IS3C public consultation on an alternative narrative to deploy Internet standards
Dear colleagues,

IGF DC IS3C invites you to participate in the consultation on positively enhancing the deployment of two Internet standards: DNSSEC and RPKI. You are invited to answer either of these questions: Do the arguments used to favor a positive decision convince you to order deployment within your organisation or from your service provider? / Do they assist you to convince decision takers in your organisation to invest in security by design?

You are invited to share your views and arguments with IS3C’s expert team and have been granted commenting rights in this document to do so. The consultation runs from 11 March to 12PM UTC, Friday 5 April 2024. Your contribution will be taken into consideration when finalising the text before publication this spring.

Here is the link to the Google Doc (IS3C WG 8 work document): https://docs.google.com/document/d/1YYq3ie9D03L1Z5ssgPbWKV5becUgNw0h7_fmm9xGWKs/edit?usp=sharing

We hope to receive your views so we can present the most convincing arguments to deploy DNSSEC, RPKI and all other security-related Internet standards and ICT best practices. (FYI, this project is sponsored by ICANN and RIPE NCC.)

Kind regards,
Wout de Natris
IS3C: Making the Internet more secure and safer
They’re two very different things, so asking about the two and pushing for them at the same time in my view is a bad idea.

RPKI is only going to be deployed by network operators and they *should* have the technical ability to do this, and doing so is “good”.

DNSSEC, on the other hand, is available for the many millions of domain names out there and is an incredibly brittle technology. A minor mistake with the deployment will literally kill the domain and all its services.

Pushing for DNSSEC adoption by financial services, government and other “enterprise” users makes a lot of sense, but pushing it for all domains is a terrible idea and has more negative impacts than positives.

Regards

Michele, who has consistently disliked how much time, energy and money is pushed into DNSSEC while so many other things aren’t resourced

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845
I have sent this email at a time that is convenient for me. I do not expect you to respond to it outside of your usual working hours.

From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Wout de Natris <denatrisconsult@hotmail.nl>
Date: Monday, 11 March 2024 at 10:01
To: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net>
Subject: [anti-abuse-wg] IS3C public consultation on an alternative narrative to deploy Internet standards
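The "minor mistake that kills the domain" above is, in the common case, a DS record in the parent zone that no longer matches any DNSKEY in the child zone, typically after a key rollover. The following is an added example, not code from this thread or from any DNS software: it implements the RFC 4034 key-tag algorithm (Appendix B) and the SHA-256 DS digest (digest type 2, over the owner name in canonical wire form followed by the DNSKEY RDATA), which is exactly the link a validating resolver checks between parent and child. The key bytes are constructed sample data (real algorithm-13 keys are 64 bytes), and the zone name `example.` is a placeholder.

```python
"""Offline check that the DS records a parent zone publishes still match
a child zone's DNSKEY set (added example; constructed sample keys)."""
import hashlib
import struct
from typing import Iterable, List, Tuple

DS = Tuple[int, int, int, str]  # (key tag, algorithm, digest type, hex digest)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed
    labels terminated by the root label (a single zero byte)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags (257 = KSK/SEP, 256 = ZSK), 1-byte protocol
    (always 3), 1-byte algorithm number, then the raw public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except 1): a 16-bit
    checksum over the DNSKEY RDATA, even bytes weighted by 256."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """Digest type 2: SHA-256 over owner-name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def make_ds(owner: str, rdata: bytes) -> DS:
    """The DS record the child operator hands to the parent for this DNSKEY."""
    return (key_tag(rdata), rdata[3], 2, ds_digest(owner, rdata))


def ds_matches(ds: DS, owner: str, rdata: bytes) -> bool:
    """True if this DS was derived from this DNSKEY: tag, algorithm and
    digest must all agree. Only digest type 2 (SHA-256) is handled here."""
    tag, alg, digest_type, digest = ds
    if digest_type != 2:
        return False
    return (tag == key_tag(rdata) and alg == rdata[3]
            and digest.lower() == ds_digest(owner, rdata))


def chain_intact(owner: str, parent_ds_set: Iterable[DS],
                 child_dnskeys: Iterable[bytes]) -> bool:
    """A resolver needs at least one parent DS matching a child DNSKEY; if
    none does, every name in the zone validates as bogus (SERVFAIL)."""
    keys = list(child_dnskeys)
    return any(ds_matches(ds, owner, k) for ds in parent_ds_set for k in keys)


def stale_ds(owner: str, parent_ds_set: Iterable[DS],
             child_dnskeys: Iterable[bytes]) -> List[DS]:
    """DS records in the parent that match no current child DNSKEY: the
    ones to fix (update the DS, or re-add the key) before a rollover completes."""
    keys = list(child_dnskeys)
    return [ds for ds in parent_ds_set
            if not any(ds_matches(ds, owner, k) for k in keys)]


if __name__ == "__main__":
    zone = "example."  # placeholder zone name
    old_ksk = dnskey_rdata(257, 13, b"\x01\x02\x03\x04")  # constructed key
    new_ksk = dnskey_rdata(257, 13, b"\x05\x06\x07\x08")  # constructed key
    parent = [make_ds(zone, old_ksk)]
    print("before rollover, chain intact:", chain_intact(zone, parent, [old_ksk]))
    print("key swapped, DS not updated, chain intact:",
          chain_intact(zone, parent, [new_ksk]))
    print("stale DS to fix:", stale_ds(zone, parent, [new_ksk]))
```

Run as a pre-change gate: compute the DS set you intend the parent to hold, check `chain_intact` against the DNSKEY RRset you are about to publish, and only then submit the DS change to the registrar. The usual safe order for a KSK rollover is to publish the new DNSKEY alongside the old one, wait out the DNSKEY TTL, update the DS at the parent, wait out the DS TTL, then remove the old key; this check catches the case where the parent's DS is changed or left behind out of step with that sequence.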
Pushing for DNSSEC adoption by financial services, government and other “enterprise” users makes a lot of sense, but pushing it for all domains is a terrible idea and has more negative impacts than positives.
Not if it's done properly, i.e. by the hosting providers. Should your aunt or uncle do it? Probably not. Since SWITCH gives registrars a discount if they sign, the number has risen dramatically, without any problems: https://www.nic.ch/de/statistics/dnssec/ Best Serge -- Dr. Serge Droz Member, FIRST Board of Directors https://www.first.org
Serge

Several ccTLD registries have given discounts for DNSSEC.

What is unclear is how many of the domains with DNSSEC enabled are in active use, so the lack of “problems” could be simply down to a complete lack of use / ignorance that the technology was enabled.

My main issue with focus on DNSSEC is that it is seen as being a “good use” of resources, so small registries who should invest in other things that are fundamentally more important feel obliged to enable it. There’s also the entire “I’ve got DNSSEC so now my domain / site / service is secure” belief. Much like people who think that smacking an SSL cert on their site magically renders it secure.

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845
I have sent this email at a time that is convenient for me. I do not expect you to respond to it outside of your usual working hours.

From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Serge Droz via anti-abuse-wg <anti-abuse-wg@ripe.net>
Date: Monday, 11 March 2024 at 12:24
To: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] IS3C public consultation on an alternative narrative to deploy Internet standards
It appears that Michele Neylon - Blacknight via anti-abuse-wg <michele@blacknight.com> said:

Serge
Several ccTLD registries have given discounts for DNSSEC.
What is unclear is how many of the domains with DNSSEC enabled are in active use, so the lack of “problems” could be simply down to a complete lack of use / ignorance that the technology was enabled.
My main issue with focus on DNSSEC is that it is seen as being a “good use” of resources, so small registries who should invest in other things that are fundamentally more important feel obliged to enable it. There’s also the entire “I’ve got DNSSEC so now my domain / site / service is secure” belief. Much like people who think that smacking an SSL cert on their site magically renders it secure.

It makes sense if you're likely to be a phish target or you're sophisticated enough to use DANE. DNSSEC works pretty well for Comcast. I agree that for random little private domains the benefit is marginal.

R's,
John
On 11/03/2024 22:30, John Levine wrote:
It makes sense if you're likely to be a phish target or you're sophisticated enough to use DANE. DNSSEC works pretty well for Comcast.
I agree that for random little private domains the benefit is marginal.
DNSSEC everywhere would make more sense than HTTPS everywhere, which instead won the hype. Being sure to connect to the IP designated by the domain is essential, while encrypting every page of sites like, say, wikipedia is just wasting cycles.

Best
Ale
--
DNSSEC everywhere would make more sense than HTTPS everywhere, which instead won the hype. Being sure to connect to the IP designated by the domain is essential, while encrypting every page of sites like, say, wikipedia is just wasting cycles.
tls gives a bit of authenticity too. modulo trusting a jillion certs built into your browser.

dnssec can be a bit of a slog; says the guy who is six days into inline-signing conversion fun.

randy
On Mar 12, 2024, at 1:57 AM, Alessandro Vesely <vesely@tana.it> wrote:
DNSSEC everywhere would make more sense than HTTPS everywhere, which instead won the hype.
I figure enabling DNSSEC validation everywhere and signing what makes sense after doing a cost/benefit trade off would be the rational way to go. As signing technologies get more mature, the cost goes down and even the marginal benefit of signing everything would be justified.
Being sure to connect to the IP designated by the domain is essential, while encrypting every page of sites like, say, wikipedia is just wasting cycles.
As Randy points out, TLS also gives you authentication (as long as you trust the myriad CAs) and with more granularity than the IP address.

On wasting cycles, if you only encrypt the sensitive stuff, you give away the fact that you’re communicating sensitive stuff when you encrypt.

However, I suspect this isn’t particularly in the charter of this mailing list…

Regards,
-drc
Partner/CTO, Layer 9 Technologies (layer9.tech <http://layer9.tech/>)
On Tue 12/Mar/2024 17:24:08 +0100 David Conrad wrote:
On Mar 12, 2024, at 1:57 AM, Alessandro Vesely <vesely@tana.it> wrote:
DNSSEC everywhere would make more sense than HTTPS everywhere, which instead won the hype.
I figure enabling DNSSEC validation everywhere and signing what makes sense after doing a cost/benefit trade off would be the rational way to go. As signing technologies get more mature, the cost goes down and even the marginal benefit of signing everything would be justified.
Right, and I'd guess the number of operators involved in switching to DNSSEC is less than that for HTTPS.
Being sure to connect to the IP designated by the domain is essential, while encrypting every page of sites like, say, wikipedia is just wasting cycles.
As Randy points out, TLS also gives you authentication (as long as you trust the myriad CAs) and with more granularity than the IP address.
Right, and let's note that the chain of trust is hierarchical for DNSSEC, which makes for a clear-cut PKI. HTTPS certificates are based on browser/system/distro/user policy choices, a rather hazy infrastructure.
On wasting cycles, if you only encrypt the sensitive stuff, you give away the fact that you’re communicating sensitive stuff when you encrypt.
However, I suspect this isn’t particularly in the charter of this mailing list…
Well, the OP topic is DNSSEC and _Resource_ Public Key Infrastructure (RPKI), which is similar in principle to the domain based hierarchy of DNSSEC.

Best
Ale
--
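The RPKI hierarchy mentioned above ends, on the operator side, in route origin validation: the relying-party validator turns signed ROAs into a plain list of (prefix, max-length, origin AS) payloads, and each BGP route is classified against that list. The following is an added example, not code from this thread or from any RPKI validator or router vendor; it implements the RFC 6811 decision procedure (Valid / Invalid / NotFound) using only the standard library. Every prefix, ASN and ROA in it is constructed sample data drawn from documentation ranges.

```python
"""RPKI route origin validation (RFC 6811) over a constructed ROA set
(added example; all prefixes, ASNs and ROAs are sample data)."""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple


class State(Enum):
    VALID = "valid"          # a covering ROA authorises this origin and length
    INVALID = "invalid"      # covering ROAs exist but none authorises the route
    NOT_FOUND = "notfound"   # no ROA covers the prefix at all


@dataclass(frozen=True)
class ROA:
    prefix: str       # the ROA's address prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest more-specific the holder allows to be originated
    asn: int          # authorised origin AS; AS 0 means "nobody may originate"


def covers(roa: ROA, route) -> bool:
    """A ROA covers a route when the route's prefix lies inside the ROA's
    prefix (same address family). Max-length is deliberately not checked
    here: a covering-but-too-long ROA must yield Invalid, not NotFound."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return route.version == roa_net.version and route.subnet_of(roa_net)


def validate(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> State:
    """RFC 6811 section 2 decision for one (prefix, origin AS) pair."""
    route = ipaddress.ip_network(prefix)
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return State.NOT_FOUND
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return State.VALID
    return State.INVALID


def classify_table(routes: Iterable[Tuple[str, int]],
                   roas: Iterable[ROA]) -> List[Tuple[str, int, State]]:
    """Run ROV over a (prefix, origin AS) table, e.g. a dump of received routes."""
    roa_list = list(roas)
    return [(p, asn, validate(p, asn, roa_list)) for p, asn in routes]


def invalid_routes(routes: Iterable[Tuple[str, int]],
                   roas: Iterable[ROA]) -> List[Tuple[str, int]]:
    """The routes a 'drop Invalid' policy would reject."""
    return [(p, asn) for p, asn, st in classify_table(routes, roas)
            if st is State.INVALID]


# Constructed ROA set, in the flat form a validator hands to a router.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
    ROA("2001:db8::/32", 48, 64496),
    ROA("203.0.113.0/24", 24, 0),   # AS 0 ROA: this prefix must never be originated
]

# Constructed received-routes table (prefix, origin AS).
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64496),      # exact match, right origin -> Valid
    ("192.0.2.0/25", 64496),      # /25 exceeds max-length 24 -> Invalid
    ("192.0.2.0/24", 64500),      # covered, wrong origin AS -> Invalid
    ("198.51.100.0/24", 64497),   # /24 within max-length of the /22 ROA -> Valid
    ("203.0.113.0/24", 64498),    # AS 0 ROA -> Invalid for any origin
    ("2001:db8:1::/48", 64496),   # IPv6 more-specific within max-length -> Valid
    ("100.64.0.0/10", 64499),     # nothing covers it -> NotFound
]

if __name__ == "__main__":
    for prefix, asn, state in classify_table(SAMPLE_ROUTES, SAMPLE_ROAS):
        print(f"{prefix:20} AS{asn:<6} {state.value}")
```

Two points worth noting from a defender's side. The table distinguishes Invalid from NotFound on purpose: a route with no covering ROA is unsigned, not wrong, so dropping NotFound would discard most of the Internet, whereas dropping Invalid only affects prefixes whose holder has already published a ROA. And the `max_length` field is where ROA creation goes wrong most often: a ROA whose max-length is longer than what you actually announce lets a more-specific announcement with a forged origin validate, so the safe practice (RFC 9319) is to set max-length equal to the length of the prefix you really originate.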
Hi,

I've focused my comments specifically on the section entitled "The Alternative Narrative, a Call To Action for Leaders”.

While I understand the desire to encourage DNSSEC and RPKI deployment at the leadership level, if you’re targeting policy makers and C-levels, I would strongly encourage a balanced, honest approach, one that highlights both the benefits as well as risks. From experience, I believe focusing only on (alleged) benefits and stretching applicability (almost beyond recognition) can be quite counter-productive when the inevitable failures (e.g., https://ianix.com/pub/dnssec-outages.html, https://packetvis.com/blog/rpki-trust-anchor-malfunctions/) occur.

FWIW.

Regards,
-drc
Partner/CTO, Layer 9 Technologies (layer9.tech <http://layer9.tech/>)
On Mar 11, 2024, at 2:58 AM, Wout de Natris <denatrisconsult@hotmail.nl> wrote: