On Sat, Feb 13, 2016 at 10:40:44AM -0800, Dave Crocker wrote:
> On 2/13/2016 2:42 AM, Patrik Fältström wrote:
> >On 13 Feb 2016, at 5:35, Viktor Dukhovni wrote:
> >
> >>Yes, I understand that DNSSEC is at present and may indefinitely remain too
> >>high a bar.
> >
> >It is too high a bar just because this is repeated over and over again. Not
> >because it really is.
>
>
> Please explain. The continuing lack of widespread adoption is only due to
> what? The fact that people keep saying it's too hard? It would be easy if
> only they would realize it?
>
> When a market is glacially slow to adopt something, it does not help much to
> blame the market.
Indeed, the incentives have not yet been sufficient, and might
never become sufficiently compelling. There needs to be more
value and fewer disincentives.

I'm working on the value part by adding DANE support to Postfix
and OpenSSL, and contributing to DANE support in Exim. At some
point I'll look at additional open-source TLS toolkits beyond
OpenSSL.

I've also worked with a number of DNS providers to fix their stacks,
so that TLSA record lookups don't routinely fail. The impedance
is much lower now than it was in 2014. The only remaining significant
clusters of problems are at mail.mil and isphuset.no.
I have tickets open with both, but progress if any is glacial.

Adoption of DANE TLSA for email is still low, but growing. At the
MAAWG conference in October I could report ~6k domains with 24
"large enough" to also be listed in Google's email transparency
report. Today it is ~11k domains, with 32 listed in Google's email
transparency report.

The DANE specs were released with no meaningful running code in
sight, and the browsers as the aspirational initial target market.
For various reasons the browsers did not turn out to be
a good fit at the time. So what we're seeing is a much slower
ramp-up in more niche technology segments, with the protocol not
yet widely supported in toolkits. So it is too early to expect
broad adoption.

As for DNSSEC, I've surveyed around 4.6 million (zone-apex) domains;
of these, 110k have DNSSEC for both the domain and at least one
best preference MX host. So it looks like:

domains : dnssec : dane ~ 400 : 10 : 1

Another data-point is that among the "large enough" domains (listed
in Google's email transparency report at some point in the last
couple of years) I have:

domains : dnssec : dane ~ 70000 : 700 : 32

so here DNSSEC adoption is ~1% rather than ~2.5%, and dane adoption
among DANE-capable domains is 1:20 rather than 1:10.

If this were steady-state, we should give up. For now, there's
some room for optimism. And yes, I agree with you about not blaming
the market. If we want a different result, work is required to
change the incentives.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane