> On 25 Feb 2021, at 16:11, Joe Abley <[email protected]> wrote:
>
> Hi Ulrich,
>
> On Feb 25, 2021, at 06:53, Ulrich Wisser <[email protected]> wrote:
>
>> But this is a real world problem, one that is holding DNSSEC back.
>> If you buy DNS operations the operator will usually tell you what algorithm
>> they use, you have no choice in that.
>
> This feels like one of those areas where more specificity is needed. "DNS
> operations" is over-broad; what you mean, I think, is "if you outsource
> zone-signing". If you sign yourself and distribute your zone to external DNS
> operators then you can add and drop vendors without worrying about key
> rollovers, for example.

Ok, I can be more specific.

As a small business owner you have no way to move your hosting company to change their DNSSEC configuration. (Besides that, you most probably have no idea that it exists.) You should be able to switch hosting providers without thinking about security; a secure transition should be guaranteed by the hosting companies, who can only do it if it is enabled by the protocol.

As a larger entity you might have compliance requirements for DNSSEC. But at the same time you need to follow public procurement rules. You cannot always choose service providers freely. Moving your domain should be secure; going insecure is not an option.

>> Now if your new operator doesn't use the same algorithm you can't switch
>> without going insecure.
>> I don't think this is an acceptable situation.
>
> I agree that this is a factor that ought to be included in the process of
> deciding to move vendors. If your proposed new vendor can't do what you want,
> then presumably you don't move there. While it's always possible to make
> mistakes, it's not at all clear to me that particular problem is something
> that needs protocol-level mitigations.
>
> DNSSEC is normally part of a layered set of defences. In such an architecture
> relaxing one layer for a period in order to fix a problem or avoid a more
> complicated transition can be a perfectly acceptable answer. Going insecure
> for a short period in that context is not necessarily a cop-out; it could
> well be smart thinking.

I totally disagree. When has switching off security ever been a smart option? It is only considered smart because the process of moving is so complex and error prone. And that is a "feature" of the protocol design. It's not a law of nature. We could change the design to allow for secure transfer.

>
>
> Joe

/Ulrich
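The algorithm mismatch discussed in this exchange can be checked before a migration rather than discovered during it. The following is an added example, not code from the thread or from any operator: it parses the DNSKEY records each operator would publish at the apex and applies the signer-side rule of RFC 4035 section 2.2 (every algorithm present in the DNSKEY RRset must also sign the zone) to a combined, multi-signer RRset. The record lines and key material are constructed placeholders; `transition_report` and `parse_dnskey` are names chosen here.

```python
# Pre-migration DNSSEC algorithm check (added example, not from the thread).
# If two operators each sign only with their own keys, a combined apex DNSKEY
# RRset containing both algorithms violates RFC 4035 s2.2 on the signer side:
# the zone would carry an algorithm that one operator's RRSIGs never cover.
# RFC 6840 s5.11 tells validators to be lenient, but relying on that is
# exactly the "go insecure and hope" transition the thread argues against.
from dataclasses import dataclass

# Algorithm numbers from the IANA DNSSEC algorithm registry (only those used below).
ALGORITHM_NAMES = {8: "RSASHA256", 13: "ECDSAP256SHA256", 15: "ED25519"}

@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    algorithm: int
    operator: str

def parse_dnskey(line: str, operator: str) -> DNSKEY:
    """Parse one DNSKEY RR in presentation format:
    <owner> [TTL] [CLASS] DNSKEY <flags> <protocol> <algorithm> <base64...>"""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    if protocol != 3:  # RFC 4034 s2.1.2: the protocol field is always 3
        raise ValueError(f"DNSKEY protocol must be 3, got {protocol}")
    return DNSKEY(fields[0].lower(), flags, algorithm, operator)

def transition_report(current: list[str], prospective: list[str]) -> dict:
    """Report whether both operators can co-sign without any algorithm gap."""
    cur_algs = {parse_dnskey(l, "current").algorithm for l in current}
    new_algs = {parse_dnskey(l, "prospective").algorithm for l in prospective}
    # Each operator signs only with the algorithms of its own keys, so any
    # algorithm the other side lacks is unsigned in the RRsets that side serves.
    new_cannot_sign = sorted(cur_algs - new_algs)
    cur_cannot_sign = sorted(new_algs - cur_algs)
    return {
        "current_algorithms": [ALGORITHM_NAMES.get(a, str(a)) for a in sorted(cur_algs)],
        "prospective_algorithms": [ALGORITHM_NAMES.get(a, str(a)) for a in sorted(new_algs)],
        "secure_multisigner_possible": not (new_cannot_sign or cur_cannot_sign),
        "algorithms_prospective_cannot_sign": new_cannot_sign,
        "algorithms_current_cannot_sign": cur_cannot_sign,
    }

# Constructed sample RRsets; the base64 fields are placeholders, not real keys.
CURRENT_OPERATOR = [
    "example.org. 3600 IN DNSKEY 257 3 8 PLACEHOLDERKSK8==",
    "example.org. 3600 IN DNSKEY 256 3 8 PLACEHOLDERZSK8==",
]
PROSPECTIVE_OPERATOR = [
    "example.org. 3600 IN DNSKEY 257 3 13 PLACEHOLDERKSK13==",
    "example.org. 3600 IN DNSKEY 256 3 13 PLACEHOLDERZSK13==",
]

if __name__ == "__main__":
    print(transition_report(CURRENT_OPERATOR, PROSPECTIVE_OPERATOR))
```

Feed it the DNSKEY RRsets you have obtained from each operator; a report with `secure_multisigner_possible` false means an algorithm rollover by one side has to precede the move if the zone is to stay signed throughout.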
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
