Re: DANE of SMTP Survey

[John Levine]

It appears that Tom Ivar Helbekkmo via NANOG  said:
>John Levine  writes:
>
>> I have signed all 300 zones on my DNS servers, but only about half of
>> them have working DNSSEC because there is no practical way to install
>> the DS records.
>
>Sounds like ICANN, having told us for a very long time that they want
>DNSSEC everywhere, should attempt to get a requirement in place that
>registrars have to make it reasonably easy for customers to get those DS
>records installed. ...

Hahahahaha.  At ICANN, anything that might put even the tiniest extra
cost on registrars is a non-starter.  Look at the endless fight about
WHOIS redaction.

Re: DANE of SMTP Survey

[Tom Ivar Helbekkmo via NANOG]

John Levine  writes:

> I have signed all 300 zones on my DNS servers, but only about half of
> them have working DNSSEC because there is no practical way to install
> the DS records.

Sounds like ICANN, having told us for a very long time that they want
DNSSEC everywhere, should attempt to get a requirement in place that
registrars have to make it reasonably easy for customers to get those DS
records installed.  Certificate authorities are now required to honor
CAA records, which need DNSSEC in place to really make sense, so it
would, IMHO, be natural to follow up like this.

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay

Re: DANE of SMTP Survey

[John Levine]

It appears that Tom Ivar Helbekkmo via NANOG  said:
>Jeroen Massar via NANOG  writes:
>
>> No, not even kidding. For many organisations DNSSEC is 'scary' and a
>> burden as it feels 'fragile' for them.
>
>Unfortunately, yes.  And those of us who use it know that this is a
>myth.  With modern software, DNSSEC is quick and easy to set up, and
>works just fine, with no reason for any problems. ...

I wish that were true.  I have signed all 300 zones on my DNS
servers, but only about half of them have working DNSSEC because there
is no practical way to install the DS records.  For names that are
registered through my registrar reseller account, it's easy since my
registrar (Tucows) has an API.  But for the rest of them that my
users have registered somewhere else, either I have to try and walk
them through the process of uploading the DS data themselves, or
they have to give me their account passwords, neither of which is
workable if you have 100 domains, much less thousands.

I know about CDS, and have tried publishing CDS, but none of my
unsigned domains are at the handful of registries that do CDS
bootstrapping.

I've been grousing about this at the IETF and ICANN for years,
people say yes, that's a problem, and nothing happens.

Re: DANE of SMTP Survey

[Tom Ivar Helbekkmo via NANOG]

Jeroen Massar via NANOG  writes:

> No, not even kidding. For many organisations DNSSEC is 'scary' and a
> burden as it feels 'fragile' for them.

Unfortunately, yes.  And those of us who use it know that this is a
myth.  With modern software, DNSSEC is quick and easy to set up, and
works just fine, with no reason for any problems.  The effort invested
is a very low price to pay for the added protection, both directly (by
making sure that spoofing attacks  make resolving fail noticeably),
and through the various added mechanisms you can then apply, such as CAA
records.

> And replacing a DNS key can take a few moments, especially with
> caching of records etc.
> Thus downtime is then ensured.

Not if you do it right.  Add the new key, wait a while, then remove the
old key.  On installations I manage, this is scripted, and done from
cron, rotating ZSKs on a monthly basis.

> Combine that with many shops not having much DNS knowledge in the
> first place, they won't easily get their heads around that barrier.

Now that's a real problem.  If you're going to do X, you should have
someone on staff who knows enough about X to do it right, safely.

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay

Re: DANE of SMTP Survey

[Mark Tinka]

On 6/3/21 23:41, babydr DBA James W. Laferriere wrote:



The Signing of the 'Zone' ,  Can the 'Zone' be signed by a 
self-signed key ?  Or MUST I (and others) rely on a external 
certificate authority ?


Mind you I notice in rfc6487 (note(s)) about self-signed 
certificates .
So Maybe I am being a bit over worried about having to spend more 
money just to keep my 2 ip-ranges routing in light of the RPKI 
initative(s) .


