On Wed, Aug 16, 2017 at 08:21:37AM +0200, Mikael Abrahamsson wrote:
> On Wed, 16 Aug 2017, Mukund Sivaraman wrote:
> 
> > 24 / 500 top domains (4.8%)
> > 20548 / 1 million top domains (2.05%)
> > 
> > (12 years after introduction of 403{3,4,5})
> 
> https://stats.labs.apnic.net/dnssec/XE?o=cXAw1x1g1r1
> 
> 20% of European users are behind a validating resolver, in some countries
> it's 70% plus.
> 
> So this is now happening, albeit at a not high enough pace. But at least
> it's going in the right direction, and I do believe that there are enough
> people behind validating resolvers that people can't mess up signing their
> zone and push away blame on who needs to fix things.
> 
> So at least there is benefit in signing your zone now, there wasn't as much
> before when nobody was validating.

The validating resolver is half of the system.

DNSSEC is brittle. It has an all-or-nothing behavior (that's what it was
designed for) that many businesses cannot afford to bank on if something
were to go wrong. An administrative error or signer software bug on the
authoritative side can take the whole zone down and every service with
it (as DNS is at the head of network activity). Software is still not
perfect, so I don't know how this can change - I see practical signer
bugs still that take down the zone entirely. It's also still painfully
inconvenient to update parent zones, which makes fixing mishaps
difficult. The amount of damage that a break in the DNSSEC validation chain
could do is far greater than other implementations of crypto such as TLS
where it is limited to a service.

(Note that I'm not advocating against DNSSEC, as much as this email may
sound so. The things I mention are practical issues that I see as an
implementor.)

A colleague says "If TLDs allowed UPDATE messages to be processed most
of the issues with DNSSEC would go away. At the moment we have a whole
series of kludges because people are scared of signed update messages."

                Mukund
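The all-or-nothing failure Mukund describes (an expired or missing RRSIG taking the whole zone out for every validating resolver) is exactly what a pre-publication gate should catch. Below is an added example, not code from the thread or from any signer, of such a gate: it parses a constructed zone snippet with explicit TTL and class on every record (the layout a signer typically emits), then reports every RRset whose signature is expired, not yet valid, about to expire, signed by the wrong name, or absent. The zone name, key tag and signature blobs are placeholders.

```python
"""Pre-publication DNSSEC sanity check (added example, not from the thread).

Flags the conditions that make a validating resolver return SERVFAIL for
a signed zone: expired / not-yet-valid / soon-expiring RRSIGs, RRSIGs from
a signer other than the zone apex, and RRsets with no RRSIG at all.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Constructed sample zone. Names, key tag (12345) and the base64 signature
# field are placeholders; only the timestamps matter for this check.
SAMPLE_ZONE = """\
example.test.      3600 IN SOA   ns1.example.test. hostmaster.example.test. 2017081601 7200 3600 1209600 3600
example.test.      3600 IN RRSIG SOA 13 2 3600 20170830000000 20170816000000 12345 example.test. c2lnLXBsYWNlaG9sZGVy
example.test.      3600 IN NS    ns1.example.test.
example.test.      3600 IN RRSIG NS 13 2 3600 20170817120000 20170803120000 12345 example.test. c2lnLXBsYWNlaG9sZGVy
www.example.test.   300 IN A     192.0.2.10
www.example.test.   300 IN RRSIG A 13 3 300 20170810000000 20170727000000 12345 example.test. c2lnLXBsYWNlaG9sZGVy
mail.example.test.  300 IN A     192.0.2.25
"""

RRSIG_TIME_FORMAT = "%Y%m%d%H%M%S"  # YYYYMMDDHHmmSS, as used in RRSIG presentation format


def parse_timestamp(value: str) -> datetime:
    """Parse an RRSIG expiration/inception field as a UTC datetime."""
    return datetime.strptime(value, RRSIG_TIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_zone(zone_text: str) -> Tuple[Set[Tuple[str, str]], List[Dict], str]:
    """Return (rrsets, rrsigs, apex).

    rrsets: set of (owner, type) for every non-RRSIG record
    rrsigs: one dict per RRSIG with owner, covered type, validity window, signer
    apex:   owner of the SOA record (the name every RRSIG's signer must match)
    Assumes every line is "owner TTL class type rdata..." with no omitted fields.
    """
    rrsets: Set[Tuple[str, str]] = set()
    rrsigs: List[Dict] = []
    apex = ""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        owner, rtype = fields[0], fields[3]
        if rtype == "RRSIG":
            # RRSIG rdata: type-covered alg labels orig-ttl expiration inception keytag signer sig
            rrsigs.append({
                "owner": owner,
                "covered": fields[4],
                "expiration": parse_timestamp(fields[8]),
                "inception": parse_timestamp(fields[9]),
                "signer": fields[11],
            })
        else:
            if rtype == "SOA":
                apex = owner
            rrsets.add((owner, rtype))
    return rrsets, rrsigs, apex


def check_zone(zone_text: str, now: datetime,
               warn_before: timedelta = timedelta(days=3)) -> List[Tuple[str, str, str]]:
    """Return sorted (owner, type, problem) tuples; an empty list means safe to publish."""
    rrsets, rrsigs, apex = parse_zone(zone_text)
    problems: List[Tuple[str, str, str]] = []
    signed: Set[Tuple[str, str]] = set()
    for sig in rrsigs:
        key = (sig["owner"], sig["covered"])
        signed.add(key)
        if sig["signer"] != apex:
            problems.append(key + ("wrong-signer",))
        if now < sig["inception"]:
            problems.append(key + ("not-yet-valid",))      # clock skew / future inception
        elif now >= sig["expiration"]:
            problems.append(key + ("expired",))            # resolvers already SERVFAIL
        elif sig["expiration"] - now < warn_before:
            problems.append(key + ("expiring-soon",))      # re-sign before it bites
    for key in sorted(rrsets - signed):
        problems.append(key + ("unsigned",))               # bogus under a signed delegation
    return sorted(problems)


def check_zone_at(zone_text: str, now_str: str) -> List[Tuple[str, str, str]]:
    """Convenience wrapper taking the check time in RRSIG timestamp format."""
    return check_zone(zone_text, parse_timestamp(now_str))


if __name__ == "__main__":
    # Check "as of" the thread's date (2017-08-16 08:21:37 UTC).
    for owner, rtype, problem in check_zone_at(SAMPLE_ZONE, "20170816082137"):
        print(f"{problem:15s} {owner} {rtype}")
```

Run against the sample as of the thread's date, the gate refuses to publish: the NS signature expires within the warning window, the www A signature is already expired, and mail has no signature at all. Wiring a check like this into the signing pipeline (and into monitoring, with the threshold set comfortably above the re-sign interval) is the cheap half of surviving the signer bugs mentioned above; the expensive half, fixing the DS at the parent quickly, is what the message says remains inconvenient.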

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
