recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

Timothe Litt litt at acm.org
Wed Aug 27 22:03:27 UTC 2014 

On 27-Aug-14 14:54, Doug Barton wrote:
> On 8/26/14 10:35 AM, Timothe Litt wrote:
>> I think this is misleading, or at least poorly worded and subject to
>> misinterpretation.
>
> I chose my words carefully, and I stand by them.
>
The OP was asking about configuring a resolver (bind's).

Where I thought there could be confusion is in conflating two issues:
1) Should validating resolvers consult the DLV?
2) Should entries be made in the DLV?

So you really meant that validating resolvers should only consult DLV if
their administrator knows that users are looking-up names that are in
the DLV?  That's how I read your advice.

I don't see how that can work; hence we'll disagree.  I think the only
viable strategy for *resolvers* is to consult the DLV - as long as it
exists.

If you meant that an administrator should only put entries in DLV for a
domain:
  a) If there is no direct trust path to the root; and
  b) the domain benefits from being DNSSEC-secured (know your user base)
then we agree.

> I did not say that the DLV has no value, and I specifically mentioned
> that there are circumstances when it is valuable and should be used.
> You clearly have a different view, which is fine.
>
> When it comes to gTLDs, I completely reject the notion that users
> cannot change registrars. It can be hard, no doubt, but it's a
> cost/benefit analysis. If the benefit of DNSSEC outweighs the
> difficulty of moving, then it's worth it. If not, it's not. The fact
> that it's hard doesn't mean it's impossible.
>
"Impossible" is a very high standard.  DNSSEC is only one part of the
cost/benefit analysis in choosing/sticking with a registrar.  And part
of the benefit of DNSSEC goes to the registrant's users, not all to the
registrant - this is hard to account for.  Also, it's not just the
technical/financial difficulty of switching registrars.  Some have
policies/practices that some users find unacceptable; unfortunately, for
quite some time those were the ones that offered DNSSEC.  That's
improving, but it's still an issue in some circles. 

DLV has a different set of costs (and benefits - especially when some
resolvers don't consult it). 

If the question is "how can I implement DNSSEC in my zones", the
preferred path is certainly not DLV.  But if the choice is "a
difficult/expensive switch of registrar or no DNSSEC", DLV is worth
considering.  

> That said, I do recognize that there are situations where a chain of
> trust to the root is not possible (such as some reverse zones). Again,
> this becomes a cost/benefit analysis. For reverse zones if DNSSEC is
> important it may be worth the effort of changing providers, or even
> getting a PI assignment. For TLDs where DNSSEC is not yet available, a
> change may be in order. If enough people vote with their feet in this
> way those providers and TLDs that lose customers may reconsider their
> offerings.
>
> No one said it would be easy. :)
>
> Doug

I agree that a chain to the root is the preferred option.

I would love to vote with my feet.  I have a few small problems with
that strategy.

There is no ISP in my geography that provides dnssec reverse delegation
for IPv4.  Not for lack of complaints/escalations from me. 

There is only one ISP here that offers fiber speeds at prices that an
individual can afford.  So it can afford not to care.

For IPv6 - well, I can't get IPv6 directly from any ISP, but my tunnel
provider does allow DNSSEC reverse delegation.  When my ISP finally
implements IPv6 (promised for over 2 years, but again, they don't care),
I'll have to choose between a direct IPv6 connection with no reverse
DNSSEC, or sticking with my tunnel.

A provider-independent IP addresses is out of reach for all but the
largest/best financed organizations.  Not just getting them, but the
additional costs of having to get them routed.  And just try to get an
ISP to route a small number of IP addresses for a home/small business
(or even medium business) customer...at any price. 

So yes, there are trade-offs and a cost/benefit analysis is helpful. 
And if you're a big enough customer and/or you're fortunate enough to
have a choices that enable a direct trust chain to the root, we agree
that is the preferred choice from a strictly DNSSEC perspective.

Certainly DNSSEC is not easy.  It's getting somewhat easier, though not
fast enough. 

One way to make it easier - for now - is to encourage *resolvers* to
consult DLV.  That allows validated resolution of the domains that
require DLV.  That's a good thing. 

And that's where this thread started.  I think that's the only part
that's strictly on-topic for this list...




-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5159 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140827/6bac1768/attachment.bin>

More information about the bind-users mailing list