Dutch name authority: DNSSEC validation errors can be eliminated

DNSSEC, which secures the ancient domain name system, is important to Internet security and privacy, but as APNIC luminary Geoff Huston wrote last week, there's evidence that its use could be declining. “From the validation perspective, the use of DNSSEC appeared to have peaked in early 2016 and has been declining since then”, …

  1. sequester

    DNSSEC is a pain in the butt.

    Too many half-baked standards, lots of concessions to legacy low-performance systems (KSK/ZSK dichotomy for example, or reliance on outdated crypto standards), stupid set-up requirements and performance at different registries (the Irish all but require you to fax in key material, if you're dealing with the Danish it may be impossible or at least hard for your registrar to automate processes, and generally you will have a lot of manual work to be done and paid for somewhere), and it's generally high-maintenance for the zone maintainer. You need to somehow set up and maintain a rollover mechanism, cater to all the above idiocy for every single registry you're dealing with, and then stupid ISPs will still randomly break name resolution so your company will randomly be unreachable in most of a country if it's the ex-state-telecom monopoly deciding to be the one.

    It's just pain from start to finish, for little to no gain.

    It's a bit like modern Web "standards": they're fine if you're a stereotypical tech hipster doing your little dysfunctional demo page, but once you need to do some work and generate revenue, you start to realise that all the specifications are more like rough guidelines that nobody follows and you are dealing with a deluge of fragmented little ecosystems, and if you can you just skip over the mess.

  2. Crypto Monad Silver badge

    Solution looking for a problem

    It's pretty obvious when you think about it.

    * At the content provider side: turning on DNSSEC signing can do only one thing, which is increase the risk of their users seeing SERVFAIL errors in the event that there's a DNSSEC misconfiguration. This admittedly includes those SERVFAIL errors generated if someone else tries to spoof their domain (rare). Most content providers are very sensitive to losing eyeballs, because that turns directly into lost revenue.

    * At the access ISP side (eyeballs): turning on DNSSEC validation can do only one thing, which is increase the number of SERVFAIL errors seen by users accessing misconfigured DNSSEC domains. Those errors turn into support calls ("I can't access, but my friend who uses a different ISP can. Fix your broken ISP!"). Those support calls cost money.

    As for those listed applications: DKIM, DMARC and SPF *don't* require DNSSEC. DANE does, but it's not being used for anything. If a technology doesn't have a business justification, it won't be deployed, no matter how cool.

    1. Dan 55 Silver badge

      Re: Solution looking for a problem

      If a technology doesn't have a business justification, it won't be deployed, no matter how cool.

      If it were up to business justifications we'd still have a button to shop online with HTTP if HTTPS didn't work. If you don't remember, that was offered by Amazon in the mid-late 90s.

      That was quite advanced; other online shops didn't even give you the HTTPS option.

      1. This post has been deleted by its author

        1. DJV Silver badge

          "too many half-baked standards"

          Obligatory xkcd:

    2. Drew 11

      Re: Solution looking for a problem

      "DANE does, but it's not being used for anything."

      Because Google and Mozilla refuse to bake it into their browsers.

      That's the only thing holding it back.

  3. Tomato42


    this just in: people with licence to print money complain about requirements to add security and invest back into their business

  4. Crypto Monad Silver badge

    "invest back into their business"? Investment needs to have a payback.

    Let's be clear: DNSSEC does not in itself "add security". It generates extra SERVFAIL responses to DNS queries which fail validation.

    It is true that in some cases those failures may be due to someone actively attacking DNS - but there are much simpler solutions to that than DNSSEC.

    And besides: even if you can guarantee that your DNS responses have not been tampered with, DNSSEC does nothing to prevent man-in-the-middle attacks against the traffic as it passes through intervening network elements - a very common example of this being wifi hotspots.

    To deal with that issue you need end-to-end transport security. Running DANE on top of DNSSEC is *one* way to achieve that, and certainly the current CA approach has its problems, but it's unclear that DANE is significantly better.

  5. fluffybunnyuk

    I had Russian IP addresses, and a lot of them, sniffing round my DNS server. After implementing DNSSEC they stopped sniffing and went away. Admittedly I could have just blocked the IP range at the network firewall, but it did the job. My main problem with DNSSEC was the extra packet size, if I recall.

  6. GnuTzu

    "And, they might blame..."

    Oh, they'll definitely blame their proxy administrator.

  7. Marcel

    Yes, it's hard, but...

    It's a chicken and egg problem.

    Setting up a TCP/IP stack used to be hard...

    Setting up Linux with Apache and MySQL used to be hard...

    Setting up SSL/TLS on your website used to be hard...

    Setting up DNSSEC is hard NOW, but as it matures, knowledge and tooling will improve and it will not be hard anymore and we will reap the benefits.

    Just about everything in the world depends on DNS and it should be secure.

    1. PyLETS

      Re: Yes, it's hard, but...

      I suspect early use cases might include where a provider of a vertical application which needs a higher level of security than otherwise available sufficiently to make it worth installing dedicated client applications - e.g. a bank or other financial trading platform which makes you use their own browser or plugin. But if an application provider can achieve that, I'm unsure that much better security is obtainable by using DNSSEC than would be provided by the application using a restricted CA list.

      So if the benefits of DNSSEC will only occur when enough people use it we're down to a chicken and egg problem. There must be some benefit for a registrar which offers support in the sense more technical site operators who care about security will migrate to them from their competitors.
