Proposal to upgrade missing DNSSEC from notice to warning. #1364
Status: Closed. Started by vaceklu6 in General discussions. 3 comments, 10 replies.
I would like to add a few more words on why I suggest changing the log level. Today, even minor details in an otherwise valid DNSSEC configuration are marked as warnings, while the complete absence of this security is only rated as a notice. This makes the evaluation inconsistent and confusing (a more secure domain ends up with a worse rating).
9 replies
Proposed update of the specification making "unsigned" a WARNING: #1425
0 replies
Completed by v2025.2
1 reply
Hello,
I would like to open a discussion about changing the log level for missing DNSSEC signing.
This is Lukas Vacek from CZ.NIC; we are running the Zonemaster app in Czechia as the TLD registry. We are trying to convince people here in the Czech Republic to run DNS with DNSSEC, and I think we are successful. Over 60% of SLD zones under .CZ are signed with DNSSEC.
The output from the Zonemaster app is just a notice for missing DNSSEC. I think it should be at the warning log level.
I know there is no RFC that says using DNSSEC is mandatory, but I think the benefits of DNSSEC outweigh its absence. The usual cons are complexity, key management, performance impact, potential for misconfiguration and increased overhead. Let me write my thoughts on each one.
Complexity - Yes, of course. The whole DNS protocol is really complex, and so its security layer must be too. DNSSEC infrastructure works on delegations, just as DNS itself does.
Key maintenance - The Knot or BIND DNS daemons have their own key management, and I think it is straightforward. Knot, for example, can handle its keys by itself. Knot is able to roll over keys automatically or with a few manual steps. I think BIND can do the same.
Performance impact - DNS responses are bigger, but link capacity has increased and so has CPU performance. Our colleagues develop Knot DNS and benchmark DNS daemons. The number of queries answered with DNSSEC is lower, but not critically so. If you are under a burst of queries like that, the bottleneck is in the Linux kernel, in my opinion. The Knot DNS daemon in XDP mode can handle almost the whole link capacity.
Potential misconfiguration - An admin can use old key algorithms, the wrong number of NSEC3 iterations, or NSEC. But there is this Zonemaster app that can guide them to the correct configuration options.
Increased overhead - Well, that is a problem of every security solution. It brings new things and, for some, inconvenience. But security should outweigh inconvenience, and I think DNSSEC does it right.
On the other hand, the benefits of DNSSEC are clear and really worth it. The number of scams and other security attacks is increasing.
I know that big tech companies such as Google or Amazon have not signed their main zones. The trend is to have DNSSEC, and the Zonemaster app should support it. And as I see it, the Zonemaster app does not target big tech companies, but those who want help with their configuration and security. Google and Amazon should know best what they are doing.
I tried to think it through from all angles. I am really looking forward to your thoughts.
Thank you.
Kind regards,
Lukas Vacek
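The two points raised in this thread, the misconfigurations listed in the opening post (old key algorithms, NSEC3 iterations, plain NSEC) and the rating inconsistency described in the first reply (a signed zone with a minor issue rated worse than an unsigned one), can be shown together with a small grader. The following is an added example written for this page, not Zonemaster's code or its actual message catalogue: it rates constructed zone descriptions, treats the level given to an unsigned zone as a parameter (NOTICE for the current behaviour, WARNING for the proposal), and reports whether a signed zone ends up rated worse than an unsigned one. Algorithm statuses follow the signing column of RFC 8624; the NSEC3 advice (zero extra iterations, empty salt) follows RFC 9276. The severity names, message strings and zone data are this example's own assumptions.

```python
# Added example, not Zonemaster code: a toy DNSSEC hygiene grader over
# constructed zone descriptions (no network access).
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional, Tuple


class Level(IntEnum):
    INFO = 0
    NOTICE = 1
    WARNING = 2
    ERROR = 3


# DNSSEC algorithm number -> (mnemonic, RFC 8624 status for signing).
ALGO_STATUS = {
    1: ("RSAMD5", "MUST NOT"),
    3: ("DSA", "MUST NOT"),
    5: ("RSASHA1", "NOT RECOMMENDED"),
    6: ("DSA-NSEC3-SHA1", "MUST NOT"),
    7: ("RSASHA1-NSEC3-SHA1", "NOT RECOMMENDED"),
    8: ("RSASHA256", "MUST"),
    10: ("RSASHA512", "NOT RECOMMENDED"),
    13: ("ECDSAP256SHA256", "MUST"),
    14: ("ECDSAP384SHA384", "MAY"),
    15: ("ED25519", "RECOMMENDED"),
    16: ("ED448", "MAY"),
}


@dataclass
class Zone:
    """What a checker would have learned about a zone (constructed here)."""
    name: str
    ds_in_parent: bool                              # DS published at the parent
    dnskey_algorithms: List[int] = field(default_factory=list)
    nsec3param: Optional[Tuple[int, int]] = None    # (iterations, salt length); None = plain NSEC


def grade(zone: Zone, unsigned_level: Level = Level.NOTICE) -> List[Tuple[Level, str]]:
    """Return (level, message) findings; message strings are this example's own.
    unsigned_level is the level for a zone with no DNSSEC at all:
    NOTICE is the behaviour the thread complains about, WARNING the proposal."""
    findings: List[Tuple[Level, str]] = []
    if not zone.dnskey_algorithms and not zone.ds_in_parent:
        return [(unsigned_level, "NO_DNSSEC")]
    if zone.dnskey_algorithms and not zone.ds_in_parent:
        # Signed but not linked from the parent: validators treat it as insecure.
        findings.append((Level.WARNING, "DNSKEY_WITHOUT_DS"))
    if zone.ds_in_parent and not zone.dnskey_algorithms:
        # DS promises a signed zone that is not there: validators return bogus.
        findings.append((Level.ERROR, "DS_WITHOUT_DNSKEY"))
    for algo in zone.dnskey_algorithms:
        mnemonic, status = ALGO_STATUS.get(algo, (f"ALG{algo}", "UNKNOWN"))
        if status == "MUST NOT":
            findings.append((Level.ERROR, f"ALGORITHM_MUST_NOT:{mnemonic}"))
        elif status in ("NOT RECOMMENDED", "UNKNOWN"):
            findings.append((Level.WARNING, f"ALGORITHM_NOT_RECOMMENDED:{mnemonic}"))
    if zone.nsec3param is None:
        # Plain NSEC lets anyone enumerate the zone; the post lists it as a misconfiguration.
        findings.append((Level.NOTICE, "NSEC_ZONE_WALKABLE"))
    else:
        iterations, salt_len = zone.nsec3param
        if iterations > 0:      # RFC 9276: use 0 extra iterations
            findings.append((Level.WARNING, f"NSEC3_EXTRA_ITERATIONS:{iterations}"))
        if salt_len > 0:        # RFC 9276: use an empty salt
            findings.append((Level.NOTICE, f"NSEC3_SALT_UNNECESSARY:{salt_len}"))
    return findings


def worst(findings: List[Tuple[Level, str]]) -> Level:
    """Overall rating of a zone: its most severe finding."""
    return max((lvl for lvl, _ in findings), default=Level.INFO)


def rates_worse_than_unsigned(zone: Zone, unsigned_level: Level = Level.NOTICE) -> bool:
    """True when this (signed) zone gets a worse rating than a zone with no DNSSEC."""
    unsigned = Zone("unsigned", ds_in_parent=False)
    return worst(grade(zone, unsigned_level)) > worst(grade(unsigned, unsigned_level))


# Constructed sample zones (hypothetical names, not real measurements).
ZONES = {
    "unsigned.example":   Zone("unsigned.example", ds_in_parent=False),
    "modern.example":     Zone("modern.example", True, [13], (0, 0)),
    "iterations.example": Zone("iterations.example", True, [13], (10, 8)),
    "legacy.example":     Zone("legacy.example", True, [7], None),
}

if __name__ == "__main__":
    for unsigned_level in (Level.NOTICE, Level.WARNING):
        print(f"--- unsigned zones rated as {unsigned_level.name} ---")
        for zone in ZONES.values():
            findings = grade(zone, unsigned_level)
            flag = " (worse than unsigned)" if rates_worse_than_unsigned(zone, unsigned_level) else ""
            print(f"{zone.name:20} {worst(findings).name:8}{flag}  {[m for _, m in findings]}")
```

With the unsigned level left at NOTICE, `iterations.example` (signed with a modern algorithm, only a non-zero NSEC3 iteration count) is rated WARNING and therefore worse than `unsigned.example`; once unsigned zones are rated WARNING, the two tie and no signed zone is rated below an unsigned one unless it has an ERROR-level finding. That is the ordering the first reply argues for.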