> When DNSSEC came out, I admit I was kind of surprised to see how long it took to be used. I thought it would be adopted faster. There was insufficient motivation when the system worked well enough and the problem being addressed was, to many people, largely theoretical.
>
> When DoH was proposed I admit I was kind of surprised to see how many implementations rapidly came out. I thought it would take longer. Developers sure were motivated though. It was addressing something they really wanted.
DNSSEC has a lot of moving parts that needed to be in place compared to DoH. DoH has the benefit that HTTPS is a very popular protocol on the internet. Almost every HTTPS client can connect to every HTTPS server in the world. There are exceptions, but they are rare. In addition, deploying protocols on top of HTTPS is very common; there is lots of operational experience with that.

In contrast with DNSSEC:

1) You can't really sign your zones unless all of your parent zones are signed. So at least the root and TLDs need to be signed.
2) If you use multiple TLDs then you want all or at least most of them signed.
3) The registry of a TLD has to accept DS records. That's separate from signing.
4) Your registrar needs to accept DS records and be able to send them to the registries for your TLDs.
5) There need to be enough validating resolvers, otherwise signing is rather pointless.
6) For validating resolvers, small mistakes in DNSSEC signing have significant consequences. There is no fallback. Which also makes validating less popular.
7) DNSSEC requires significantly larger packet sizes. Which tends to cause operational issues if that leads to fragmentation.
8) Still mostly unsolved is automatically updating DS records during a key rollover. Very few registries support CDS/CDNSKEY.

There are probably some lessons there for DELEG:

1) what needs to be in place before we can use DELEG
2) what is the effect of failure

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop