Hi all,
I wanted to send a brief follow-up from my talk at the Validation Subcommittee meeting yesterday (part of the Tokyo Face-to-Face meeting).
For reference, I attached the slide deck I used.
Thank you to everyone who provided feedback, and to Clint Wilson, who was willing to shepherd this and propose it as SC-085, as well as Wayne Thayer (Fastly), Dimitris Zacharopoulos (HARICA), and Ryan Dickson (Chrome), who offered to endorse.
There was also a conversation about the viability of sub-prefix BGP attacks in today's route table. The statistics I was referencing were based on calculations I made as part of a recent paper, "Global BGP Attacks that Evade Route Monitoring", which was published in the Passive and Active Measurements conference (https://link.springer.com/chapter/10.1007/978-3-031-85960-1_14, also attached for reference) and was an invited plenary at RIPE 89 in Prague (https://ripe89.ripe.net/archives/video/1540/). The measurements I was referring to are in Section 4. This measurement was based strictly on prefix count and found 62% of prefixes in the global route table had immunity to sub-prefix BGP hijacks. Some work suggests that, given the significant adoption of RPKI by cloud and hosting providers, this figure may be higher if measured as IPs seen in domain A records. I should also note that this is a rapidly moving target as RPKI deployment increases and existing RPKI deployments are improved (e.g., if AWS were to move to scoped ROAs, which would have prevented a known hijack against an AWS-hosted TLS domain, RPKI protection of TLS domains could increase significantly).
I will edit the ballot text per the discussions yesterday and keep everyone updated.
Best,
Henry
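As an added example (not from the email, the paper or the ballot text), the following shows the RFC 6811 route origin validation outcome for a single announcement and the condition under which a prefix's ROAs leave no room for a valid more-specific announcement, which is what the remark about scoped ROAs (maxLength equal to the prefix length) turns on. The ROA set is constructed and the immunity criterion is my reading of the mechanism, not the paper's exact measurement method.

```python
"""RFC 6811 origin validation and sub-prefix hijack immunity (added example)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    origin_as: int


def roa(prefix: str, max_length: int, origin_as: int) -> ROA:
    return ROA(ipaddress.ip_network(prefix), max_length, origin_as)


def _covers(r: ROA, net) -> bool:
    return net.version == r.prefix.version and net.subnet_of(r.prefix)


def rov_state(announced: str, origin_as: int, roas: list[ROA]) -> str:
    """RFC 6811 outcome for one announcement: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(announced)
    covering = [r for r in roas if _covers(r, net)]
    if not covering:
        return "not-found"
    if any(r.origin_as == origin_as and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"


def immune_to_subprefix_hijack(prefix: str, roas: list[ROA]) -> bool:
    """True if every more-specific announcement of `prefix` is RPKI-invalid
    regardless of the origin AS the announcer claims (assumption: the parent
    must itself be ROA-covered, and no overlapping ROA may have a maxLength
    longer than the parent; a loose maxLength or a ROA for a more-specific
    block would make some sub-prefix announcement valid)."""
    net = ipaddress.ip_network(prefix)
    if not any(_covers(r, net) for r in roas):
        return False  # sub-prefixes would only be 'not-found', not 'invalid'
    return all(r.max_length <= net.prefixlen
               for r in roas if r.prefix.version == net.version and net.overlaps(r.prefix))


def immune_share(prefixes: list[str], roas: list[ROA]) -> float:
    """Fraction of prefixes immune to sub-prefix hijack (the paper's prefix-count view)."""
    return sum(immune_to_subprefix_hijack(p, roas) for p in prefixes) / len(prefixes)


# Constructed ROAs: a scoped ROA (/24 with maxLength 24), a loose one (/22 with
# maxLength 24) and an unsigned prefix (203.0.113.0/24 has no ROA).
SAMPLE_ROAS = [roa("192.0.2.0/24", 24, 64500), roa("198.51.100.0/22", 24, 64501)]
SAMPLE_PREFIXES = ["192.0.2.0/24", "198.51.100.0/22", "203.0.113.0/24"]
```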