[dns-wg] What about the last mile, was: getting DNSSEC deployed

* Roy Arends wrote:
> Lutz Donnerhacke wrote on 02/16/2007 11:40:14 AM:
>> You can't update the installed base quick enought to gain the benefits
>> of DNSSEC. If the recursing resolvers do not validate, the whole DNSSEC
>> effect is going to zero. You will find about 100000 validating
>> resolvers at end user sites and nobody will sign a zone for this group
>> of geeks.
>
> Ah, you're assuming that folk will en-masse sign their zones for the 
> handfull of validating resolvers ?

Yes. See the reactions to the last announcement of a Swedish ISP.

> Meanwhile, my OS/X and windows boxes are configured (by default) to update
> itself regularly. Some of my applications do that as well. My browsers
> have validation intergrated. Joe end user would not even see the
> difference.... but he's better off than before.

He will see a difference, if some spoofing attacks does not longer work.

> I don't really expect any demand from end-users in general.

I see a strong demand from commercial banking institutes (not really).
Let's assume some major DSL-ISPs does switch on validating. This results in
a trusted DNS for about 60% of there customers (may be more). Now consider
the phishing buzzword.

No, it does not help against clicking on every link and attachment in Outlook.

> I have difficulty believing that there will be any effort from big ISP's
> to do this. It takes a few support calls to have validation switched off
> at the ISPs site, or the ISP will already see their very thin margin
> evaporate.

Most DSL markets are death due to dumping. If you really want to keep
customers, you have to provide more features. Security is a very valuable
feature this days. Adding DNSSEC validating causes a major step-up at least
in press release shootouts.

> That leaves us with pushing code to the end user, in applications and OS,
> which implies coorperation from and education to software developers.

Taking this road means: Redo from start. Never get a reasonable deployment.
Root will not be signed, because there are not enough installations. More
installations will not come up, because the root is not signed and key
maintainence is a mess. Catch-22.

I prefer the other way.

> Since you don't sell access to private end users, I assume you sell bulk
> access, which implies that corps/folks you send access to, have their own
> resolvers in place. They loose.

What do they loose?

>> I can't see your point here.
>
> acl's, firewalls, etc, that decide on source ip address if it can query
> your resolver. I can circumvent that.

How do you want to do this? Please respond by email directly, it's off-topic.

>> You are a geek. But you spoke about end users. And they trust their ISP
>> for the data they received from him.
>
> I'd advice joe end user to validate locally.

They are free to do so. They are free to use any nameserver they want.
But if they use the ISP's recursive resolver, this will be a validating one.

> Just as I'd advice them validate certificates (which browsers do
> automagically). Are you saying that end users should blindly trust their
> http connection, just because it come via their ISP, or the ISP's proxy?

No, you confuse the source of the data. The ISP can validate the integrity
of DNSSEC-signed zones, and it is good to do so. The ISP can't validate the
integrety of HTTPS certificates, because the protocols does not show them to
him without serveral crude hacks.

> You may call me a geek, thats fine, I see it as 'early adaptor'.

We are all 'early adaptors', because we need the blood from the edge.