[anti-abuse-wg] anti-abuse-wg Digest, Vol 145, Issue 7

Dear colleagues,

Thank you all very much for your constructive comments. Please make sure you contribute in the document itself, so our experts can take your views into account when finalising the document.

As an explanation. IS3C focuses on the deployment of all security-related Internet standards and ICT best practices. See e.g. the list of 23 Internet standards (of which one is a best practice) we developed recently that all organisation can use when procuring ICTs. The alternative narrative we are working on now, can be used for all standards and best practices (for more information, see is3coaltion.org).  Also, we make a clear distinction between organisations that need to take action themselves and organisations that need to demand this level of security to be built in by design when procuring ICTs, by adding them to their procurement demands. The arguments most likely will vary between the two. Please keep this in mind.

Why DNSSEC and RPKI? Among IS3C's members the desire arose to have one Working Group focus on two standards only. Consensus led to DNSSEC and RPKI, which led to natural partners. Where your concerns on DNSSEC are concerned, please add them in the doc so that they can be added into the final document. Also, please add the solution, so it can be taken into account as well.

Should you be interested to participate in our work in the future, please let me know and I will guide you to our membership list. Finally, I am reaching out to you as the Dynamic Coalition's coordinator.

Thank you again, as your comments are very valuable to us.

Kind regards,

Wout de Natris

IS3C: Making the Internet more secure and safer

________________________________
From: anti-abuse-wg <anti-abuse-wg-bounces at ripe.net> on behalf of anti-abuse-wg-request at ripe.net <anti-abuse-wg-request at ripe.net>
Sent: Tuesday, March 12, 2024 9:57 AM
To: anti-abuse-wg at ripe.net <anti-abuse-wg at ripe.net>
Subject: anti-abuse-wg Digest, Vol 145, Issue 7

Send anti-abuse-wg mailing list submissions to
        anti-abuse-wg at ripe.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://mailman.ripe.net/
or, via email, send a message with subject or body 'help' to
        anti-abuse-wg-request at ripe.net

You can reach the person managing the list at
        anti-abuse-wg-owner at ripe.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of anti-abuse-wg digest..."


Today's Topics:

   1. Re: IS3C public consultation on an alternative narrative to
      deploy Internet standards (David Conrad)
   2. Re: IS3C public consultation on an alternative narrative to
      deploy Internet standards (John Levine)
   3. Re: IS3C public consultation on an alternative narrative to
      deploy Internet standards (Alessandro Vesely)


----------------------------------------------------------------------

Message: 1
Date: Mon, 11 Mar 2024 19:55:17 +0000
From: David Conrad <drc at virtualized.org>
To: Wout de Natris <denatrisconsult at hotmail.nl>
Cc: "anti-abuse-wg at ripe.net" <anti-abuse-wg at ripe.net>
Subject: Re: [anti-abuse-wg] IS3C public consultation on an
        alternative narrative to deploy Internet standards
Message-ID: <3D269691-628C-49B5-B173-B01518B92EB9 at virtualized.org>
Content-Type: text/plain; charset="utf-8"

Hi,

I've focused my comments specifically on the section entitled "The Alternative Narrative, a Call To Action for Leaders?.

While I understand the desire to encourage DNSSEC and RPKI deployment at the leadership level, however if you??re targeting policy makers and C-levels, I would strongly encourage a balanced, honest approach, one that highlights both the benefits as well as risks. From experience, I believe focusing only on (alleged) benefits and stretching applicability (almost beyond recognition) can be quite counter-productive when the inevitable failures (e.g., https://ianix.com/pub/dnssec-outages.html, https://packetvis.com/blog/rpki-trust-anchor-malfunctions/) occur.

FWIW.

Regards,
-drc
Partner/CTO, Layer 9 Technologies (layer9.tech <http://layer9.tech/>)

> On Mar 11, 2024, at 2:58?AM, Wout de Natris <denatrisconsult at hotmail.nl> wrote:
>
> Dear colleagues,
>
> IGF DC IS3C invites you to participate in the consultation on positively enhancing the deployment of two Internet standards: DNSSEC and RPKI. You are invited to answer either of these questions: Do the arguments used to favor a positive decision, convince you to order deployment within your organisation or from your service provider? / Do they assist you to convince decision takers in your organisation to invest in security by design? You are invited to share your views and arguments with IS3C?s expert team and have been granted commenting rights in this document to do so. The consultation runs from 11 March to 12PM UTC, Friday 5 April 2024. Your contribution will be taken into consideration when finalising the text before publication this spring. Here is the link to the Google Doc:
>
> https://docs.google.com/document/d/1YYq3ie9D03L1Z5ssgPbWKV5becUgNw0h7_fmm9xGWKs/edit?usp=sharing
>  <https://docs.google.com/document/d/1YYq3ie9D03L1Z5ssgPbWKV5becUgNw0h7_fmm9xGWKs/edit?usp=sharing>
> IS3C WG 8 work document <https://docs.google.com/document/d/1YYq3ie9D03L1Z5ssgPbWKV5becUgNw0h7_fmm9xGWKs/edit?usp=sharing>
> docs.google.com <http://docs.google.com/>
> We hope to receive your views so we can present the most convincing arguments to deploy DNSSEC, RPKI and all other security-related Internet standards and ICT best practices. (FYI, this project is sponsored by ICANN and RIPE NCC.)
>
> Kind regards,
>
> Wout de Natris
>
> IS3C: Making the Internet more secure and safer

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20240311/55076bbb/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 249 bytes
Desc: OpenPGP digital signature
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20240311/55076bbb/attachment-0001.sig>

------------------------------

Message: 2
Date: 11 Mar 2024 17:30:26 -0400
From: "John Levine" <johnl at taugh.com>
To: anti-abuse-wg at ripe.net
Cc: michele at blacknight.com
Subject: Re: [anti-abuse-wg] IS3C public consultation on an
        alternative narrative to deploy Internet standards
Message-ID: <20240311213026.EA5F584E0F56 at ary.local>
Content-Type: text/plain; charset=utf-8

It appears that Michele Neylon - Blacknight via anti-abuse-wg <michele at blacknight.com> said:
>-=-=-=-=-=-
>-=-=-=-=-=-
>
>Serge
>
>Several ccTLD registries have given discounts for DNSSEC.
>
>What is unclear is how many of the domains with DNSSEC enabled are in active use, so the lack of ?problems? could be simply down to a complete lack of us / ignorance that the technology was enabled.
>
>My main issue with focus on DNSSEC is that it is seen being a ?good use? of resources, so small registries who should invest in other things that are fundamentally more important feel obliged to enable
>it. There?s also the entire ?I?ve got DNSSEC so now my domain / site / service is secure? belief. Much like people who think that smacking an SSL cert on their site magically renders it secure.

It makes sense if you're likely to be a phish target or you're
sophisticated enough to use DANE. DNSSEC works pretty well for Comcast.

I agree that for random little private domains the benefit is marginal.

R's,
John



------------------------------

Message: 3
Date: Tue, 12 Mar 2024 09:57:49 +0100
From: Alessandro Vesely <vesely at tana.it>
To: anti-abuse-wg at ripe.net
Subject: Re: [anti-abuse-wg] IS3C public consultation on an
        alternative narrative to deploy Internet standards
Message-ID: <c40c80ee-ada0-496c-acde-2623f13a19a9 at tana.it>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 11/03/2024 22:30, John Levine wrote:
> It appears that Michele Neylon - Blacknight via anti-abuse-wg <michele at blacknight.com> said:
>>
>> Several ccTLD registries have given discounts for DNSSEC.
>>
>> What is unclear is how many of the domains with DNSSEC enabled are in active use, so the lack of ?problems? could be simply down to a complete lack of us / ignorance that the technology was enabled.
>>
>> My main issue with focus on DNSSEC is that it is seen being a ?good use? of resources, so small registries who should invest in other things that are fundamentally more important feel obliged to enable
>> it. There?s also the entire ?I?ve got DNSSEC so now my domain / site / service is secure? belief. Much like people who think that smacking an SSL cert on their site magically renders it secure.
>
> It makes sense if you're likely to be a phish target or you're
> sophisticated enough to use DANE. DNSSEC works pretty well for Comcast.
>
> I agree that for random little private domains the benefit is marginal.


DNSSEC everywhere would make more sense than HTTPS everywhere, which
instead won the hype.  Being sure to connect to the IP designated by the
domain is essential, while encrypting every page of sites like, say,
wikipedia is just wasting cycles.


Best
Ale
--









------------------------------

Subject: Digest Footer

--

To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://mailman.ripe.net/


------------------------------

End of anti-abuse-wg Digest, Vol 145, Issue 7
*********************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20240312/bbd57ce0/attachment-0001.html>