MoinQ:

1. DNSSEC/2019

Major DNSSEC Outages and Validation Failures Updated: June 17, 2019 https://ianix.com/pub/dnssec-outages.html

https://blog.apnic.net/2019/06/12/network-protocols-and-their-use-bgp-and-dnssec/

1.1. Reasons for failure

Network protocols and their use: BGP and DNSSEC

By Geoff Huston on 12 Jun 2019

The first half is about BGP.

The second half is about DNSSEC.


We have all heard of the transition of the Internet from an environment of overly credulous mutual trust and lack of scepticism over the authenticity of the data we receive from protocol transactions that occur over the Internet to one of suspicion and disbelief, based largely on the continual abuse of this original mutual trust model.


DNSSEC was a protocol extension to the DNS intended to provide exactly that level of assurance and yet, it has so far been a failure.

Read: The state of DNSSEC validation

In the case of DNSSEC, the stories of its failure stretch across its twenty years of progressive refinement.

This use of a single trust point is both a feature and a burden on the protocol.

Yet even with this care and attention to a trusted and secure root, DNSSEC is still largely a failure, particularly in the browser space. The number of domains that use DNSSEC to sign their zone is not high, and the uptake rate is not a hopeful one.

Perhaps two additional comments are useful here to illustrate this point. ...

In many cases (more than a third of the time) the stub resolver interprets this as a signal to re-query using a different recursive resolver, and the critical information of validation failure and the implicit signal of DNS meddling is simply ignored.
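A small illustration of the failure mode Huston describes, added here as a note and not taken from his article: a validating recursive resolver signals a DNSSEC validation failure to the stub as SERVFAIL (RCODE 2) with no answer data, while a successfully validated answer carries the AD bit. The code below parses the 12-byte DNS header of constructed sample responses (no real traffic, no network) and simulates two stub resolver policies: the common one, which treats SERVFAIL as "try the next configured resolver" and thereby accepts an unvalidated answer from a non-validating resolver, and the alternative, which surfaces the failure. The response bytes, resolver names and the `stub_resolve` policy function are all assumptions made for the example.

```python
import struct
from dataclasses import dataclass

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2  # what a validating resolver returns on DNSSEC validation failure


@dataclass
class DnsHeader:
    txid: int
    qr: bool      # response flag
    rd: bool      # recursion desired
    ra: bool      # recursion available
    ad: bool      # authenticated data: resolver validated the answer
    cd: bool      # checking disabled: client asked to skip validation
    rcode: int
    qdcount: int
    ancount: int


def parse_header(msg: bytes) -> DnsHeader:
    """Decode the fixed 12-byte DNS header (RFC 1035 s4.1.1, AD/CD from RFC 4035)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return DnsHeader(
        txid=txid,
        qr=bool(flags & 0x8000),
        rd=bool(flags & 0x0100),
        ra=bool(flags & 0x0080),
        ad=bool(flags & 0x0020),
        cd=bool(flags & 0x0010),
        rcode=flags & 0x000F,
        qdcount=qd,
        ancount=an,
    )


def build_header(txid, *, ad=False, cd=False, rcode=RCODE_NOERROR, ancount=0) -> bytes:
    """Construct a response header (QR, RD, RA set) for the samples below."""
    flags = 0x8000 | 0x0100 | 0x0080
    flags |= 0x0020 if ad else 0
    flags |= 0x0010 if cd else 0
    flags |= rcode & 0x000F
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


# Constructed sample responses (headers only; assumptions for this example).
VALIDATED_ANSWER = build_header(0x1234, ad=True, ancount=1)          # validating resolver, signatures check out
VALIDATION_FAILURE = build_header(0x1234, rcode=RCODE_SERVFAIL)       # validating resolver, signatures do NOT check out
UNSIGNED_ANSWER = build_header(0x1234, ad=False, ancount=1)           # non-validating resolver, possibly tampered


def classify(resp: bytes) -> str:
    h = parse_header(resp)
    if h.rcode == RCODE_SERVFAIL:
        return "servfail"
    if h.rcode == RCODE_NOERROR and h.ad:
        return "validated"
    if h.rcode == RCODE_NOERROR:
        return "unvalidated"
    return f"rcode-{h.rcode}"


def stub_resolve(responses, failover_on_servfail: bool):
    """Simulate a stub resolver trying its configured resolvers in order.

    responses: list of (resolver_name, response_bytes) as each resolver would reply.
    With failover_on_servfail=True (the behaviour the text describes) a SERVFAIL is
    treated as a server problem and the next resolver is tried, so the validation
    failure is never reported. With False the failure is returned to the caller.
    """
    for name, resp in responses:
        kind = classify(resp)
        if kind == "servfail" and failover_on_servfail:
            continue
        return name, kind
    return None, "servfail"


if __name__ == "__main__":
    chain = [("validating", VALIDATION_FAILURE), ("non-validating", UNSIGNED_ANSWER)]
    print(stub_resolve(chain, failover_on_servfail=True))   # ('non-validating', 'unvalidated')
    print(stub_resolve(chain, failover_on_servfail=False))  # ('validating', 'servfail')
```

The practitioner's check follows from the second call: a stub that mixes validating and non-validating resolvers, and fails over on SERVFAIL, silently downgrades every validation failure to an ordinary unvalidated answer. Either configure only validating resolvers or treat SERVFAIL from a validating resolver as a hard error. Note also that a client setting CD asks the resolver to return data even when validation fails, which is why `cd` is decoded alongside `ad`.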

The commercial success of the Web PKI, which was an alternative approach to DNSSEC, appears to support this proposition.

Protocol failure or market failure?

Why has DNSSEC evidently failed? Was this a protocol failure or a failure of the business model of name resolution?

The IETF’s engagement with security has been variable to poor, and the failure to take a consistent stance with the architectural issues of security has been a key failure here.

But perhaps this is asking too much of the IETF.