
Re: DNSSEC - Signature Only vs the MX/A issue.



> ... blaming my proposal as a distraction seems to be a bit ...unreasonable.
> It may be more reasonable to blame the lack of attraction of DNSSEC to the
> zone operators and the lack of any application driven desire for DNSSEC for
> its failure to take hold up to this point.

i think the lack of attraction is explainable separately from the quality or
complexity of the current official design.  kc said it best, on one of steve
crocker's concalls, when steve asked "what's the one thing the community
needs to begin dnssec deployment?" and kc answered, "motivation."  dnssec is
a classic internet design, demanded by military/government types.  it is not
like the web or ssl, demanded by the market and/or useful for commerce.  if
you're trying to create motivation, then adding an 8th 11th-hour retrenching
isn't the way.  if you're trying to overcome inertia and/or improve the
cost:benefit toward a more compelling level, then again, adding an 8th 11th-hour
retrenching to the schedule is not your best move.

> WRT to Ohta's design - I've actually never seen it.  

that's a sad statement in and of itself.  you're acting like a latecomer who
has all the answers but hasn't done a lot of research and/or homework.  since
i know you better than that, i am mystified.  what kind of deployment community
backing have you received that made your current proposal seem useful?

> In general, my proposal is targeted at the space mostly ignored by PNE
> DNSSEC - that of how an application uses signed DNS data.  I don't actually
> consider this a change in direction, rather one that could focus this
> deployment on the use of the data rather than simply the signing of it for
> signing's sake.

as most of us have been saying for a decade, the major reason to deploy dnssec
is that it will protect nameservers from following evil NS/A/AAAA chains.  if
there's a secondary benefit (that dnssec is useful in commerce or antispam
or antiphish or whatever) then such secondary benefits will not be known or
visible until after the basic infrastructure is in place.  that's due to the
chicken-or-egg problem, folks won't sign their zones until it improves their
lives, and folks won't install a validator until it improves their lives.
something had to be the first mover.  obviously, that's the NS/A/AAAA chains.

> ... I'm sure if I had submitted this at the beginning of the NSEC3
> discussions I would have gotten the same "11th hour" comments.  So feel free
> to ignore it - I'll keep it live as a draft for a year or so and we can
> talk about 11th hour issues again in about a year or two while we're waiting
> for NSEC4.  :-)

here, you are preaching to the choir.  i wasn't going to propose EDNS until
DNSSEC was done, but in 1998 donald eastlake convinced me that there was time.
michael graff and i decided not to propose "slabbed DNS" with security as
metadata in 2002 because we didn't want to muddy the waters.  a bazillion
people have told me not to bother deploying DLV since NSEC3 is coming real soon
now.  a couple of times per year, i drag something up from the old jim galvin
dns-security mailing list archive and repost it to namedroppers under the
subject, "on this date in 1997" or whatever, and it'll be the same thread all
over again.  i hate this whole thing.  dnssec is the worst design-by-committee
effort i've ever seen, both in terms of how late it is, how fuzzy the goals
have been, how often the goals have changed, and how complicated and heavy it
is now that it is trying to be all-things-to-all-people.

but you won't improve it by adding an 8th 11th-hour redesign.  all you could
do would be to convince anybody who has been waiting for dnssec that they'll
have to go their own way.  are you failing to grasp that any change to the
way this stuff works will take at least two years to stop arguing about and
test-in-lab and write code for and so on?  and that the real deployment work
will not begin until those moments stop coming?  and that real deployment
will take five years once it starts?

> You decry my timing and strategy, but I ask you when if not now?  Should I
> have submitted this as a place holder 3 years ago when roughly the same
> argument was made to me?  Should I have waited until NSEC3 was complete -
> if ever?  Never?  If the latter really is the answer, then the IETF is a
> vastly different organization than it used to be.

never.  because the IETF is a vastly different organization than it used to
be.  and while you're hitting on the reasons we tried to start MODA, that's a
separate discussion (and, MODA is dead, since it could not overcome inertia.)

archive: <http://ops.ietf.org/lists/namedroppers/>