Which Mr. Andrews response below answers quite succinctly ,


Indeed! Thanks, Mark.

Yeah, it's never been obvious or apparent to me that self-signed keys 
for DNSSEC would not be honoured.


My personal zone, as well as my company's one, are both self-signed. 
They've both been working reasonably well, so far.


Mark.

Re: DANE of SMTP Survey

[babydr DBA James W. Laferriere]

Hello Mr. Tinka & Mr. Andrews ,  Please see below .

On Thu, 3 Jun 2021, Mark Tinka wrote:

On 6/3/21 00:25, babydr DBA James W. Laferriere wrote:


The Below is to keep thread of thought accurate ...

On Wed, 2 Jun 2021, Mark Tinka wrote:

* Step 2 - take your time cluing up on getting your zone signed, and
 being part of the solution toward a more secure Internet. No
 pressure, at your pace.




Again ,  Will this handle the case of self-signed only ?


Not sure I understand your question, in both cases of recursion and 
authoritative.


	The Signing of the 'Zone' ,  Can the 'Zone' be signed by a self-signed 
key ?  Or MUST I (and others) rely on a external certificate authority ?


Mind you I notice in rfc6487 (note(s)) about self-signed certificates .
	So Maybe I am being a bit over worried about having to spend more money 
just to keep my 2 ip-ranges routing in light of the RPKI initative(s) .


Which Mr. Andrews response below answers quite succinctly ,

On Thu, 3 Jun 2021, Mark Andrews wrote:

DANE works with self generated CERTs.  The TLSA record provides the 
cryptographic link back to the DNSSEC root.


Thank You Mr. Andrews ,  Muchly . Is what I was hoping for .

Thank You Both .  JimL
--
+-+
| James   W.   Laferriere| SystemTechniques | Give me VMS |
| Network & System Engineer  | 3237 Holden Road |  Give me Linux  |
| j...@system-techniques.com | Fairbanks, AK. 99709 |   only  on  AXP |
+-+

Re: DANE of SMTP Survey

[Mark Andrews]

DANE works with self generated CERTs.  The TLSA record provides the 
cryptographic link back to the DNSSEC root.

-- 
Mark Andrews

> On 3 Jun 2021, at 22:32, babydr DBA James W. Laferriere 
>  wrote:
> 
> Hello Mark ,
> 
>> On Wed, 2 Jun 2021, Mark Tinka wrote:
>>> On 6/2/21 11:07, Jeroen Massar via NANOG wrote:
>>> 
>>> As for solutions: better education, more improvements to the tools & making 
>>> it easier. CDS records already help a lot. But we might also need to 
>>> improve recovery mechanisms, as f-ups are made, and you don't want to be 
>>> off this Internet thing for too long.
>> 
>> I think DNSSEC implementation needs to be made less scary for folk who are 
>> apprehensive, and broken down into two steps, where step 1 is most 
>> emphasized:
>> 
>> * Enable DNSSEC on your resolvers. Does not require you to sign your
>>  zones. Does not require you to read up on what it takes to sign and
>>  maintain your zones. Does not require you to worry and test for the
>>  next 60 days whether DNSSEC will break your e-mail delivery, e.t.c.:
>> 
>>  dnssec-enable yes;
>>  dnssec-validation auto;
>> 
>> Done! Two lines (BIND, in this case), and off you go.
> 
>Will this handle the case of self-signed only ?
>And as Jeroen Massar mentioned the resignation of a certificate is a tad 
> troubles some for both DNSSEC & DANE .
> 
>> * Step 2 - take your time cluing up on getting your zone signed, and
>>  being part of the solution toward a more secure Internet. No
>>  pressure, at your pace.
> 
>Again ,  Will this handle the case of self-signed only ?
> 
>> Mark.
>Tia ,  JimL
> -- 
> +-+
> | James   W.   Laferriere| SystemTechniques | Give me VMS |
> | Network & System Engineer  | 3237 Holden Road |  Give me Linux  |
> | j...@system-techniques.com | Fairbanks, AK. 99709 |   only  on  AXP |
> +-+

Re: DANE of SMTP Survey

[babydr DBA James W. Laferriere]

Hello Mark ,

On Wed, 2 Jun 2021, Mark Tinka wrote:

On 6/2/21 11:07, Jeroen Massar via NANOG wrote:

As for solutions: better education, more improvements to the tools & making 
it easier. CDS records already help a lot. But we might also need to 
improve recovery mechanisms, as f-ups are made, and you don't want to be 
off this Internet thing for too long.


