On Fri, Nov 8, 2019 at 4:18 PM Stephen Farrell <[email protected]> wrote:
>
> > Hi Paul,
> >
> > On 08/11/2019 23:11, Paul Wouters wrote:
> >> I will also need to monitor the added load on the servers, although
> >> I don't expect it to be a problem.
> >
> > That's not an issue.
> >
> >> I realize that not everyone agrees with this level of
> >> caution/fear/lack-of-backbone (I am sure there are other
> >> descriptions people would prefer).
> >
> > It's far too late for that level of concern by you.
>
> It seems odd that you're telling someone what they
> ought not be worried about. Wouldn't it be better
> to be convincing that there's nothing to worry about?
> (E.g. via stats.)

I was curious as to whether there are any easy-to-find stats or other information on validation failures. (Short summary: not a lot, not detailed, mostly anecdotal or summary information.)

The closest thing to stats I could find was:
https://www.theregister.co.uk/2018/02/28/dutch_name_authority_dnssec_validation_errors_can_be_eliminated/

The relevant information was that "The rate of validation error is now 30 per million DNSSEC lookups." I'd say that is low enough to not worry.

More anecdotal stuff is at https://ianix.com/pub/dnssec-outages.html which lumps together information about TLD failures (now very rare), sites with failures (becoming increasingly uncommon and having smaller impact), and durations (typically a week or less on average, but again, this is anecdotal, not statistical).

My view is the pendulum is swinging in the other direction, i.e. that the next push needs to come (and will come) from the signing of domains rather than validating by resolvers, for leading aggregate DNSSEC uptake.

The support for DNSSEC signing in software, including management of automated unattended signing, has drastically improved, to the point where IMHO you would have to try to find software or operators that don't do things to facilitate reliable signing. YMMV, of course.

But, fear of rampant validation failures is entirely misplaced at this point. Enough validation is being done that such failures need to be considered the responsibility of the signers, not the validators. Sign, by all means, but expect that resolvers will validate, and take appropriate measures to monitor and alert on failures.

Brian
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
