[dns-wg] What about the last mile, was: getting DNSSEC deployed
Roy Arends
roy at nominet.org.uk
Fri Feb 16 12:24:26 CET 2007
Lutz Donnerhacke wrote on 02/16/2007 11:40:14 AM:

> * Roy Arends wrote:
> > explain to me how DNSSEC is dead by doing validation on a stub resolver.
>
> You can't update the installed base quick enough to gain the benefits of
> DNSSEC. If the recursing resolvers do not validate, the whole DNSSEC effect
> is going to zero. You will find about 100000 validating resolvers at end
> user sites and nobody will sign a zone for this group of geeks.

Ah, you're assuming that folk will en masse sign their zones for the handful of validating resolvers?

Meanwhile, my OS/X and Windows boxes are configured (by default) to update themselves regularly. Some of my applications do that as well. My browsers have validation integrated. Joe end user would not even see the difference.... but he's better off than before.

I don't really expect any demand from end-users in general. I have difficulty believing that there will be any effort from big ISPs to do this. It takes a few support calls to have validation switched off at the ISP's site, or the ISP will already see their very thin margin evaporate (sure sure, you're the exception). That leaves us with pushing code to the end user, in applications and OS, which implies cooperation from and education to software developers.

Since you don't sell access to private end users, I assume you sell bulk access, which implies that corps/folks you send access to have their own resolvers in place. They lose.

> > And with 'who queries it', you probably mean that you have some list in
> > place somewhere that discriminates on ip. Note that I can simply passive
> > query your resolver box. You wouldn't even know it is me.
>
> I can't see your point here.

ACLs, firewalls, etc., that decide on source IP address if it can query your resolver. I can circumvent that.

> > I find those last two statements highly unlikely, but for argument sake,
> > multiply this by cost(crypto(lastmile))*count(users).
>
> I do not see the need for crypto on the last mile.

That is okay.

> >> > Why should I trust data, validated by my ISP?
> >>
> >> Because you choose him to do so.
> >
> > Eh? No, I rely on it to bring me the data. I'll validate it myself, thank
> > you very much.
>
> You are a geek. But you spoke about end users. And they trust their ISP for
> the data they received from him.

I'd advise Joe end user to validate locally. Just as I'd advise them to validate certificates (which browsers do automagically). Are you saying that end users should blindly trust their HTTP connection, just because it comes via their ISP, or the ISP's proxy?

> You are still free to do the validation yourself.

Good. I was concerned for a second.

I see no point in discussing this further. You may call me a geek, that's fine, I see it as 'early adopter'.

Roy
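The dispute above is about where validation happens and what a stub actually receives over the last mile: only the AD ("authenticated data") bit in the DNS header, which is an unprotected flag, not a proof. The following added example (not part of the thread or of any resolver's code) parses a constructed DNS response header and applies the stub-side rule from RFC 4035 section 4.9.3: a local validation verdict always wins, and the AD bit counts only if the stub both trusts the recursive resolver and reaches it over a channel nobody on the path can alter. The sample headers and the `trust_answer` policy function are constructed for illustration.

```python
import struct

# Flag bits of the second 16-bit word of a DNS header (RFC 1035 / RFC 4035 layout).
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010

def build_header(ident: int, flags: int, qd=1, an=1, ns=0, ar=0) -> bytes:
    """Pack a 12-byte DNS header; used here only to construct sample responses."""
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),  # resolver *claims* it validated the data
        "cd": bool(flags & FLAG_CD),  # client asked for unvalidated data
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }

def trust_answer(header: dict, resolver_trusted: bool, local_verdict=None) -> bool:
    """Stub-side policy (hypothetical helper, modelled on RFC 4035 4.9.3).

    local_verdict: True/False when the stub validated the RRSIGs itself,
    None when it did not (or could not).
    resolver_trusted: the stub trusts the recursive resolver's policy AND the
    path to it cannot be altered by an on-path party (e.g. a validator on localhost).
    """
    if local_verdict is not None:
        return local_verdict  # local validation wins; the AD bit is irrelevant
    return bool(header["ad"] and resolver_trusted)  # AD alone is just an unprotected flag

# Constructed sample responses (not real captures): one with AD set, one without,
# as a validating and a non-validating resolver respectively would return.
SAMPLE_AD_RESPONSE = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
SAMPLE_NO_AD_RESPONSE = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA)

if __name__ == "__main__":
    h = parse_header(SAMPLE_AD_RESPONSE)
    print("AD set:", h["ad"])
    print("trusted via untrusted ISP path:", trust_answer(h, resolver_trusted=False))
    print("trusted via local validating resolver:", trust_answer(h, resolver_trusted=True))
```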