hopefully the OP (and others) will learn why some of us have a slightly different view of how to get to the end goal. And why my advice for resolvers is 'check DLV', while my advice for domain owners is 'take reasonable steps to stay/get out of DLV, but use it if you *must*'. We're actually not that far apart... > Doug
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