I think DNSSEC implementation needs to be made less scary for folk who are 
apprehensive, and broken down into two steps, where step 1 is most 
emphasized:


* Enable DNSSEC on your resolvers. Does not require you to sign your
  zones. Does not require you to read up on what it takes to sign and
  maintain your zones. Does not require you to worry and test for the
  next 60 days whether DNSSEC will break your e-mail delivery, e.t.c.:

         dnssec-enable yes;
 dnssec-validation auto;

        Done! Two lines (BIND, in this case), and off you go.


Will this handle the case of self-signed only ?
	And as Jeroen Massar mentioned the resignation of a certificate is a tad 
troubles some for both DNSSEC & DANE .



* Step 2 - take your time cluing up on getting your zone signed, and
  being part of the solution toward a more secure Internet. No
  pressure, at your pace.


Again ,  Will this handle the case of self-signed only ?


Mark.

Tia ,  JimL
--
+-+
| James   W.   Laferriere| SystemTechniques | Give me VMS |
| Network & System Engineer  | 3237 Holden Road |  Give me Linux  |
| j...@system-techniques.com | Fairbanks, AK. 99709 |   only  on  AXP |
+-+

Re: DANE of SMTP Survey

[Mark Tinka]

On 6/3/21 00:25, babydr DBA James W. Laferriere wrote:



Again ,  Will this handle the case of self-signed only ?


Not sure I understand your question, in both cases of recursion and 
authoritative.


Mark.

Re: DANE of SMTP Survey

[Mark Tinka]

On 6/3/21 04:53, Jeroen Massar via NANOG wrote:


 Jeroen
  (who has the majority of domains under my control DNSSEC signed, 
but... not all; need to do the DANE part though still)


You and me both, on the DANE bit :-).

Mark.

Re: DANE of SMTP Survey

[Jeroen Massar via NANOG]

[
 The kicker about DNSSEC is in the dnsviz links, enjoy ;)

 TLDR: As long as the very big providers don't demand DNSSEC / DANE, why bother 
as a small network (just, be prepared to deploy when it starts affecting spam 
scoring or your search rankings), but small networks do benefit unlike the 
large providers with direct peerings.
]


> On 20210602, at 16:57, Scott Morizot  wrote:

[..]
> My large organization [..]

> I know our Internet email team [..]

You are hitting it right on the head as I noted in my previous comment: you 
have multiple (and then possibly even >10) people working on just those 
separate subjects of DNS and email.

Many many shops do not have that luxury, where the email and DNS person is the 
same person, maybe there are 2 people, but that is heaven already.

DNSSEC just becomes really scary for smaller teams, or for teams that are 
small, as it is keys to the kingdom when that fails, and you can't rely on an 
external helper to then run and help you when you need the help. And the 
benefits do not really always outweigh the fragility chances...



Now, in reality, it all should not really matter: the email market, where DANE 
should be prevalently used, is dominated by a few duo-ish-opolies of really 
large mail providers and then there are a bunch of smaller ones.
And these have those large teams and could do DNSSEC and if they want DANE 
indeed just fine, you would think.

If those market 'leaders' decide to enforce yet another new standard, and they 
pick DANE, if you want to either receive or send email to them, things get 
implemented really quickly everywhere, as you'll have to. (in the same way that 
we have SPF/DKIM/DMARC/ARC/STARTTTLS/MTA-STS/etc etc)


But lets check the leaders with many great engineers on staff, what they think 
of this DNSSEC thing (and thus also DANE):

https://dnsviz.net/d/gmail.com/dnssec/ 
https://dnsviz.net/d/google.com/dnssec/ 

https://dnsviz.net/d/microsoft.com/dnssec/ 
 (along with 0x20 errors at my time 
of test)
https://dnsviz.net/d/outlook.com/dnssec/ 

https://dnsviz.net/d/icloud.com/dnssec/ 

https://dnsviz.net/d/aol.com/dnssec/  (no 
UDP over IPv6)
https://dnsviz.net/d/facebook.com/dnssec/ 


One outlier:
https://dnsviz.net/d/comcast.com/dnssec/ 
 (but various RRSIG issues, due to 
alg 5)

seems your team has to be really big to dare to enable DNSSEC ;)

Though, I would not be surprised if they simply don't care about DNSSEC, as 
they have direct links to most networks, thus spoofing DNS becomes a rarer 
option, and that the larger responses are considered to slow things down, thus 
they won't want to enable it because of performance reasons (gotta get those 
ads quicker to the eyeball before they dismiss it).


Thus yes, for a smaller network it is likely a good idea to DNSSEC, because 
your packets will transit multiple links that might change bits, but for the 
very very big, where you mostly peer directly with most networks, DNSSEC is not 
really going to bring you much in terms of authentication of data.

And with the move to DoT/DoH and centralised DNS Recursor services, they really 
don't care about that as TLS solves many (not all, eg auth) of the 
'man-in-the-middle' attacks.

But I am also sure that these large networks can simply flip a switch and 
enable it easily if they really wanted to.

Greets,
 Jeroen
  (who has the majority of domains under my control DNSSEC signed, but... not 
all; need to do the DANE part though still)

Re: DANE of SMTP Survey

[Scott Morizot]

On Wed, Jun 2, 2021 at 8:54 AM Bjørn Mork  wrote:

> Jeroen Massar via NANOG  writes:
>
> > For many organisations DNSSEC is 'scary' and a burden as it feels
> > 'fragile' for them.
>
> For "many"?  Can you name one that doesn't feel like that?
>
> https://www.arin.net/vault/announcements/2019/20190204.html
>
> https://www.ripe.net/support/service-announcements/dnssec-validation-problem-with-ripe.net
>
> DNSSEC *is* scary, fragile and a burden.  The question is whether the
> alternatives are worse.
>

Certainly. It's probably not even difficult. My large organization doesn't
find DNSSEC 'scary' or a burden and didn't even when we started in 2011. It
was simply a technical challenge that needed to be designed and integrated.
We have authoritative DNSSEC signing and recursive DNSSEC validation in
place. Public and internal authoritative DNS is mostly signed and
validation is enforced throughout our multi-layered recursive
infrastructure. A number of other organizations also do DNSSEC and have
been doing it.

I know our Internet email team is aware of the use of DANE for SMTP TLS and
are considering it, but DNSSEC is not a factor at all in their evaluation.
It's a given, just part of the DNS infrastructure they use. And I'm not
aware of any "alternative" that does what DNSSEC does. The only choice is
whether you care about verifiable DNS response integrity or not. As far as
'fragile' goes, I assume that would be implementation dependent. There's no
inherent reason an architecture would be 'fragile'. Or if you mean failure
to properly maintain your zones will break your DNS, that would be true for
any strong integrity assurance mechanism that could possibly be designed.
Integrity assurance means if things are supposed to be secured and cannot
be validated they will not resolve. That's an underlying requirement any
mechanism would have to meet or it's not providing integrity assurance.

Scott

Re: DANE of SMTP Survey

[Jeroen Massar via NANOG]

On 2021-06-02 15:47, Bjørn Mork wrote:

Jeroen Massar via NANOG  writes:


For many organisations DNSSEC is 'scary' and a burden as it feels
'fragile' for them.


For "many"?  Can you name one that doesn't feel like that?


Large organisations with 24/7 NOC teams where at least a few folks work 
more or less the whole week on keeping DNS up and running


And as you note, even then, things happen. Noting that ARIN & RIPE NOC 
are not that super big, they are rather on the small size... their 
problems are just felt really quickly.


Their advantage is that many people will help them out and more 
importantly: they have the right contacts.


Greets,
 Jeroen

Re: DANE of SMTP Survey

[Bjørn Mork]

Jeroen Massar via NANOG  writes:

> For many organisations DNSSEC is 'scary' and a burden as it feels
> 'fragile' for them.

For "many"?  Can you name one that doesn't feel like that?

https://www.arin.net/vault/announcements/2019/20190204.html
https://www.ripe.net/support/service-announcements/dnssec-validation-problem-with-ripe.net

DNSSEC *is* scary, fragile and a burden.  The question is whether the
alternatives are worse.


Bjørn

Re: DANE of SMTP Survey

[Mark Tinka]

On 6/2/21 11:07, Jeroen Massar via NANOG wrote:


As for solutions: better education, more improvements to the tools & making it 
easier. CDS records already help a lot. But we might also need to improve recovery 
mechanisms, as f-ups are made, and you don't want to be off this Internet thing for 
too long.


I think DNSSEC implementation needs to be made less scary for folk who 
are apprehensive, and broken down into two steps, where step 1 is most 
emphasized:


 * Enable DNSSEC on your resolvers. Does not require you to sign your
   zones. Does not require you to read up on what it takes to sign and
   maintain your zones. Does not require you to worry and test for the
   next 60 days whether DNSSEC will break your e-mail delivery, e.t.c.:

         dnssec-enable yes;
 dnssec-validation auto;

        Done! Two lines (BIND, in this case), and off you go.

 * Step 2 - take your time cluing up on getting your zone signed, and
   being part of the solution toward a more secure Internet. No
   pressure, at your pace.

Mark.

Re: DANE of SMTP Survey

[Jeroen Massar via NANOG]

> On 20210601, at 15:15, Moritz Müller via NANOG  wrote:
> 
> Hi,
> 
> DANE for SMTP is not deployed on large scale. Together with researchers from 
> Seoul National University, Virginia Tech and the University of Twente, we 
> would like to understand which challenges operators face when deploying DANE 
> for SMTP.

DNSSEC?

... ;)

No, not even kidding. For many organisations DNSSEC is 'scary' and a burden as 
it feels 'fragile' for them.

Now, over the last few years this fragility has become less, especially with 
DNS servers already doing most of the work for you, but people still find it 
scary, as when DNS breaks (and "it is always DNS", unless it is the network 
full of packets eh, or broken routes, etc), then you lose all your eggs.

And replacing a DNS key can take a few moments, especially with caching of 
records etc.
Thus downtime is then ensured.


Combine that with many shops not having much DNS knowledge in the first place, 
they won't easily get their heads around that barrier.

Hosted offerings (where the shop has 24/7 people just for DNS) are then the 
only way to go, but then why have an Internet, we could just let everything be 
done by a single Monopoly and be done with it.


As for solutions: better education, more improvements to the tools & making it 
easier. CDS records already help a lot. But we might also need to improve 
recovery mechanisms, as f-ups are made, and you don't want to be off this 
Internet thing for too long.

Greets,
 Jeroen

DANE of SMTP Survey

[Moritz Müller via NANOG]

Hi,

DANE for SMTP is not deployed on large scale. Together with researchers from 
Seoul National University, Virginia Tech and the University of Twente, we would 
like to understand which challenges operators face when deploying DANE for SMTP.
Also, we would like to understand how operators deploy DANE successfully.
Finally, we want to develop solutions to simplify DANE deployment for SMTP.

Filling out the survey should take between 10 and 20 minutes.
We would highly appreciate your participation.

https://forms.gle/qpxtbi9zecT4haxC8

Don’t hesitate to drop me a mail if you have questions or remarks.
We’ll share the results with the list after evaluation.

— Moritz

—
Moritz Müller | Research Engineer
SIDN | Meander 501 | 6825 MD | Postbus 5022 | 6802 EA | ARNHEM
T +31 (0)26 352 55 00
moritz.mul...@sidn.nl | www.sidn.nl


signature.asc
Description: Message signed with OpenPGP