On 4/11/21 7:05 PM, Viktor Dukhovni wrote:
> There are of course pros/cons for CT and pros/cons for DNSSEC, but my
> take is that architecturally DNSSEC is better suited for securing the
> typical domain on the public Internet.
Architectural arguments are great, but pragmatically speaking there seem
to be significant deployment problems with DNSSEC.
> Adoption has been hampered by difficult KSK enrollment/rollover,
> immaturity of tooling and by habitual cynicism from plausibly
> authoritative voices.
These aren't the problems (except perhaps immaturity of tooling) that
most immediately come to mind.
Where is the easy-to-understand guide for how to sign your own RRs or
zone(s), and to verify that the signing is properly done?
Which registrars provide tools for signing, or do you have to operate
your own master DNS server in order to do that?
How long does it take for the typical domain name owner to sign their
RRs for the first time?
What's the ongoing commitment in time for a domain owner to maintain
DNSSEC for their RRs?
What's the immediate benefit to the signer from signing one's own RRs?
(Note: if nothing is verifying signatures, the immediate benefit is zero.)
And how do we close these (and doubtless other) gaps?
I'd love for the Internet to be able to make better use of DNSSEC and to
need to rely less on PKI. But for all that I love about this idea, I
don't think this is going to happen until most of these problems are fixed.
Keith
p.s. and I doubt I'm a plausibly authoritative voice on this subject,
but please don't interpret this as cynicism so much as a genuine desire
to get people using these tools.