On Wed, Apr 21, 2021 at 08:23:52PM -0400, Viktor Dukhovni wrote:

> I am suggesting that Google can easily do DNSSEC for google.com, they likely
> face non-trivial adoption barriers with global DNSSEC load-balancing, and
> other specialised tech.  I am just saying the old excuses are tired out, we
> can and should move on.

P.S. My typo (crucial skipped negation) in the above may have given rather
the wrong impression.  I meant to write:

    I am *not* suggesting that Google can easily do DNSSEC for google.com, ...

There are likely significant complexities in making changes at Google's
scale, given all the specialised machinery in use for DNS load-balancing.

Mind you, there could be an opportunity to revisit this once support for
DNS SVCB/HTTPS records is ubiquitous.  In a clean-slate design the targets
of these can be stable names in unsigned zones, with all the dynamic IP
responses limited to those zones:

    ; Signed largely static data:
    ;
    example.com.                1D IN HTTPS 0 www.dyndns.example.com.
    _443._tcp.example.com.         IN TLSA  2 1 1 ...
    ;
    www.example.com.            1D IN HTTPS 0 www.dyndns.example.com.
    _443._tcp.www.example.com.     IN TLSA  2 1 1 ...

    ; Unsigned, short TTL dynamic data, client-subnet dependent, ...
    ;
    www.dyndns.example.com.        IN A     ...
    www.dyndns.example.com.        IN AAAA  ...

and all the short TTLs, non-DNSSEC load-balancers, ... limited to just such
specialised zones.

-- 
    Viktor.
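The zone split sketched in the message above, worked through as an added example (this is not Viktor's code, and it talks to no real DNS). It parses a constructed pair of zones in the same layout, follows the HTTPS alias from the stable, signed name to the dynamic, unsigned target, and reports which parts of the resulting connection plan are DNSSEC-authenticated: the TLSA anchor is, the addresses are not. A second function lints the signed zone for the things the design is meant to keep out of it (short TTLs, A/AAAA data, HTTPS targets outside the dynamic zone). The names example.com / dyndns.example.com, the one-hour "static" TTL threshold, the alias-hop cap, and the placement of TLSA at the stable name rather than the alias target are assumptions taken from the message's own sketch, and the records are constructed sample data.

```python
# Added example: model of a signed static zone (HTTPS + TLSA) fronting an
# unsigned, short-TTL zone that carries the load-balanced A/AAAA answers.
# All names, TTL thresholds and records below are constructed assumptions.
from dataclasses import dataclass

TTL_UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
MIN_SIGNED_TTL = 3600        # assumed policy: signed data is "largely static"
MAX_ALIAS_HOPS = 8           # assumed cap on HTTPS AliasMode chains
SIGNED_ZONE = "example.com."
UNSIGNED_ZONES = ("dyndns.example.com.",)   # where dynamic answers may live

@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str
    signed: bool             # True if the record came from a DNSSEC-signed zone

def parse_ttl(tok):
    tok = tok.upper()
    return int(tok[:-1]) * TTL_UNITS[tok[-1]] if tok[-1] in TTL_UNITS else int(tok)

def parse_zone(text, signed):
    """Parse the zone-file subset in the message: NAME TTL [IN] TYPE RDATA."""
    rrs = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()        # drop ';' comments
        if not line:
            continue
        name, ttl, *rest = line.split()
        if rest[0] == "IN":
            rest = rest[1:]
        rrs.append(RR(name, parse_ttl(ttl), rest[0], " ".join(rest[1:]), signed))
    return rrs

def lookup(rrs, name, rtype):
    return [r for r in rrs if r.name == name and r.rtype == rtype]

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def check_split(rrs):
    """Flag signed-zone records that would drag dynamic data back into it."""
    problems = []
    for r in rrs:
        if not r.signed:
            continue
        if r.ttl < MIN_SIGNED_TTL:
            problems.append(f"{r.name} {r.rtype}: TTL {r.ttl} too short for the signed zone")
        if r.rtype in ("A", "AAAA"):
            problems.append(f"{r.name} {r.rtype}: address data belongs in an unsigned zone")
        if r.rtype == "HTTPS":
            target = r.rdata.split()[1]
            if not any(in_zone(target, z) for z in UNSIGNED_ZONES):
                problems.append(f"{r.name} HTTPS: target {target} is not in a dynamic zone")
    return problems

def connection_plan(rrs, name, port=443):
    """Follow HTTPS AliasMode records, then gather addresses and the DANE anchor."""
    target = name
    for _ in range(MAX_ALIAS_HOPS):
        https = lookup(rrs, target, "HTTPS")
        if not https or https[0].rdata.split()[0] != "0":   # priority 0 = AliasMode
            break
        target = https[0].rdata.split()[1]
    else:
        raise ValueError("HTTPS alias chain too long")
    addrs = lookup(rrs, target, "A") + lookup(rrs, target, "AAAA")
    tlsa = lookup(rrs, f"_{port}._tcp.{name}", "TLSA")   # TLSA stays at the stable name
    return {
        "target": target,
        "addresses": [a.rdata for a in addrs],
        "addresses_authenticated": bool(addrs) and all(a.signed for a in addrs),
        "tlsa": [t.rdata for t in tlsa],
        "tlsa_authenticated": bool(tlsa) and all(t.signed for t in tlsa),
    }

# Constructed sample zones mirroring the layout in the message (FQDNs throughout).
SIGNED_TEXT = """
; signed, largely static
example.com.               1D IN HTTPS 0 www.dyndns.example.com.
_443._tcp.example.com.     1D IN TLSA  2 1 1 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
www.example.com.           1D IN HTTPS 0 www.dyndns.example.com.
_443._tcp.www.example.com. 1D IN TLSA  2 1 1 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""
UNSIGNED_TEXT = """
; unsigned, short TTL, client-subnet dependent
www.dyndns.example.com.    30 IN A    192.0.2.10
www.dyndns.example.com.    30 IN AAAA 2001:db8::10
"""

def records():
    return parse_zone(SIGNED_TEXT, signed=True) + parse_zone(UNSIGNED_TEXT, signed=False)

if __name__ == "__main__":
    rrs = records()
    print("split violations:", check_split(rrs))
    print(connection_plan(rrs, "www.example.com."))
```

The plan for www.example.com. lands on www.dyndns.example.com. with unauthenticated addresses but an authenticated TLSA record: a forged A/AAAA answer from the unsigned zone can only steer the client to a host that must still present a certificate chaining to the pinned DANE trust anchor, which is the property the split is buying. Running `check_split` over a zone that has had a short-TTL A record slipped into example.com. reports it twice, once for the TTL and once for the record type.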