Trends in eTLD+1 zone (effective TLD + 1, e.g. example.com, example.co.uk, ...) DNSSEC algorithm adoption. The graph plots the number of delegated domains with a given DNSKEY algorithm in the corresponding DS RRset…
Someone not well informed on the matter was rumoured to say that DNSSEC does not work well with ECDSA P-256. This is far from the case. New implementations are increasingly ECDSA, and further bulk rollovers will happen.…
One thing that needs to be stressed is the importance of monitoring your deployment [unmonitored security should be an oxymoron]. The author's diligence is impressive, and I am sure he learned a lot doing it (kudos),…
I've noticed, but this is well known, and it has perhaps been a while since you've said anything substantively new about them. Your views are well known, and easily found via any search engine. There's likely no…
Looking beyond just .com at three more TLDs, one day later Google signed: * 4740 .com * 925 .page * 662 .org * 413 .net For a total of 6740 new DNSSEC domains. This ongoing activity is reflected in a noticeable recent…
That's done and dusted, what's happening now for example is that today 7620 new .com domains got signed, ~73% of them by googledomains.com. And roughly the same thing is happening every day:…
Cloudflare does not MX-host customer domains, so is not in scope, they DNS-host signed domains, but that's not what the above is about. Google also DNS-hosts many signed domains (under the cloud.goog, .dev and .app…
The timescales that matter are: 2010 - Root zone signed 2012 - Base DANE specification 2013 - First DANE SMTP draft, Snowden 2015 - SMTP DANE TLS RFC 2015 - DANE live at udmedia.de, mailbox.org, posteo.de, xs4all.nl,…
Well, there's also a significant rate of adoption in Brazil. US domains await support from Godaddy et. al., with Godaddy recently announcing that DNSSEC will be available as a standard offering, not just a premium…
Yes, precisely, they and many, many others. The Internet I want to nurture is the decentralized Internet that links millions of independent actors, rather than the walled-garden Internet of 3 cloud platforms. I am of…
A few recent DANE deployments: * infomaniak.ch - Swiss hosting provider * triodos.com - Bank in Spain * startupstack.tech - California hosting company * elbiahosting.sk - Slovak hosting company * isu.net.sa - Saudi…
DNSSEC deployment is growing steadily: https://stats.dnssec-tools.org/images/totalds.svg https://stats.dnssec-tools.org/tld-graphs/com.png https://stats.dnssec-tools.org/tld-graphs/net.png…
That "note" is simultaneously wrong and obvious. Wrong: They've announced plans to also implement inbound DANE. Given that the domains in question are all child domains of mail.protection.outlook.com, they'll have to…
Progress is tracked at: https://stats.dnssec-tools.org/#dnssec
https://news.ycombinator.com/item?id=22817214
Where "larger" really means Google and Yahoo, others as you now see are less zealous about MTA-STS as the main way forward (there's little sign of broad adoption beyond a small number of the largest providers). For…
https://blog.aurynn.com/2015/12/16-contempt-culture
Let's compare notes in 2020 or 2021. Infrastructure upgrades happen slowly... I'll stop now and we'll both find something actually productive to do.
Yawn, would you also like to arm wrestle? I concede that smug superiority gets more karma points than doing the hard work to make a difference. Yes, only ~9 to 10 million domains are presently signed, and most of the…
Yes, DANE works for SMTP. Let's talk again in 2020. Ciao...
gmx.de, comcast.net, freenet.de, mailbox.org, posteo.de and tutanota.de come to mind as counter-examples as well as various universities, the German parliament, various Dutch government domains, and a couple of thousand…
[ For the record, not an invitation to a futile further debate, given your long-standing immutably-held views on DNSSEC. Since you'll probably say the same about my work to get DANE for SMTP up and running, we can stop…
Crypto maximalists don't like additive security mechanisms that reduce the risk and potential scope of attacks, but may not address every possible attack vector. Often the effect of crypto maximalism is reduced…
Other big problems with WebPKI: * DV certificate issuance is based on a leap of faith (TOFU) by the CA. It is vulnerable to BGP hijack, DNS cache poisoning, ... as amply illustrated by the "domain control" "proofs" in…
The 512-bit RSA keys are a distraction. You're allowed to not care about the security of your own domain, but if your DNS hosting provider does not, and you do, get a better DNS hosting provider, all but two (of any…
Trends in eTLD+1 zone (effective TLD + 1, e.g. example.com, example.co.uk, ...) DNSSEC algorithm adoption. The graph plots the number of delegated domains with a given DNSKEY algorithm in the corresponding DS RRset…
Someone not well informed on the matter was rumoured to say that DNSSEC does not work well with ECDSA P-256. This is far from the case. New implementations are increasingly ECDSA, and further bulk rollovers will happen.…
One thing that needs to be stressed is the importance of monitoring your deployment [unmonitored security should be an oxymoron]. The author's diligence is impressive, and I am sure he learned a lot doing it (kudos),…
I've noticed, but this is well known, and it has perhaps been a while since you've said anything substantively new about them. Your views are well known, and easily found via any search engine. There's likely no…
Looking beyond just .com at three more TLDs, one day later Google signed: * 4740 .com * 925 .page * 662 .org * 413 .net For a total of 6740 new DNSSEC domains. This ongoing activity is reflected in a noticeable recent…
That's done and dusted, what's happening now for example is that today 7620 new .com domains got signed, ~73% of them by googledomains.com. And roughly the same thing is happening every day:…
Cloudflare does not MX-host customer domains, so is not in scope, they DNS-host signed domains, but that's not what the above is about. Google also DNS-hosts many signed domains (under the cloud.goog, .dev and .app…
The timescales that matter are: 2010 - Root zone signed 2012 - Base DANE specification 2013 - First DANE SMTP draft, Snowden 2015 - SMTP DANE TLS RFC 2015 - DANE live at udmedia.de, mailbox.org, posteo.de, xs4all.nl,…
Well, there's also a significant rate of adoption in Brazil. US domains await support from Godaddy et. al., with Godaddy recently announcing that DNSSEC will be available as a standard offering, not just a premium…
Yes, precisely, they and many, many others. The Internet I want to nurture is the decentralized Internet that links millions of independent actors, rather than the walled-garden Internet of 3 cloud platforms. I am of…
A few recent DANE deployments: * infomaniak.ch - Swiss hosting provider * triodos.com - Bank in Spain * startupstack.tech - California hosting company * elbiahosting.sk - Slovak hosting company * isu.net.sa - Saudi…
DNSSEC deployment is growing steadily: https://stats.dnssec-tools.org/images/totalds.svg https://stats.dnssec-tools.org/tld-graphs/com.png https://stats.dnssec-tools.org/tld-graphs/net.png…
That "note" is simultaneously wrong and obvious. Wrong: They've announced plans to also implement inbound DANE. Given that the domains in question are all child domains of mail.protection.outlook.com, they'll have to…
Progress is tracked at: https://stats.dnssec-tools.org/#dnssec
https://news.ycombinator.com/item?id=22817214
Where "larger" really means Google and Yahoo, others as you now see are less zealous about MTA-STS as the main way forward (there's little sign of broad adoption beyond a small number of the largest providers). For…
https://blog.aurynn.com/2015/12/16-contempt-culture
Let's compare notes in 2020 or 2021. Infrastructure upgrades happen slowly... I'll stop now and we'll both find something actually productive to do.
Yawn, would you also like to arm wrestle? I concede that smug superiority gets more karma points than doing the hard work to make a difference. Yes, only ~9 to 10 million domains are presently signed, and most of the…
Yes, DANE works for SMTP. Let's talk again in 2020. Ciao...
gmx.de, comcast.net, freenet.de, mailbox.org, posteo.de and tutanota.de come to mind as counter-examples as well as various universities, the German parliament, various Dutch government domains, and a couple of thousand…
[ For the record, not an invitation to a futile further debate, given your long-standing immutably-held views on DNSSEC. Since you'll probably say the same about my work to get DANE for SMTP up and running, we can stop…
Crypto maximalists don't like additive security mechanisms that reduce the risk and potential scope of attacks, but may not address every possible attack vector. Often the effect of crypto maximalism is reduced…
Other big problems with WebPKI: * DV certificate issuance is based on a leap of faith (TOFU) by the CA. It is vulnerable to BGP hijack, DNS cache poisoning, ... as amply illustrated by the "domain control" "proofs" in…
The 512-bit RSA keys are a distraction. You're allowed to not care about the security of your own domain, but if your DNS hosting provider does not, and you do, get a better DNS hosting provider, all but two (of any…